IDS mailing list archives

Re: IDS vs. IPS deployment feedback


From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 13 Apr 2006 20:06:48 +0200

Andrew Plato wrote:

> Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
> such, SNORT is usually behind the curve on new signatures.

I suppose you have actual figures for this? Because I'd have to call
it FUD otherwise. Compare with the response time of commercial and open
source antivirus products, and you'll see that this claim is at best unproven.

> ISS, for example, does their own independent security research and has
> signatures to protect against things that Snort people don't even know
> about.

And I suppose people who work for Sourcefire, or people who contribute
rules to the Snort signature base, don't do vulnerability research?

I know that many researchers develop signatures along with their
advisory. We've seen that.

Are you implying that ISS knows about zero-day vulnerabilities it hasn't
alerted vendors to? I think that ISS always claimed to be for
responsible disclosure of their findings. Has this changed recently?

> vendors buy exploits from the hacker market - again giving them access
> to vulnerabilities long before it hits the public

Same as above applies. Buying vulnerabilities and exploits and not
publishing them is highly unethical. I wouldn't buy anything from a
vendor who claimed to do that.

Besides, "good" zero days stay in the closet for a long time. They get
sold when they already leaked to the outer circles of the scene.

As far as "who has the rules first" goes, in fact, I remember Snort
implementing a way to import the so-advanced, bleeding-edge ISS rules...
oh wait, or was it the other way round? :)

Stefano

