IDS mailing list archives

Re: ISS RealSecure/SiteProtector or another IDS/firewall client?


From: Jeff Nathan <jeff () snort org>
Date: Fri, 28 Nov 2003 02:24:50 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ugh.

Mark, for the love of god, please don't do the 0 thing when referring to Snort. :)

Certainly ISS site protector is an attempt to be many things to many people. However, in its attempt to do so it missed one key ingredient: the ability to do any of those things sufficiently fast enough for a deployment requiring scalability of alert handling. Presupposing a centralized alert console performs post-processing of data, the need to accept high data rates is, for all intents and purposes, a firm requirement.

Whether or not a company approved of the use of Snort before they purchased Sourcefire products, the irony is that they certainly approved of them (in some way) after purchasing them. :)

- -Jeff

On Nov 26, 2003, at 5:57 PM, Teicher, Mark (Mark) wrote:

"Up to now, this isn't verified by any supporting authority but a lot of the IDS's out there are using the opensource technologies under the covers with proprietary changes. Look at Sourcefire, the underbelly is Snort (I know that Marty Roesch created Snort and started Sourcefire) but it is just an example of what technologies are using."

Yes, there are quite a few products in the NIDS space that utilize Sn0rt signatures, most of them not well, or they have mutilated some of the IDS signatures so they do not have to abide by any software license agreements or opensource (as in acknowledge they are using opensource code) in their products. A majority of them do not have enough coverage or enough detail other than an IDS signature was triggered. SourceFire is the commercial version of Sn0rt which has lots of bells and whistles and gets Sn0rt into major corporations who have played with Sn0rt but could not get upper management to approve opensource code into production environments.

Sn0rt is vastly different from ISS, as are other products in the NIDS/NIPS space. NAI Intruvert straddles both worlds, and has some IDS signatures that are not in either Sn0rt or protocol decodes that can be seen in IDS Proventia M/ISS Site Protector.

I would agree that ISS Site Protector is not easy to install and configure, but what other commercial product combines that many products into one console and succeeds without killing boxes left and right? Some products that attempt to advertise that much functionality lack the depth in some of the features they advertise as their competitive edge, and others are just plain broken.

/m


- --
http://cerberus.sourcefire.com/~jeff       (gpg/pgp key id 6923D3FD)
"Common sense is the collection of prejudices acquired by age
eighteen."   - Albert Einstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/xvhGEqr8+Gkj0/0RAp3RAKC1ex+yjU4ReQ9eaAreVBGucDi2qACfc7t2
wcu6pd0MIkm4yAeULbhD9U4=
=PPOE
-----END PGP SIGNATURE-----

