Snort mailing list archives
RE: "trons" Rules
From: counter.spy () gmx de
Date: Fri, 1 Mar 2002 19:29:11 +0100 (MET)
Hey all,

Having read the information about TRON on Robert Graham's website, I decided to trigger a little discussion on protocol analysis, an issue that has been on my mind for some time now.

Robert Graham is known as a protocol geek and he praises his protocol analysis. Alright, as far as I know Snort does perform some kind of protocol analysis. In his document 0103cansec.ppt (to be found in the "slides" directory on his site) he compares "snortlike" pattern matching against Snort protocol analysis; all very lucid, bene.

Now can somebody please explain the difference between Snort protocol analysis and BlackICE protocol analysis? (This might be somewhat difficult, as the BlackICE product, now being integrated into RealSecure, was, still is and will forever be closed source.) I know that BlackICE detected all the NSS Group attacks, but I also know that Snort did an excellent job as well, despite the fact that they had a rather outdated version. Any comments that are based on technical facts are greatly appreciated, because this information could be of great help for my diploma thesis :-)

In addition, here are some snips of the TRON page (commented by me ;-) ):

"....TRONS was reverse engineered from Snort signatures.." [snip]
Big deal, it's open source! :-)

"...I didn't look at Snort source more from a politeness issue rather than anything else..." [snip]
Oh..., wow! ;-)

"...How does BlackICE compare to Snort? I prefer protocol-analysis for IDS signatures over pattern-match, of course, which is why I chose that technology instead of pattern-match. The thing to remember is that it is a different technique that gives you different results. We can argue which results most people would prefer, but it would be foolish to say that one technique is always better than another. In any case, this is the wrong paper for such a discussion." [snip]
Well... so, let's discuss BlackICE protocol analysis versus Snort protocol analysis here on this list. I think this would be a proper discussion, comparing things that are comparable ;-)

In order to anticipate any complaints or misunderstandings: this is not criticism of Robert Graham's work or of Robert Graham himself. On the contrary, I have great respect for this man and his work and very much appreciate that he is always sharing his knowledge with the public. I just would like to heat up some discussion ;-)

Greetings,
D. Liesen

--
GMX - The communication platform on the Internet. http://www.gmx.net
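To make the pattern-match versus protocol-analysis distinction the post asks about concrete, here is an added illustration that is not code from the original post, from Snort, or from BlackICE. It contrasts a Snort-style content match (search for a byte string anywhere in the payload) with a protocol-analysis check (parse the HTTP request, percent-decode the URI, and test only that field). The request bytes, the `/cgi-bin/` needle and the helper names are constructed for this example and stand in for no real signature.

```python
"""
Pattern match versus protocol analysis on an HTTP request.

Added illustration, not code from the original post or from Snort/BlackICE.
All sample traffic below is constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

# Constructed needle: a generic path fragment, not a real attack signature.
NEEDLE = "/cgi-bin/"

# Constructed sample payloads covering the cases where the two techniques diverge.
SAMPLES: Dict[str, bytes] = {
    "plain":     b"GET /cgi-bin/test.cgi HTTP/1.0\r\nHost: example\r\n\r\n",
    "encoded":   b"GET /cgi%2Dbin/test.cgi HTTP/1.0\r\nHost: example\r\n\r\n",
    "in_header": b"GET /index.html HTTP/1.0\r\nReferer: http://example/cgi-bin/x\r\n\r\n",
    "not_http":  b"\x16\x03\x01\x00\x10/cgi-bin/\x00\x00",
}


@dataclass
class HttpRequest:
    method: str
    raw_path: str
    path: str                      # percent-decoded request path
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def pattern_match(payload: bytes, needle: str) -> bool:
    """Snort-style content match: the bytes anywhere in the payload count."""
    return needle.encode() in payload


def parse_http_request(payload: bytes) -> Optional[HttpRequest]:
    """Minimal HTTP/1.x request parser (hypothetical helper).

    Returns None when the bytes are not a well-formed request; a protocol
    analyzer treats that as "not HTTP" rather than scanning it for strings.
    """
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, raw_path, version = parts
    if not method.isalpha() or not raw_path.startswith("/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, raw_path, unquote(raw_path), version, headers)


def protocol_match(payload: bytes, needle: str) -> bool:
    """Protocol-analysis check: decode first, then test only the normalized URI."""
    req = parse_http_request(payload)
    return req is not None and needle in req.path


def evaluate(payload: bytes, needle: str = NEEDLE) -> Tuple[bool, bool]:
    """Return (pattern_hit, protocol_hit) for one payload."""
    return pattern_match(payload, needle), protocol_match(payload, needle)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        pm, pa = evaluate(data)
        print(f"{name:10s} pattern={pm!s:5s} protocol={pa}")
```

Running it shows the four outcomes worth keeping in mind when reading the NSS results: both techniques agree on the plain request; only the decoder catches the percent-encoded variant; the raw content match also fires on the needle appearing in a Referer header and on a non-HTTP blob, where the protocol-aware check stays silent. Which column you prefer is exactly the "different technique, different results" point from the quoted TRONS page.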
Current thread:
- "trons" Rules dr . kaos (Feb 28)
- RE: "trons" Rules Jason Lewis (Feb 28)
- <Possible follow-ups>
- RE: "trons" Rules Lampe, John W. (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- Re: "trons" Rules Jeff Nathan (Mar 02)
- Re: "trons" Rules dr . kaos (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- RE:"trons" Rules counter . spy (Mar 01)
- RE:"trons" Rules counter . spy (Mar 02)
- Re: "trons" Rules Fyodor (Mar 02)
- RE:"trons" Rules counter . spy (Mar 02)
- RE: "trons" Rules Kohlenberg, Toby (Mar 02)
- Re: "trons" Rules Fyodor (Mar 03)