IDS mailing list archives

Re: How to choose an IDS/FW MSS provider


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 16 Mar 2005 16:48:59 -0500

Marty said:


3) Snort has had 2 remote exploits (buffer overflow and integer overflow leading to heap overflow on certain platforms) and 2-3 DoSes due to protocol handler mistakes in 6.5 years. ISS has had at least that many over the years and a resultant worm to boot. Did being closed really help them all that much? I think that developing in the open forces us to be a little more careful than we might otherwise be, but I think that over time being open leads to a more secure codebase due to the exposure to the "elements" that it entails.


Not to mention Snort can be installed on a Linux system with GRSecurity protecting it, offering a much higher level of confidence than an appliance, at the cost of having someone who knows how to install a kernel patch. I've always wondered why IDS vendors don't do this. I'm sure there's a really good reason.

-dave


