RE: FW: Trons 7.0 (was Re: RealSecure IDS 6.5)

From: Samuel Cure (scure@redbulltech.com)
Date: 06/21/02


From: "Samuel Cure" <scure@redbulltech.com>
To: "'samantha myers'" <securitegrl00@yahoo.com>, <robert_david_graham@yahoo.com>, <roesch@sourcefire.com>, <SEdwards@toplayer.com>, <eng@essasia.net>, <dicarlore@hotmail.com>, <focus-ids@securityfocus.com>
Date: Fri, 21 Jun 2002 14:26:48 -0700

Cisco, unlike RealSecure 7.0, cannot import Snort rules.

Cisco also lacks the ability to do fusion-like features which bring
together attack and vulnerability information to conclude if the attack was
successful and, more importantly, remove false alarms where the attack fails.

Cisco does not provide server and desktop IDS. With more encrypted traffic
(like Web based SSL) and switched environments, IDS is moving to the host
with many of my customers.

With preliminary testing, it appears that RealSecure 7.0 is faster than
Cisco IDS. Has anyone else done any in-depth performance testing?

As fusion-like features become more important, the Cisco Scanner, based on
feedback from private emails from this IDS list, does not appear to be kept
up to date and in sync with their IDS capability, leaving a big gap. Fusion
will not work if Cisco cannot correlate vulnerability together with
attacks. Is Cisco going to fix this?

----
Samuel J. Cure

-----Original Message-----
From: samantha myers [mailto:securitegrl00@yahoo.com]
Sent: Wednesday, June 19, 2002 8:48 AM
To: robert_david_graham@yahoo.com; roesch@sourcefire.com; SEdwards@toplayer.com; eng@essasia.net; dicarlore@hotmail.com; focus-ids@securityfocus.com
Subject: Re: FW: Trons 7.0 (was Re: RealSecure IDS 6.5)

Does anyone know if Cisco Secure IDS provides a function similar to TRONS which allows users to import Snort rules?

Thanks!

> From: Robert Graham <robert_david_graham@yahoo.com>
> Date: Mon, 17 Jun 2002 10:23:14 -0700 (PDT)
> To: Martin Roesch <roesch@sourcefire.com>, SEdwards@toplayer.com, eng@essasia.net, dicarlore@hotmail.com, focus-ids@securityfocus.com
> Subject: Trons 7.0 (was Re: RealSecure IDS 6.5)
>
> --- Martin Roesch <roesch@sourcefire.com> wrote:
> > It should be noted that, last I heard, the TRONS engine doesn't have
> > anything like the Snort preprocessor stack. That being the case, it doesn't
> > have anything approaching the stateful inspection, stream reassembly, ip
> > defragmentation, application protocol normalization, etc capabilities of
> > more recent Snort releases. In other words, if the information I received a
> > few months ago is still accurate, the TRONS engine is equivalent to Snort in
> > the 1.5-1.6 era (late 1999 to mid 2000).
> >
> > It's capable of running Snort rules, but is subject to trivial evasion
> > techniques and essentially a stateless Snort rules processor, so I wouldn't
> > sell it as a "Snort replacement" by any means.
>
> In BlackICE, Trons was a wholly independent module; packets that got sniffed
> off the wire were fed into two independent engines (Trons and "PAM"); then
> events were combined at the other end back into a single stream.
>
> RealSecure 7 does a bit more integration between the two modules, using the
> core engine (called PAM - Protocol Analysis Module) to "pre-process" for
> Trons. PAM does things like reassembling IP fragments, uricontent, RPC, and so
> forth.
>
> The BIG thing missing is TCP stream-reassembly. I've been waiting to figure
> out where Snort is going with "flows". PAM is inherently "flow" based; which
> makes it hard to reassemble for the older Snort, but it is easy to integrate
> with the yet-unreleased flow-based Snort.
>
> In any case, the Trons module will never be a Snort replacement. It is there
> for customers to add their own rules, as well as rules created by the entire
> community. It is also there to allow us to better participate in that
> community; e.g. the latest X-Force advisory contained a Trons/Snort rule
> (though it had a minor bug with the SID, at least it's a start).
>
> Robert Graham (developer of Trons, as well as PAM)
>
> ------ End of Forwarded Message

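The point Roesch and Graham make above about a stateless rules processor with no TCP stream reassembly, shown as an added example (not ISS, TRONS or Snort code): a Snort-style content pattern checked against each segment on its own versus against the reassembled stream, on constructed traffic. The `Segment` type, the reassembler and the sample segments are all constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


def match_stateless(segments, content):
    """Stateless check, as a per-packet rule engine would do it:
    True only if some single segment carries the whole pattern."""
    return any(content in s.payload for s in segments)


def reassemble(segments):
    """Put segments back in sequence order and concatenate contiguous bytes.
    Retransmitted/overlapping bytes keep the first copy seen; a hole in the
    sequence space stops reassembly, like a conservative reassembler."""
    stream = b""
    expected = None
    for s in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break                       # gap: later bytes are not contiguous
        skip = expected - s.seq         # bytes already present (overlap)
        if skip < len(s.payload):
            stream += s.payload[skip:]
            expected = s.seq + len(s.payload)
    return stream


def match_reassembled(segments, content):
    """Stateful check: the pattern is searched in the reassembled stream."""
    return content in reassemble(segments)


# Constructed traffic: the rule's content pattern is "/etc/passwd"; the
# request arrives in three out-of-order segments, none of which holds it.
CONTENT = b"/etc/passwd"
SEGMENTS = [
    Segment(seq=1, payload=b"GET /cgi-bin/x?f=/et"),      # bytes 1..20
    Segment(seq=27, payload=b"wd HTTP/1.0\r\n\r\n"),      # bytes 27..
    Segment(seq=21, payload=b"c/pass"),                   # bytes 21..26
]

if __name__ == "__main__":
    print("stateless match:  ", match_stateless(SEGMENTS, CONTENT))
    print("reassembled match:", match_reassembled(SEGMENTS, CONTENT))
```

The stateless pass reports no match while the reassembled pass does; the same reassembler also discards a retransmitted duplicate and stops at a missing segment rather than matching across a hole.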
