Dailydave mailing list archives

Re: News, dumbug, prediction rebuttals.


From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 23 Dec 2005 11:18:23 -0500

Thomas and all,

> (1) To paraphrase jwz, "Some people see a problem and say, 'hey, I'll
> use regular expressions to solve it!'. Now they have two problems."
> On Checkpoint Firewall-1 and Cisco PIX, you will have to convince me
> that my SIM needs to care about 10% of the possible log messages, or
> that those 10% are hard to recognize.

Well, as they say, "great question" :-) There are two popular answers
to this one; some say that you are always interested in 100% of all
messages by definition, since you truly never know which one might
come in handy under the right circumstances. Yes, even the silly
"%PIX-6-199003: Reducing Link MTU <dec>" might come in handy one day...
In fact, the above opinion that you project indicates a somewhat dated
view of SIM as a "filtering tool."

BTW, before my vendor hat burns my head :-), I want to disclaim that I
disagree with your prediction on the merits and not to sell more of the
relevant product (I would love to see how a popular future open source
SIM will stack up against the current pricy commercial offerings...)

> (2) There are, last time I counted, 17,293 different templating
> ...
> entry" you're talking about? Have you looked at Freshmeat lately?
Point taken! :-) But writing a "Python application server" *once* is
not the same as committing to writing and updating regexes for logs
for the rest of your life...

> Anton, your product isn't dumb, boring, or particularly hard to
> replicate as an 80% solution. At my last job, we concerned ourselves
> with "bucketing" one out of every 100 connections made across the
> backbones of every service provider in the world. We were concerned
> about open-source competition. Why are you immune?

Well, I do not think that I am immune; it's just that the credible
open-source competition didn't materialize and, as I stated above,
likely won't materialize. And, indeed, creating a SIM is a very
exciting thing!! However, the ongoing maintenance tasks are much more
complicated than maintaining, say, a NIDS implementation.

> If there's a real need in the market for SIM products (and I'll state
> that as an "if", because, while my 2006 prediction implicitly gives
> SIM the benefit of the doubt, I haven't talked to a network security
> guy who relies on one yet), then over the next 12 months we're going
> to see a credible open-source response to it.

He-he, this is where it gets dangerous :-) And fun at the same time.
Is it common wisdom that a market need always leads to the emergence
of an open source solution?

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
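The "regexes for the rest of your life" point above is easiest to see with a tiny normalizer. The example below is added here and is not code from either poster or from any SIM product. It parses the Cisco PIX syslog header ("%PIX-<severity>-<message id>: text"), applies per-message-id field patterns for only two ids (the MTU message quoted in the thread and a constructed 106023 deny), and never drops a line it cannot fully parse; instead it reports which message ids still lack a pattern, which is exactly the maintenance backlog the thread is arguing about. All sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in Cisco PIX syslog format (not from the original
# thread; the MTU text is the one message quoted in the discussion).
SAMPLE_LOGS = [
    "%PIX-6-199003: Reducing Link MTU 1500",
    "%PIX-6-302013: Built outbound TCP connection 12345 for "
    "outside:203.0.113.5/443 (203.0.113.5/443) to "
    "inside:192.0.2.10/51234 (192.0.2.10/51234)",
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/40000 '
    'dst inside:192.0.2.10/22 by access-group "outside_in"',
    "%PIX-3-999999: Some message nobody has written a pattern for yet",
    "not a PIX line at all",
]

# Header shared by every PIX message: %PIX-<severity 0-7>-<six-digit id>: text
HEADER_RE = re.compile(r"^%PIX-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# Per-message-id field extractors. These are the patterns someone has to keep
# writing and updating; only two exist here, everything else falls through.
FIELD_PATTERNS = {
    "199003": re.compile(r"Reducing Link MTU (?P<mtu>\d+)"),
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
    ),
}


def parse_pix(line):
    """Parse one line. Always returns an event; 'parsed' is True only when a
    field pattern for that message id existed and matched."""
    m = HEADER_RE.match(line)
    if not m:
        # Not a PIX message at all; keep the raw line rather than losing it.
        return {"msgid": None, "severity": None, "fields": {},
                "raw": line, "parsed": False}
    event = {"msgid": m["msgid"], "severity": int(m["severity"]),
             "fields": {}, "raw": line, "parsed": False}
    pat = FIELD_PATTERNS.get(m["msgid"])
    if pat:
        fm = pat.search(m["text"])
        if fm:
            # Convert purely numeric captures (ports, MTU) to int.
            event["fields"] = {k: (int(v) if v.isdigit() else v)
                               for k, v in fm.groupdict().items()}
            event["parsed"] = True
    return event


def normalize(lines):
    """Parse every line without discarding any, and tally the PIX message ids
    that had no working field pattern: the regex maintenance backlog."""
    events = [parse_pix(line) for line in lines]
    backlog = Counter(e["msgid"] for e in events if e["msgid"] and not e["parsed"])
    return events, backlog


if __name__ == "__main__":
    evs, todo = normalize(SAMPLE_LOGS)
    for e in evs:
        print(e["msgid"], e["severity"], e["fields"] or e["raw"])
    print("message ids still needing a pattern:", dict(todo))
```

The point of returning the backlog rather than silently dropping unmatched lines is that the "keep 100% of messages" position only works if the normalizer keeps the raw event around; the "10% filter" position is then just a view over the same store, not a decision made at parse time.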

