Re: [more specific] Signature vs. Protocol Analysis

From: Martin Roesch (roesch@sourcefire.com)
Date: 03/14/02


Date: Thu, 14 Mar 2002 14:36:58 -0500
From: Martin Roesch <roesch@sourcefire.com>
To: Chad Schieken <cschieken@lucent.com>, <focus-ids@securityfocus.com>

On 3/14/02 9:57 AM, "Chad Schieken" <cschieken@lucent.com> wrote:

>
>> Well, yeah, but I've been saying this for years. :) How many rules did I
>> originally write for Snort? About 50. Why? Because I wanted to make
>> everyone write rules to fit their environment. Obviously that didn't work
>> out so well (Snort's got ~1400 rules these days)...
>
> This may be off-topic. But this is a common mistake, assuming people will
> "roll-their-own". I'm not arguing that this isn't a sound technical
> approach, but there aren't that many people who *can* do this. What's
> worse is that many companies don't even want to do this. Corporate America
> likes off-the-shelf software. Custom code is normally used when no other
> alternative is available. From a business perspective it doesn't make
> sense for many companies to invest in the competency required to do this.

I was young and naïve back then and Snort was a lot younger too. These days
we have a coordinated signature updating and scrubbing group with backing
databases of information about alerts and things of that nature. It's
become very clear to me over the past few years that the learning curve for
IDS is a steep one and people need a lot of help getting up to speed,
especially in enterprise environments. Insert corporate plug here. :)

     -Marty

-- 
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
