Snort mailing list archives
Re: [Emerging-Sigs] GPL rules - who maintains them? Nobody?
From: Martin Holste <mcholste () gmail com>
Date: Sun, 20 Mar 2011 17:52:11 -0500
@Marty

Your "Porsche" IDS still can't dynamically detect HTTP. That makes it not "the best." Razorback is not yet a viable platform and does not appear to be anywhere near release candidate. I consider it vaporware until I see otherwise. I've read through the source code and am unimpressed thus far. Ruminate IDS, using Vortex IDS, solves the same problem in about 1000 lines of Perl and is extremely effective in the hands of experienced analysts. Your Razorback problem is simple: you're using compiled code to do the jobs that scripts should be doing, because they can use the thousands of already-written libraries that do what you're trying to do from scratch. By all means, please prove me wrong.

@Joel/Jason/Marty

We were a paying SF customer for years and are no longer. The reason is simple: the rules were not detecting client-side attacks (or many server-side, for that matter), and SO rules were completely unhelpful (when they weren't segfaulting). Stability is indeed important, as Joel has pointed out, and SO rules drastically decrease stability. (Unless, of course, you're running an SF appliance, in which case all of this is easy... hm...) More important than that, though, is that the opacity of SO rules means my analysts have to guess. Analysts should not have to guess at what a rule was designed to look for. That is why closed-source is ineffective.

Further, stop arguing that your rules are more "polished" or something than ET. Many spew a ridiculous amount of false positives. Just look at your ActiveX rules and tell me they are something to be proud of. What modern malware refers to the CLSID of the ActiveX object it's going to exploit in clear, non-obfuscated JavaScript? Very, very few. Those rules are useless, as were the majority we saw come through to provide "coverage" for CVEs. That's why we dropped you guys. And if you think I'm wrong about this, remember that the customer is always right.

RE: Immunet: Way, way out of scope here. But while it's been shamelessly plugged to death on an IDS list, I will point out that for my large org and many other large orgs, client-side anything is not an option because we don't have the ability to install things on the assets we're responsible for. You will find a similar story in a lot of places. But congratulations on your expanding market, which continues to divert your attention from your company's core competency.

Lastly, thank you for at least participating in the discussion. I doubt Symantec, Cisco, etc. would allocate time for this, and I do appreciate having a real dialogue with people that matter in a company. I hope that we can do business again someday.