Re: [more specific] Signature vs. Protocol Analysis
From: Martin Roesch (roesch@sourcefire.com)
Date: 03/11/02
- Previous message: Al Huger - Mail Account: "RE: Alarming (was protocol analysis)"
- In reply to: some chica: "RE: [more specific] Signature vs. Protocol Analysis"
- Next in thread: Stephen P. Berry: "Re: [more specific] Signature vs. Protocol Analysis"
- Reply: Stephen P. Berry: "Re: [more specific] Signature vs. Protocol Analysis"
- Reply: Stephen P. Berry: "Re: [more specific] Signature vs. Protocol Analysis"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Mar 2002 23:45:40 -0500
From: Martin Roesch <roesch@sourcefire.com>
To: some chica <gotonesomewhere@yahoo.com>, IDS Expect <robertgoldman2000@yahoo.com>, <focus-ids@securityfocus.com>
> These are a few reasons why I put so much weight on
> pattern-matching IDSs, but more for our purposes (and
> yes, this is an environmental/departmental issue),
> Dragon. Without going into a thesis on it, it really
> seems the guys and gals at Enterasys just "get it."
> There are libraries of signatures (SQL is one example.
> Crypto and Steganography libraries are other quick
> examples) looking for things which are important to us
> that other IDSs aren't alerting us to (and that
> includes our Snort sensors, which baffles me since
> there is supposed to be an entire community of people
> developing Snort signatures, not just some people
> locked in a closet at some vendor.)
Best way to get increased coverage for things that interest you specifically
in an open source project: let us know or contribute directly.
Worst way to accomplish the same: do nothing and complain when that coverage
doesn't show up.
The flexibility and power are all there, there's just not an out of the box
sig for you to use. This shouldn't be slowing you down though, because
there are complete references to writing Snort rules available both with
Snort (in PDF format) and on-line at www.snort.org. Additionally, we have
an eager group of people on the snort-sigs mailing list that I'm sure would
be willing to help you out. The community works best if you actually use
the community.
Can you be a little more specific as to what you're looking for? There's an
awful good chance that someone will code it or write the sig if you can
define a need, and we'll even do it (*and* provide excellent support) for
free.
-Marty
--
Martin Roesch - Founder/CEO Sourcefire Inc. - (410) 552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org