IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How to choose an IDS/FW MSS provider

From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 17 Mar 2005 17:24:48 -0500
On Mar 16, 2005, at 4:25 PM, David W. Goodrum wrote:
Actually Marty, I think the reason Snort is so popular is because it's freely available, not becuase your signatures are open. I can tell you that NFR does not have nearly the userbase that Snort has, and yet, our signatures are openly readable... The difference? NFR is not a free product. Back in pre-2000, when NFR had the research and development version of the product available for free, we had a ton of downloads of the free product. It had nothing to do with the open signature language we use... it was simply the fact that it was free.
I don't think anyone would disagree that being free is one of the reasons for Snort's popularity but it's also popular because it's a good technology. One of the reasons that people stick with Snort once they get past the initial "let's put some free stuff on the network and see how it works" phase is because it's predictable and transparent and it works.
I once had the VP of Engineering of a large network security company try to talk me out of starting Sourcefire because "the only reason people use Snort is because it's free, nobody will pay for it". I didn't agree with that concept back then and I've since proven that being free is just one reason people use Snort initially, the really interesting thing is that they keep using it even when they have budget and a mandate to deploy a detection technology. I can only imagine that there's more to it than the low initial cost of entry, we all know what happens to costs once you've got a 50 of these things cranking out events.
I agree with your comments about writing good signatures. We released a whitepaper a couple of years back in an effort to teach people how to write good signatures using the NFR product, and even though we've had our signatures openly readable since day 1, we've never had a remote exploit. (well okay, we didn't actually have signatures on day 1, but you know what i mean. ;) )
All code has bugs. Just because there aren't any bugtraq entries for product XYZ doesn't mean that it doesn't have (or never had) any security issues. Operating in the open forces you to adopt a pragmatic stance with regards to recognizing and dealing with security issues in your code and that's a mode that I don't mind operating in and I believe that the user community by and large appreciates it. 


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org 


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. 
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: