IDS mailing list archives

Re: Snort vs Hogwash vs bait future


From: Shaiful <shaifuljahari () yahoo com>
Date: Tue, 15 Apr 2003 17:43:24 -0700 (PDT)

Hi,

FYI, I'm not a developer for any of the IDS/IPS
products but I'm a lame user ;-). I've been following
IDS/IPS technology from its infancy.

First a bit of history. Snort started as an open source
project around 1999 and Hogwash started as an open source
project around 2001. Bait and Switch (B&S) started
this year, 2003. It looks promising since we have a
new and shining IDS/IPS every two years! Each of them
really has a different focus, depending on the security
direction at that particular time. But, to filter the
noise, and to understand the similarities and the
differences, we should go back to basics. What is the
framework that really joins everything together? We
could start with Staniford's excellent paper on the
CIDF, the Common Intrusion Detection Framework. We
could argue that an IDS is not an IPS, but really an IPS is
just an IDS with prevention mode enabled.

So, from the framework we can see that each of the
IDS/IPS products can be divided into rather similar
logical modules, namely Event, Analysis, Response and
Database Engine. It seems to me now that all these IDS/IPS
are forking in terms of the analysis engine, which can be
shared among all open source IDS/IPS. Unfortunately,
the direction is not really encouraging since Snort
has its own Snort2 engine whereas Hogwash has its own
H2 engine. I think B&S is using the snort analysis engine,
maybe until they figure out how to make their own
analysis engine.

IMHO, the difference in the same basic analysis
component is not necessary since all of them are reading
the VERY SIMILAR snort rule file format. The rule format
might not be identical, but the difference is not
significant. Maybe we could follow Mozilla's direction,
where netscape, mozilla and galeon all share the
same HTML and standards compliant rendering engine.

My two cents,

Regards,
Shaiful

--- Jochen Vogel <jvogel () it-sec de> wrote:
hi,

a little discussion for a change

what are the pros and cons of snortinline,
hogwash and bait now and in the
future as open source IPS

greetz
jo



------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?
 
IntruShield now offers unprecedented Intrusion
IntelligenceTM capabilities - 
including intrusion identification, relevancy,
direction, impact and analysis - enabling a path to
prevention. 
 
Download the latest white paper "Intrusion
Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids




__________________________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo
http://search.yahoo.com
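The CIDF split described in the post above (Event, Analysis, Response, Database) and the shared Snort rule format, as an added example that is not part of this thread or of the Snort, Hogwash or Bait and Switch code bases: a minimal pipeline in Python that parses a few Snort-format rules, runs them over constructed packets, and shows that going from IDS to IPS is only a change in the Response module. HOME_NET, the rules, their sids and the packets are all constructed for the illustration, and the parser supports only a small subset of the rule language (header fields, $HOME_NET/$EXTERNAL_NET, 'any', port ranges, and the msg/content/nocase/sid options).

```python
"""Minimal CIDF-style IDS/IPS pipeline over Snort-format rules. Added illustration for
this thread, not Snort/Hogwash/B&S code; rules, packets, sids and HOME_NET are constructed.
Subset supported: header fields, $HOME_NET/$EXTERNAL_NET, 'any', port ranges, msg/content/nocase/sid."""
import ipaddress
import re
from collections import namedtuple

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # assumed site config
HEADER = ("action", "proto", "src", "sport", "direction", "dst", "dport")
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
Packet = namedtuple("Packet", "proto src sport dst dport payload")  # the Event

# ---- shared rule format: the piece this thread argues could be common ----
def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    *header, opts = m.groups()
    rule = dict(zip(HEADER, header), msg="", sid=0, contents=[])
    # "key:value;" pairs or bare flags; nocase modifies the preceding content
    for opt in (o.strip() for o in opts.split(";")):  # assumes no ';' in values
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "sid":
            rule["sid"] = int(val)
        elif key == "content":
            rule["contents"].append([val.encode(), False])  # [pattern, nocase]
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True
    return rule

# ---- Analysis engine ----
def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return any(ipaddress.ip_address(ip) in n for n in HOME_NET)
    if spec == "$EXTERNAL_NET":
        return not addr_matches("$HOME_NET", ip)
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != spec.startswith("!")

def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.lstrip("!").partition(":")
    lo, hi = int(lo or 0), int(hi or (65535 if sep else lo))
    return (lo <= port <= hi) != spec.startswith("!")

def header_matches(rule, pkt):
    def one_way(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    # '<>' rules also match traffic flowing the other way
    return (one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport)
            or (rule["direction"] == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)))

def payload_matches(rule, pkt):
    for pattern, nocase in rule["contents"]:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True

# ---- Response + Database: the only place IDS and IPS really differ ----
def run(rules, pkts, inline=False):
    """Return per-packet verdicts and the alert 'database' (a list of records)."""
    db, verdicts = [], []
    for pkt in pkts:
        verdict = "pass"
        for r in rules:
            if not (header_matches(r, pkt) and payload_matches(r, pkt)):
                continue
            db.append({"sid": r["sid"], "msg": r["msg"], "src": pkt.src, "dst": pkt.dst})
            if inline and r["action"] == "drop":  # prevention mode honours 'drop'
                verdict = "drop"
        verdicts.append(verdict)
    return verdicts, db

RULES_TEXT = """# constructed rules, not taken from any real ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC"; content:"SITE EXEC"; nocase; sid:1000002; rev:1;)
alert tcp any any <> any 23 (msg:"TELNET login prompt"; content:"login:"; sid:1000003; rev:1;)
"""
RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip() and not l.startswith("#")]
PACKETS = [  # constructed traffic
    Packet("tcp", "198.51.100.7", 40000, "10.1.2.3", 80, b"GET /scripts/../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"),
    Packet("tcp", "198.51.100.7", 40001, "10.1.2.4", 21, b"site exec %p%p%p\r\n"),
    Packet("tcp", "10.1.2.5", 23, "198.51.100.7", 50000, b"\r\nlogin: "),
    Packet("tcp", "10.1.2.3", 40002, "10.1.2.9", 80, b"GET /cmd.exe HTTP/1.0\r\n"),  # internal source
]

if __name__ == "__main__":
    for inline in (False, True):
        verdicts, db = run(RULES, PACKETS, inline=inline)
        print("ips" if inline else "ids", verdicts, [a["sid"] for a in db])
```

Run as a script it prints the verdicts and alerted sids once in detection mode and once in inline mode: the alert records are identical in both runs, only the second packet's verdict changes from pass to drop, which is the whole "IPS is an IDS with prevention mode enabled" point. The fourth packet carries the same cmd.exe string but comes from inside HOME_NET, so $EXTERNAL_NET keeps it from matching.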
