IDS mailing list archives
RE: Vulnerability & Exploit Signatures
From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Thu, 16 Jun 2005 12:35:29 -0400
Do all these vendors license the same set of "base" filters from, say, Sourcefire / Snort derived rule source in the back?
Not exactly (especially in the past, before Sourcefire pulled the "bait and switch" trick; just to be clear, I'm not saying they are bad for doing it... it's business and they are trying to make money... there's nothing wrong with that).

There's a small number of companies (besides Sourcefire) that put Snort on an appliance. In these cases it is true that they use Snort rules, but, I guess, it doesn't make sense to do otherwise :-)

There are a number of IDS and IPS solutions that are capable of converting Snort rules into their native format. I will not name any commercial companies, but I'd like to mention Bro IDS as an open source example ( www.bro-ids.org ), which is being developed by Vern Paxson (whose name should be familiar to anybody who's serious about networking) and a number of contributors. In Bro, there's a script that converts Snort signatures into Bro signatures.

Let's not forget security hardware acceleration vendors. It's very popular for them to use Snort to demonstrate their hardware acceleration technology, but it's up to the OEMs that use those cards to use Snort or to put their own IDS or IPS technology on top.

Just like Dodge said, most IDS and IPS vendors do use Snort as a resource. It would be crazy to do otherwise; however, they use it only as a reference (for a number of reasons). One of those reasons is that the architecture is very different and it's impossible to directly map Snort signatures to what they have. Another good reason IDS/IPS vendors wouldn't want to use Snort signatures "as is" is because Snort is far from perfect when it comes to its detection capabilities. Snort has a lot of limitations that an IDS/IPS vendor wouldn't want to inherit (I am not putting down Snort here. I think it's a great IDS that can do a lot. I'm simply pointing out that it still has a lot to improve). And if we talk about top IDS/IPS vendors, they usually develop their signatures or code updates before Snort has something. When Snort signatures or preprocessors come out, they simply use them as a validation mechanism or as market research to identify Snort signatures' weaknesses.

Kyle
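Added example (editor's illustration, not part of the post above and not Bro's own snort2bro script): a minimal Snort-rule-to-Bro-signature converter in Python, written to show concretely why the mapping the post calls "impossible to do directly" only goes part way. It handles the rule header, content (including |hex| sections and nocase), msg and sid, and emits every option it cannot express (flow, pcre, depth/offset/distance/within, flowbits, ...) as a comment so the loss of detection logic is visible rather than silent. The Snort variable CIDRs, the option classification and the two sample rules are constructed for the example.

```python
"""Minimal Snort rule -> Bro signature converter (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed assumption: Bro signatures take literal addresses, so Snort's
# $VARs must be resolved. These CIDRs are invented for the example.
VARS: Dict[str, Tuple[str, str]] = {
    "$HOME_NET": ("==", "10.0.0.0/8"),
    "$EXTERNAL_NET": ("!=", "10.0.0.0/8"),
}

# Options that carry no detection logic; dropping them loses nothing.
INFORMATIONAL = {"rev", "classtype", "reference", "metadata", "priority"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# Characters that must be escaped inside a Bro /.../ payload pattern.
REGEX_SPECIAL = set("\\.^$*+?()[]{}|/")

# Constructed sample rules (not from any real ruleset).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB test cmd.exe"; '
    'flow:to_server,established; content:"cmd.exe"; nocase; sid:1000001; rev:1;)',
    'alert udp any any -> $HOME_NET 53 (msg:"DNS test"; content:"|00 01 00 00|"; '
    'pcre:"/foo/i"; sid:1000002;)',
]


def split_options(opts: str) -> List[Tuple[str, str]]:
    """Split 'key:value; key; ...' on ';' occurring outside double quotes."""
    out, buf, inq = [], [], False
    for ch in opts + ";":
        if ch == '"':
            inq = not inq
        if ch == ";" and not inq:
            tok = "".join(buf).strip()
            if tok:
                key, _, val = tok.partition(":")
                out.append((key.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return out


def content_to_regex(content: str, nocase: bool) -> str:
    """Turn a Snort content (text with |hex| sections) into a Bro payload regex.
    There is no case-insensitive flag here, so nocase is expanded per letter."""
    out = []
    for i, part in enumerate(re.split(r"\|([0-9A-Fa-f ]+)\|", content.strip('"'))):
        if i % 2 == 1:  # hex section
            out.extend("\\x%02x" % int(b, 16) for b in part.split())
            continue
        for ch in part:
            if nocase and ch.isalpha():
                out.append("[%s%s]" % (ch.lower(), ch.upper()))
            elif ch in REGEX_SPECIAL:
                out.append("\\" + ch)
            else:
                out.append(ch)
    return ".*" + "".join(out)


def ip_cond(side: str, spec: str) -> List[str]:
    """Map a Snort address field to src-ip/dst-ip conditions (empty for 'any')."""
    if spec == "any":
        return []
    if spec in VARS:
        op, cidr = VARS[spec]
        return ["%s-ip %s %s" % (side, op, cidr)]
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+(/\d+)?", spec):
        return ["%s-ip == %s" % (side, spec)]
    raise ValueError("unsupported address spec: " + spec)


def port_cond(side: str, spec: str) -> List[str]:
    """Map a Snort port field (N, [a,b], lo:hi, any) to port conditions."""
    if spec == "any":
        return []
    if re.fullmatch(r"\d+", spec):
        return ["%s-port == %s" % (side, spec)]
    m = re.fullmatch(r"\[([\d,]+)\]", spec)
    if m:
        return ["%s-port == %s" % (side, m.group(1))]
    m = re.fullmatch(r"(\d*):(\d*)", spec)
    if m and (m.group(1) or m.group(2)):
        conds = []
        if m.group(1):
            conds.append("%s-port >= %s" % (side, m.group(1)))
        if m.group(2):
            conds.append("%s-port <= %s" % (side, m.group(2)))
        return conds
    raise ValueError("unsupported port spec: " + spec)


def snort_to_bro(rule: str) -> Tuple[str, List[str]]:
    """Return (Bro signature text, list of Snort options that could not be mapped)."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("cannot parse rule header (only '->' rules are handled)")
    conds = ["ip-proto == %s" % m.group("proto")]
    conds += ip_cond("src", m.group("src")) + port_cond("src", m.group("sport"))
    conds += ip_cond("dst", m.group("dst")) + port_cond("dst", m.group("dport"))

    msg, sid, contents, dropped = "", "unnamed", [], []
    for key, val in split_options(m.group("opts")):
        if key == "msg":
            msg = val.strip('"')
        elif key == "sid":
            sid = val
        elif key == "content":
            contents.append([val, False])
        elif key == "nocase" and contents:
            contents[-1][1] = True  # applies to the preceding content
        elif key not in INFORMATIONAL:
            # flow, pcre, depth/offset/distance/within, byte_test, flowbits ...
            # have no one-to-one equivalent here; record the loss explicitly.
            dropped.append(key + (":" + val if val else ""))
    for val, nocase in contents:  # several contents become AND-ed conditions
        conds.append("payload /%s/" % content_to_regex(val, nocase))

    lines = ["# dropped Snort option: " + d for d in dropped]
    lines.append("signature sid-%s {" % sid)
    lines += ["    " + c for c in conds]
    lines.append('    event "%s"' % msg)
    lines.append("}")
    return "\n".join(lines), dropped


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        text, lost = snort_to_bro(r)
        print(text + "\n")
```

Running it over the two constructed rules shows the point in miniature: the five-tuple and the content bytes survive, but the flow direction/state and the pcre option are reported as dropped, and the converted signature is strictly weaker (or noisier) than the Snort original.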
Current thread:
- Vulnerability & Exploit Signatures Jackson Yu (Jun 15)
- Re: Vulnerability & Exploit Signatures dgr8hunt (Jun 16)
- Re: Vulnerability & Exploit Signatures Kelly Dowd (Jun 16)
- Re: Vulnerability & Exploit Signatures Matt Jonkman (Jun 16)
- Re: Vulnerability & Exploit Signatures MadHat (Jun 16)
- Re: Vulnerability & Exploit Signatures M. Dodge Mumford (Jun 16)
- <Possible follow-ups>
- RE: Vulnerability & Exploit Signatures Kyle Quest (Jun 17)
- RE: Vulnerability & Exploit Signatures Marc Maiffret (Jun 17)
- Re: RE: Vulnerability & Exploit Signatures tk (Jun 20)
- RE: Vulnerability & Exploit Signatures Ofer Shezaf (Jun 20)
- Re: Vulnerability & Exploit Signatures Joel Esler (Jun 21)