Subject: Re: Symantec IDS Experts????????????????????
From: Mark Teicher (mark.teicherNETWORKICE.COM)
Date: Tue Oct 17 2000 - 22:07:28 CDT


In the July 17 edition of InternetWeek on page 27, they have a pie chart of
Intrusion Detection market share.

Here was the breakdown:

Cisco: 28%
ISS: 27%
Axent: 19%
Intrusion.com: 10% (This is the old ODS company, combined with the Kane
security software suites)
Network ICE: 4%
Others: 12%

If you want to read the text of the article, it is at
http://www.internetwk.com/infrastructure/infra071700.htm

At 10:17 AM 10/18/00 +0900, Keiji Takeda wrote:
>Hello,
>
>Elliot Turner san wrote on Tue, 17 Oct 2000 18:23:00 -0500
> >I did claim that Snort is based on ages-old technology. And I stand by this
> >claim. Various reasons include:
>
>From my experience, commercial IDSs are not always better than Snort or other
>open source IDSs (including my pakemon ;-).
>
>Even though they are commercial, some current IDSs still have only
>ages-old technology, in your terms.
>
>For instance, even the product that has the largest share in the market
>has implemented the packet reconstruction function this year.
>
>My understanding is now the market is shifting toward second generation IDS
>products that do packet reassembly and state analysis or application layer
>analysis.
>
>As Elliot noted, current open source IDSs are based on first-generation IDS
>technology.
>However, even commercial IDSs have only barely entered the second generation
>recently.
>
>About the speed of the evolution, Snort has more potential in my feeling.
>
> > - Snort is based on simple network-grep IDS technology. Network-grep can
> >   be easily fooled
>
>That is true.
>This situation is the same for some first generation IDS products.
>
> > - Snort is vulnerable to many evasion techniques that were described years
> >   ago. Fragment reassembly (only recently added, though the fragment-based
> >   evasion has been a well-known attack for years) was only recently added.
> >   In addition, the fragment reassembly system doesn't allow one to specify
> >   Windows/*NIX reassembly methods for individual hosts on a network. This
> >   means that even with the new fragment reassembly code, it's still
> >   vulnerable to fragment evasion attacks.
> > - The Snort site claims that it doesn't even do TCP stream reassembly.
> >   This is something that was available in even the first-generation
> >   commercial IDS offerings quite a number of years ago. Streams reassembly
> >   is a basic feature that should be a part of any IDS. It reduces the
> >   complexity of performing attack evasion to the skill level of a BSD
> >   sockets programmer. If this has recently changed, they should update
> >   their site to reflect the fact.
>
>These also are true.
>However, most commercial IDSs also implemented their reassembly code
>recently.
>
> >I hope this information is useful.
>
>I hope so too.
>
>Keiji Takeda ( http://www.sfc.keio.ac.jp/~keiji/ )
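The two points argued above (that a per-packet "network grep" misses a signature split across TCP segments, and that a reassembler is only as good as its knowledge of the target host's overlap policy) can be shown with a small stand-alone Python model. This is an added illustration, not code from this thread, from Snort, or from any product named in it; the signature string, sequence numbers and segment payloads are constructed for the demo, and the two-way "first"/"last" overlap switch is a deliberate simplification of the per-OS rules the thread alludes to.

```python
"""Toy model of first-generation (per-packet) matching versus stream
reassembly, with an overlap policy the IDS must choose per target host.
Added example; all traffic below is constructed, not captured."""

# Constructed example signature: a pattern an IDS rule might search for.
SIGNATURE = b"GET /cgi-bin/phf"


def per_packet_grep(segments, signature=SIGNATURE):
    """First-generation 'network grep': inspect each TCP segment payload on
    its own.  A signature that straddles a segment boundary is never seen.
    segments is a list of (seq, payload) pairs in arrival order."""
    return any(signature in payload for _seq, payload in segments)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream from (seq, payload) pairs in arrival order.

    policy decides which data wins where two segments overlap:
      'first' -> bytes that arrived first are kept (BSD-style behaviour)
      'last'  -> later data overwrites earlier data (as some stacks do)
    Real stacks have more varied rules; the point is only that the IDS has
    to model the policy of the host that will actually consume the stream.
    Holes (bytes never received) are filled with 0x00."""
    stream = {}  # absolute byte offset -> byte value
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(off, 0) for off in range(lo, hi + 1))


def stream_grep(segments, policy="first", signature=SIGNATURE):
    """Second-generation check: match against the reassembled stream."""
    return signature in reassemble(segments, policy)


# Constructed traffic 1: the request is split across two in-order segments,
# so no single payload contains the whole signature.
SPLIT = [
    (1000, b"GET /cgi-"),
    (1009, b"bin/phf HTTP/1.0\r\n"),
]

# Constructed traffic 2: offsets 1005..1008 are sent twice with different
# data.  What the end host sees depends on its overlap policy, so an IDS
# that assumes the wrong policy either alerts on nothing or misses it.
OVERLAP = [
    (1000, b"GET /cgi-"),              # covers 1000..1008
    (1005, b"XXXX"),                   # re-covers 1005..1008, arrives second
    (1009, b"bin/phf HTTP/1.0\r\n"),
]


def compare():
    """Return every verdict so the difference between the approaches is
    visible in one place."""
    return {
        "split/per_packet": per_packet_grep(SPLIT),
        "split/stream": stream_grep(SPLIT),
        "overlap/first_policy": stream_grep(OVERLAP, "first"),
        "overlap/last_policy": stream_grep(OVERLAP, "last"),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:22s} -> {'ALERT' if verdict else 'no alert'}")
    print(reassemble(OVERLAP, "first"))
    print(reassemble(OVERLAP, "last"))
```

Running it shows the per-packet matcher silent on the split request while the reassembler alerts, and the same overlapping traffic producing an alert under one policy and none under the other. That second result is the reason for the "per-host reassembly method" complaint in the quoted text: a sensor with a single global policy will disagree with some of the hosts it protects, and an operator tuning such a sensor should expect both missed detections and false alerts on overlapping traffic until the policy is matched to the destination.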