Snort mailing list archives

RE: "trons" Rules


From: counter.spy () gmx de
Date: Sat, 2 Mar 2002 11:35:18 +0100 (MET)

CORRECTION:

Sorry, but I had some errors in my previous post
(Thanx for the hint, Bob ... boy am I red ...)
But that should not keep you from discussing the issue of protocol analysis,
which is still unclear to me ;-)

So here is the corrected post:

Hey all,
having read the information about TRONS on Robert Graham's website I decided to
trigger a little discussion on protocol analysis - an issue that has been on
my mind for some time now:

Robert Graham is known as a protocol geek and he preaches his protocol
analysis.
Alright, as far as I know snort does perform some kind of protocol analysis.
In his document 0103cansec.ppt (to be found in the "slides" directory on his
site) he compares "snortlike" pattern match against protocol analysis
IN GENERAL - all very lucid, bene.

Now can somebody, please, explain the difference between SNORT
protocol analysis and BlackICE protocol analysis
(might be somewhat difficult, as the BlackICE product, now
being integrated into RealSecure, was, still is and will
probably forever be closed source).

I know that BlackICE detected all the NSS Group attacks, but I also know
that snort did an excellent job as well, despite the fact that they had a
rather outdated version.

CORRECTION: Version 1.8.1 actually WAS THE CURRENT version at
the time of testing.

Any comments that are based on technical facts are greatly appreciated,
because this information could be of great help for my diploma thesis :-)

In addition, here are some snips of the TRON page (commented by me ;-) )

"....TRONS was reverse engineered from Snort signatures.."
[snip]
big deal, it's open source! :-)

"...I didn't look at Snort source more from a politeness issue rather than
anything else..."
[snip]
Oh..., wow! ;-)


"...How does BlackICE compare to Snort?
I prefer protocol-analysis for IDS signatures over pattern-match, of course,
which is why I chose that technology instead of pattern-match. The thing to
remember is that it is a different technique that gives you different
results. We can argue which results most people would prefer, but it would be
foolish to say that one technique is always better than another. In any case,
this is the wrong paper for such a discussion."
[snip]
well...

so, let's discuss BlackICE protocol-analysis versus snort protocol-analysis
here on this list. I think this would be a proper discussion, comparing
things that are comparable ;-)

I still don't know the difference in detail! In the 0103cansec.ppt doc Mr.
Graham writes:

"What is protocol-analysis?
It is not a database of signatures!
Yes, about half the intrusions detected are based on a pattern, but it is an
exact match."

I think the difference between snort protocol analysis and BlackICE protocol
analysis is that snort does not decode all the "higher OSI layer protocols"
that BlackICE decodes.
As far as I know, the only application protocol snort currently decodes is FTP.
Is this correct?

In order to anticipate any complaints or misunderstandings:
This is not criticism of Robert Graham's work or Robert Graham himself.
On the contrary, I have great respect for this man and his work and very
much appreciate that he is always sharing his knowledge with the public.
I just would like to heat up some discussion ;-)

Greetings,
D. Liesen

Have a nice weekend!
--
GMX - The communication platform on the Internet.
http://www.gmx.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
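The distinction the post is asking about, as an added example that is not code from the original post, from Snort, or from BlackICE: the same hypothetical indicator string (`cmd.exe`, chosen for illustration only) is checked once as a raw byte substring over the whole payload, the pattern-match style, and once after a minimal HTTP request-line decode (drop the query string, %xx-decode, lowercase, collapse slashes), the protocol-analysis style. All sample payloads are constructed, not captured traffic. Running it shows the "different technique, different results" point from Graham's quote in both directions: the decoder catches encoded and mixed-case variants the substring match misses, and stays quiet on a response body and a non-HTTP packet where the substring match fires.

```python
"""Pattern match versus protocol analysis on the same packet bytes.

Added example, not code from Snort, BlackICE or the original post.
The indicator string and all sample payloads below are constructed
for illustration only.
"""
import re
from urllib.parse import unquote

# Hypothetical indicator: a path component we want to spot in HTTP request URIs.
INDICATOR = "cmd.exe"


def pattern_match(payload: bytes) -> bool:
    """Pattern-match style: exact byte substring anywhere in the payload,
    with no idea which protocol the bytes belong to."""
    return INDICATOR.encode() in payload


def decode_http_request(payload: bytes):
    """Minimal HTTP/1.x request-line decoder.

    Returns (method, normalized_path) for a request, or None when the
    payload is not an HTTP request (a response, or some other protocol).
    Normalization: drop the query string, %xx-decode once, lowercase,
    collapse repeated slashes.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, target, _version = parts
    path = target.split(b"?", 1)[0].decode("latin-1")
    path = unquote(path).lower()
    path = re.sub(r"/+", "/", path)
    return method.decode("latin-1"), path


def protocol_analysis(payload: bytes) -> bool:
    """Protocol-analysis style: fire only when a decoded HTTP request
    path contains the indicator, however it was encoded on the wire."""
    decoded = decode_http_request(payload)
    if decoded is None:
        return False
    _method, path = decoded
    return INDICATOR in path


# Constructed sample payloads (not real captures).
SAMPLES = {
    "plain_request": b"GET /scripts/cmd.exe?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "encoded_request": b"GET /scripts/%63md.exe?/c+dir HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "mixed_case_request": b"GET //Scripts//CMD.EXE HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "response_body": (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                      b"<p>Type cmd.exe at the Run prompt to open a shell.</p>"),
    "not_http": b"\x00\x17\x01cmd.exe\xff\xfe binary junk",
}


def evaluate(samples=SAMPLES):
    """Run both detectors over every sample; returns name -> (pattern, protocol)."""
    return {name: (pattern_match(p), protocol_analysis(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (pat, proto) in evaluate().items():
        print(f"{name:20s} pattern-match={pat!s:5s} protocol-analysis={proto}")
```

The decoder here is deliberately tiny; a real one has to deal with double encoding, directory traversal, Unicode, chunked bodies and so on, and each of those is exactly the kind of decoding work that separates the two approaches the post is comparing.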