RE: ids inquisition
From: robert_david_graham (robert_david_graham@yahoo.com) Date: 07/28/01
- Previous message: robert_david_graham: "RE: ids inquisition"
- In reply to: Randy Taylor: "Re: ids inquisition"
- Next in thread: Martin Roesch: "Re: ids inquisition"
- Next in thread: Jason Lewis: "RE: ids inquisition"
- Reply: Martin Roesch: "Re: ids inquisition"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "robert_david_graham" <robert_david_graham@yahoo.com> To: "'Randy Taylor'" <gnu@charm.net>, <focus-ids@securityfocus.com> Subject: RE: ids inquisition Date: Fri, 27 Jul 2001 23:42:14 -0400 Message-ID: <000501c11717$4b1c7f50$9aac86d1@computer11111111111111111111111111111111>
Randy took offense at my post. I feel I ought to respond, but I suspect most
people won't care about my comments below. I just want to be "on record"
about some things.
>And welcome to another episode of "Vendor Bashing" cleverly disguised as
>a backhanded compliment to Marty.
1. Some IDSs suck.
2. Snort isn't one of them.
3. I point out advantages that BlackICE has over Snort; I therefore feel
compelled to point out that I'm NOT saying that Snort sucks.
4. I don't think it is appropriate to point out which products truly suck
(though now that NAI has officially discontinued Cybercop Monitor, we can
safely put them on the list).
5. It is the open-source community that deserves the credit for Snort,
though Marty's a fast/nimble/devious coder and deserves some credit for
being a driving force.
>Writing Sidestep must have been really easy.
No. It contains complete clients for all the protocols it uses; it is not a
simple collection of exploits. It was written from scratch. This is tough.
>And opened up a class of attacks that hadn't been widely seen before. I'd
>expect that from a blackhat, but not from a company CTO. Smelled like hubris
>and dangerous art for art's sake...it was a really bad smell.
Of course I am guilty of "hubris" -- I don't think you'll find anyone who
disagrees with you :-)
The goal of Sidestep was to prove that these things work in the real world;
it isn't a useful exploit tool. The "ethics" it tried to pursue was concrete
examples that provably worked, rather than vague marketing claims
(vague/misleading marketing DOES smell bad).
>My God, you have gone beyond the pale. Snort is good code, Robert - I didn't
>see a line of BASIC in it. The RPC decode algorithm in 1.8 is very nicely done.
I chose the BASIC vs. C analogy simply because Snort "interprets" rules in a
text file, BlackICE always provided new signatures in "compiled" binaries.
If I had been a language bigot and realized that some people don't like
BASIC (I think it is a fine language), I would have chosen PERL.
>Wow, do you have any idea how many Snort users you just dumped on?
Some people find insults where none are intended.
There isn't enough literature on the subject of "protocol analysis and how
it relates to IDS". Saying that people don't understand "protocol analysis"
isn't an insult, it is just the state of the industry. Half the IDS papers
on SecurityFocus/SecurityPortal/et al. make statements about all IDS that
really only refer to Snort-like IDS (both good and bad). Heck, a lot of
people (e.g. me) make statements about all IDS that really only refer to
NETWORK IDS, not host IDS.
_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com