IDS mailing list archives
Re: IDS vs. IPS deployment feedback
From: Stefano Zanero <zanero () elet polimi it>
Date: Thu, 13 Apr 2006 20:06:48 +0200
Andrew Plato wrote:
Furthermore, Snort rules are developed by volunteers (or Sourcefire). As such, SNORT is usually behind the curve on new signatures.
I suppose you have actual figures for this ? Because I'd have to claim it FUD otherwise. Compare with the response time of commercial and open source anti viruses, and you'll see that this claim is at best unproven.
ISS, for example, does their own independent security research an has signatures to protect against things that Snort people don't even know about.
And I suppose people who work for Sourcefire, or people who contribute rules to the Snort signatures base, don't do vulnerability research ? I know that many researchers develop signatures along with their advisory. We've seen that. Are you implying that ISS knows about zero-day vulnerabilities it hasn't alerted vendors to ? I think that ISS always claimed to be for responsible disclosures of their findings. Has this changed, recently ?
vendors buy exploits from the hacker market - again giving them access to vulnerabilities long before it hits the public
Same as above applies. Buying vulnerabilities and exploits and not publishing them is highly unethical. I wouldn't buy anything from a vendor who claimed to do that. Besides, "good" zero days stay in the closet for a long time. They get sold when they already leaked to the outer circles of the scene. As far as the "who has the rules first", in fact, I remember Snort implementing a way to import the so-advanced, bleeding-edge ISS rules... oh wait, or was it the other way round ? :) Stefano ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
Current thread:
- RE: IDS vs. IPS deployment feedback, (continued)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- Re: IDS vs. IPS deployment feedback Eric Hines (Apr 13)
- RE: IDS vs. IPS deployment feedback Alan Shimel (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 10)
- Re: IDS vs. IPS deployment feedback Paul Schmehl (Apr 11)
- Re: IDS vs. IPS deployment feedback Aaron (Apr 15)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 17)
- Re: IDS vs. IPS deployment feedback Thomas Choi (Apr 18)
- Re: IDS vs. IPS deployment feedback Aaron (Apr 18)
- Re: IDS vs. IPS deployment feedback Stefano Zanero (Apr 15)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
- Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 11)
- RE: IDS vs. IPS deployment feedback Mike Barkett (Apr 13)
- Re: IDS vs. IPS deployment feedback Jason (Apr 13)
- Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 11)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 11)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 13)
- RE: IDS vs. IPS deployment feedback Kyle Quest (Apr 13)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 13)
- Re: IDS vs. IPS deployment feedback Paul Schmehl (Apr 15)