IDS mailing list archives

RE: Vulnerability & Exploit Signatures


From: "Kyle Quest" <Kyle.Quest () networkengines com>
Date: Thu, 16 Jun 2005 12:35:29 -0400


Do all these vendors license the same set of "base" filters from, say,
Sourcefire / Snort derived rule source in the back?

Not exactly (especially in the past... before Sourcefire pulled 
the "bait and switch" trick; just to be clear, I'm not saying
they are bad for doing it... it's business and they are trying
to make money... there's nothing wrong with that). 

There's a small number of companies (besides Sourcefire)
that put Snort on an appliance. In these cases it is
true that they use snort rules, but, I guess, it doesn't
make sense to do otherwise :-)

There's a number of IDS and IPS solutions that are
capable of converting snort rules into their native
format. I will not name any commercial companies,
but I'd like to mention Bro IDS as an open source example
( www.bro-ids.org ), which is being developed
by Vern Paxson (whose name should be familiar
to anybody who's serious about networking)
and a number of contributors. In Bro, there's
a script that converts snort signatures into Bro
signatures.

Let's not forget security hardware acceleration
vendors. It's very popular for them to use snort
to demonstrate their hardware acceleration technology,
but it's up to the OEMs using those cards to use Snort
or to put their own IDS or IPS technology on top.

Just like Dodge said, most IDS and IPS
vendors do use Snort as a resource. It would be
crazy to do otherwise; however, they use it
only as a reference (for a number of reasons).
One of those reasons is that the architecture
is very different and it's impossible to directly
map snort signatures to what they have. Another
good reason IDS/IPS vendors wouldn't want to use
snort signatures "as is" is because snort is far
from perfect when it comes to its detection
capabilities. Snort has a lot of limitations
that an IDS/IPS vendor wouldn't want to inherit
(I am not putting down snort here. I think it's
a great IDS that can do a lot. I'm simply pointing
out that it still has a lot to improve).
And if we talk about top IDS/IPS vendors, they
usually develop their signatures or code updates
before snort has something. When snort signatures
or preprocessors come out, they simply use them
as a validation mechanism or as marketing research
to identify the snort signatures' weaknesses.

Kyle


