IDS mailing list archives

RE: Vulnerability & Exploit Signatures


From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Thu, 16 Jun 2005 18:07:55 -0700

| -----Original Message-----
| From: Kelly Dowd [mailto:loris65 () gmail com] 
| Sent: Thursday, June 16, 2005 5:26 AM
| To: Jackson Yu
| Cc: focus-ids () securityfocus com
| Subject: Re: Vulnerability & Exploit Signatures
| 
| I doubt there is any licensing of base signatures between vendors
| (signature engines vary greatly between products, you can't just 'use'
| another product's sigs).  You will find that some developers look at
| existing signature sets to get 'ideas', but it's far from a
| one-for-one copy.  Companies must develop their own sigs just like
| they develop their own appliances... it's a total package.
| 
| -Kelly D.

One of the fastest growing (based on number of new companies, not
revenues) segments of security companies, from a product perspective, is
companies who do not have much intellectual property beyond nice web
management interfaces. To be more specific, it is the huge growth in
companies who have built security "appliances", web interfaces on top of
Nessus and Snort. Obviously this fast growing area of "I want to be a
security company too" has died down a bit as investors have started to
realize you need more than pretty reporting on top of someone else's
open source project. There are obvious exceptions though, with the lead
developers/creators from both Nessus and Snort starting up their own
companies based off the open source projects they work on.

Some companies that start by ripping off, I mean borrowing, open source
tools eventually do try to branch out and develop their own
signatures/checks/engine moving forward. nCircle is a good example of a
company starting off as a web interface on top of Nessus. This actually
does make for an easier way to kick start your own security company.
Obviously to sit down and truly write your own IDS/IPS and Vulnerability
Scanner is a rather large task to do without any funding. However,
creating some web management off of something that already exists, and
then finding some VCs who do not know any better than to hand you, say, 50
million, does put you in a place where you now have the money to attempt
to build your own real solution. There are all sorts of examples of this
in the Scanner/IDS space.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9329
http://eEye.com/Blink - End-Point Vulnerability Prevention
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities 

