Firewall Wizards mailing list archives
Re: Recording slow scans
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 14 Oct 1998 10:27:11 -0400
Crispin writes:
I don't see a whole lot of open-source IDS-ware floating around. On the other hand, there is a lot of commercial, closed-source IDS products out there.
As far as I'm aware, NFR is the only open source commercial IDS tool out there. There are a couple of other IDS systems that you can get source for, if you're in the gov't. But my impression is that you wouldn't want it once you had it. There are other good pieces of software out there (Bro, Argus, NNstat, tcpdump) which can be used to make IDS-ware. It's just a matter of putting your code where your mouth is.
If there was an IDS toolkit,
there is.... That's what NFR *IS*
...then open source coders could write clever new instruments, fine tune stuff, debug stuff, contribute enhancements back into the community ... you know, that cool stuff that open-source people tend to do if you let them.
That *COULD* but they haven't been so far. NFR has been out for quite a long time and the amount of actual contributed stuff from the community (Hi Mudge! Hi Stuart!) has been disappointingly small. We've welcomed it all along, and have tried to encourage it - our approach of using an interpreted language means that the whole system is completely open to such things. The notion of people writing clever new stuff, fine tuning, and contributing back to the community sounds very nice in a kind of armchair pink sort of way but that's not the reality of how things are working at this point in the 'net's development. Especially not with something like IDS that is seen as so valuable. We know there are lots of con$ultants out there taking NFRs and writing IDS and monitoring tools and selling them to customers - not contributing back to the community or even to the folks who built the software they're making the money off of. :( (*AND* they are violating our license by doing so) So don't lecture about how sweet it'd be if everyone just pitched in - Everyone has had plenty of chances to just pitch in and as far as any of us can tell the majority are just sitting back and whining that it's not turnkey and doesn't have 8,000 attack signatures already.
This kind of open source development model seems particularly well-suited to the IDS problem, where you have the following characteristics:
Of course I agree with you. That's why we made our software open source...
* Needs lots of fine-tuning: many hands can do that in parallel
...but they're not.
* Data-dependent: different people have access to different data sources
Yeah, thought of that, too.
* Different information streams: IDS instruments can be inserted in lots of places, if they can find a convenient fire-alarm to pull
Yup.
An IDS-TK seems like a very fine thing indeed. Is there one?
We think so. BTW, NFR's license terms are basically the same as the firewall toolkit's were (Yeah, I did that, too). Fwtk was a big success. *BUT* don't give me a lot of crap about how much the community contributed there, either. There were a few patches and Wietse Venema contributed some assistance, but in general it was the same thing: whine, whine, whine, why don't you just give us a free firewall that does everything checkpoint does and more and by the way I need to have no clues to install it? I'm a big proponent of open source but I think that NFR is the last time I'm going to do that. Next time I develop a cool concept, it'll be patented 20 ways to Sunday, venture-backed, 100% proprietary, and I'll start suing anyone who even talks about making a free product that remotely resembles it. :) I find it amusing that you're having this discussion with Darren, who also has done considerable good work in the community by making ip_filt available. I don't know if his experience matches mine, but I doubt he's gotten a whole lot of "pitching in" from all over the 'net. Tell me, Darren, what's the whine-to-help ratio on ip_filt? For the fwtk, I'd put it at 100:1 and for NFR it's closer to 2000:1. But hey, don't take my word for it. Write a GPL IDS toolkit for us, post it, and watch everyone make money off you while asking you to support them. It'll give you a warm feeling. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr