Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk

From: Martin Roesch (roesch_at_sourcefire.com)
Date: 11/03/04

  • Next message: Greg Shipley: "Re: TippingPoint Releases Open Source Code for First Intrusion Prevention Test Tool, Tomahawk"
    Date: Tue, 2 Nov 2004 20:21:50 -0500
    To: kquest@toplayer.com
    
    

    I'm the original author of Snort as well as the founder of Sourcefire
    (yes, it is called Sourcefire, I also came up with the name). What
    TippingPoint has released is basically tcpreplay with some connection
    testing functionality from what I can see. It's good to see them
    contributing to the open source community! Sourcefire makes
    Snort-based sensor and management infrastructure as well as cool
    technology like RNA; IDS is a component of what we do but not the whole
    sum of our offering.

    Sourcefire continues to innovate in the IDS arena and contribute those
    innovations back to the open source security community. If you look at
    the development history of Snort over the past ~4 years since
    Sourcefire was founded you will see that we are dedicated to keeping
    the open source community on the cutting edge of Snort development.
    Recent examples include our new portscan detector and target-based
    defragmentation system that were developed internally at Sourcefire
    with Sourcefire dollars and then freely contributed back to the OSS
    community.

    As far as pcaps are concerned, pcaps in a vacuum don't really add a
    whole lot beyond just testing basic detection capabilities. You need
    to have real high grade network testing equipment like the stuff
    Spirent makes so that you can develop normalized, repeatable test
    environments in which to test detection capabilities. Measuring
    latency, throughput, etc. is also best done in an environment where you
    can set up repeatable test environments or at least where you can set up
    repeatable baseline environments to transmit your pcaps over the top
    of. Tcpreplay doesn't meet this requirement particularly well all by
    itself, nor will the TippingPoint software.

    Greg Shipley and the Neohapsis guys can comment on this stuff better
    than I, but one thing that I've learned from building Sourcefire for
    the past ~4 years is that testing gigabit IDS/IPS systems requires
    considerable expertise and infrastructure if you want to do anything
    more than just test basic detection capability.

          -Marty

    On Nov 2, 2004, at 10:40 AM, kquest@toplayer.com wrote:

    > I'm aware that SourceFire (or whatever it's called)
    > is backing up Snort; however, that's not how Snort started
    > (snort was already there when SourceFile was created,
    > which is similar to what happened with zebra).
    > I'm sorry if my history of snort is not correct,
    > but I thought that's how it was. It's totally opposite
    > to what we have there, where we have.
    >
    > There's also a difference between what's going on
    > with Snort and this tool. SourceFire makes an IDS
    > tool based on Snort where TippingPoint makes an IPS
    > device and this tool is supposed to test IPSes.
    >
    > I do have pcaps to contribute, but I'm definitely
    > not going to give them on a silver platter to TippingPoint.
    > We need a next generation IDS/IPS/whatever testing
    > tool that goes beyond simple pcap replay. We need something
    > that can take a pcap... then fully parse it (not just
    > data link, network, and transport layers) and then
    > have application intelligence to do something actually
    > useful with it (e.g., perform application fragmentation
    > for RPC, etc). The list goes on...
    >
    > ------------------------------------------------------------
    >
    > - Kyle, Don't forget the 'snort' folks have just as much of a
    > vendor presence as TippingPoint or any other IDS vendor. TippingPoint
    > _may_ be trying to encourage use of their tool for IDS evolution as a
    > whole much like snort has yet still has hopes they will get some
    > benefit from their free tool.
    >
    > Now do you have any pcaps to contribute to snort or the rest of
    > us packetninjas?
    >
    > -Dan
    >
    >
    >
    > -----------------------------------------------------------------------
    > ---
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to
    > http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    > -----------------------------------------------------------------------
    > ---
    >
    >

    -- 
    Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
    Sourcefire - Discover.  Determine.  Defend.
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org
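Marty's point that a pcap only means something on top of a known, repeatable baseline starts with knowing what load the capture itself offers when replayed. The script below is an added example, not code from this thread, from Tomahawk, tcpreplay or Sourcefire: using only the Python standard library it parses a libpcap file, walks the Ethernet/IPv4/TCP-or-UDP headers of each packet, and reports throughput, peak packet rate, how many packets actually classified through all three layers, and how many distinct flows the replay would present. The capture is constructed inline; the function and key names are my own.

```python
import struct
from collections import Counter

def _frame(src, dst, proto, sport, dport, payload_len):  # constructed Ethernet/IPv4 + minimal L4 header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 1, 0, 64, proto, 0, bytes(src), bytes(dst))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + struct.pack("!HHI", sport, dport, 0) + b"X" * payload_len

def build_pcap(records):
    """(timestamp_seconds, frame) pairs -> little-endian libpcap 2.4 file, linktype 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, fr in records:
        out += struct.pack("<IIII", int(ts), round((ts - int(ts)) * 1e6), len(fr), len(fr)) + fr
    return out

def read_pcap(data):
    """Return [(timestamp, wire_length, frame_bytes)] from a little-endian microsecond libpcap file."""
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond libpcap file")
    pos, pkts = 24, []
    while pos + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from("<IIII", data, pos)
        pkts.append((sec + usec / 1e6, origlen, data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return pkts

def five_tuple(frame):
    """Parse link, network and transport headers; None when any of the three layers is absent."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4 over Ethernet
        return None
    l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
    if proto not in (6, 17) or len(frame) < l4 + 4:  # only TCP/UDP carry ports
        return None
    return (frame[26:30], frame[30:34], proto) + struct.unpack_from("!HH", frame, l4)

def profile(data):
    """Offered load and parse coverage: what a replay of this capture would present to the sensor."""
    pkts = read_pcap(data)
    t0, duration = pkts[0][0], pkts[-1][0] - pkts[0][0]
    per_second = Counter(int(t - t0) for t, _, _ in pkts)  # packets per 1 s bucket
    tuples = [five_tuple(fr) for _, _, fr in pkts]
    return {"packets": len(pkts), "duration_s": round(duration, 6), "peak_pps": max(per_second.values()),
            "avg_mbps": round(sum(n for _, n, _ in pkts) * 8 / max(duration, 1e-6) / 1e6, 3),
            "parsed_l4": sum(t is not None for t in tuples),
            "flows": len({t for t in tuples if t is not None})}

SAMPLE = build_pcap([(0.0, _frame((10, 0, 0, 1), (10, 0, 0, 2), 6, 40000, 80, 100)),  # constructed sample
                     (0.2, _frame((10, 0, 0, 2), (10, 0, 0, 1), 6, 80, 40000, 500)),
                     (0.5, _frame((10, 0, 0, 1), (10, 0, 0, 3), 17, 50000, 53, 40)),
                     (1.4, b"\xaa" * 12 + b"\x86\xdd" + b"\0" * 40),  # IPv6 frame: will not classify
                     (2.0, _frame((10, 0, 0, 1), (10, 0, 0, 2), 6, 40000, 80, 100))])
```

Comparing `profile(SAMPLE)["packets"]` with what the sensor reports after a replay, and `parsed_l4` with `packets`, shows how much of a capture a basic replay test actually exercises.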
    
