Snort mailing list archives

Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?


From: Martin Holste <mcholste () gmail com>
Date: Sun, 20 Mar 2011 17:52:11 -0500

@Marty
Your "Porsche" IDS still can't dynamically detect HTTP.  That makes it
not "the best."

Razorback is not yet a viable platform and does not appear to be
anywhere near release candidate.  I consider it vaporware until I see
otherwise.  I've read through the source code and am unimpressed thus
far.  Ruminate IDS, using Vortex IDS, solves the same problem in about
1000 lines of Perl and is extremely effective in the hands of
experienced analysts.  Your Razorback problem is simple: you're using
compiled code to do the jobs that scripts should be doing, because
they can implement the thousands of already-written libraries that do
what you're trying to do from scratch.  By all means, please prove me
wrong.

@Joel/Jason/Marty
We were a paying SF customer for years and are no longer.  The reason
is simple: the rules were not detecting client-side attacks (or many
server-side, for that matter), and SO rules were completely unhelpful
(when they weren't segfaulting).  Stability is indeed important as
Joel has pointed out, and SO rules drastically decrease stability.
(Unless, of course, you're running an SF appliance, in which case all
of this is easy... hm...).  More important than that, though, is that
the opacity of SO rules means my analysts have to guess.  Analysts
should not have to guess at what a rule was designed to look for.
That is why closed-source is ineffective.

Further, stop arguing that your rules are more "polished" or something
than ET.  Many spew a ridiculous amount of false positives.  Just look
at your ActiveX rules and tell me they are something to be proud of.
What modern malware refers to the CLSID of the ActiveX object it's
going to exploit in clear, non-obfuscated JavaScript?  Very, very few.
Those rules are useless, as were the majority we saw come through to
provide "coverage" for CVEs.  That's why we dropped you guys.

And if you think I'm wrong about this, remember that the customer is
always right.

RE: Immunet: Way, way out of scope here.  But while it's been
shamelessly plugged to death on an IDS list, I will point out that for
my large org and many other large orgs, client-side anything is not an
option because we don't have the ability to install things on the
assets we're responsible for.  You will find a similar story in a lot
of places.  But congratulations on your expanding market which
continues to divert your attention from your company's core
competency.

Lastly, thank you for at least participating in the discussion.  I
doubt Symantec, Cisco, etc. would allocate time for this, and I do
appreciate having a real dialogue with people that matter in a
company.  I hope that we can do business again someday.
