Firewall Wizards mailing list archives

Re: Recording slow scans


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Wed, 14 Oct 1998 10:27:11 -0400

Crispin writes:
> I don't see a whole lot of open-source IDS-ware floating around.  On the
> other hand, there is a lot of commercial, closed-source IDS products out
> there.

As far as I'm aware, NFR is the only open source commercial IDS
tool out there. There are a couple of other IDS systems that you
can get source for, if you're in the gov't. But my impression is
that you wouldn't want it once you had it. There are other good
pieces of software out there (Bro, Argus, NNstat, tcpdump) which
can be used to make IDS-ware. It's just a matter of putting your
code where your mouth is.

> If there was an IDS toolkit,

        there is.... That's what NFR *IS*

> ...then open source coders could write
> clever new instruments, fine tune stuff, debug stuff, contribute
> enhancements back into the community ... you know, that cool stuff that
> open-source people tend to do if you let them.

That *COULD* but they haven't been so far. NFR has been out for
quite a long time and the amount of actual contributed stuff from
the community (Hi Mudge! Hi Stuart!) has been disappointingly small.
We've welcomed it all along, and have tried to encourage it - our
approach of using an interpreted language means that the whole
system is completely open to such things.

The notion of people writing clever new stuff, fine tuning, and
contributing back to the community sounds very nice in a kind of
armchair pink sort of way but that's not the reality of how things
are working at this point in the 'net's development. Especially
not with something like IDS that is seen as so valuable. We know
there are lots of con$ultants out there taking NFRs and writing
IDS and monitoring tools and selling them to customers - not
contributing back to the community or even to the folks who built
the software they're making the money off of. :(   (*AND* they
are violating our license by doing so)    So don't lecture about
how sweet it'd be if everyone just pitched in - Everyone has had
plenty of chances to just pitch in and as far as any of us can
tell the majority are just sitting back and whining that it's not
turnkey and doesn't have 8,000 attack signatures already.

> This kind of open source development model seems particularly well-suited to
> the IDS problem, where you have the following characteristics:

Of course I agree with you. That's why we made our software
open source...

>   * Needs lots of fine-tuning:  many hands can do that in parallel

...but they're not.

>   * Data-dependent: different people have access to different data sources

Yeah, thought of that, too.

>   * Different information streams:  IDS instruments can be inserted in lots
>     of places, if they can find a convenient fire-alarm to pull

Yup.

> An IDS-TK seems like a very fine thing indeed.  Is there one?

We think so. BTW, NFR's license terms are basically the same as
the firewall toolkit's were (Yeah, I did that, too). Fwtk was a
big success. *BUT* don't give me a lot of crap about how much
the community contributed there, either. There were a few patches
and Wietse Venema contributed some assistance, but in general
it was the same thing: whine, whine, whine, why don't you just
give us a free firewall that does everything checkpoint does and
more and by the way I need to have no clues to install it?

I'm a big proponent of open source but I think that NFR is the
last time I'm going to do that. Next time I develop a cool
concept, it'll be patented 20 ways to sunday, venture-backed,
100% proprietary, and I'll start suing anyone who even talks
about making a free product that remotely resembles it. :)

I find it amusing that you're having this discussion with Darren,
who also has done considerable good work in the community by
making ip_filt available. I don't know if his experience matches
mine, but I doubt he's gotten a whole lot of "pitching in" from
all over the 'net. Tell me Darren, what's the whine-to-help
ratio on ip_filt? For the fwtk, I'd put it at 100:1 and for
NFR it's closer to 2000:1.

But hey don't take my word for it. Write a GPL IDS toolkit for
us, post it, and watch everyone make money off you while asking
you to support them. It'll give you a warm feeling. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
