Subject: Commercial vs. open source
From: rob (robert_david_graham at YAHOO.COM)
Date: Thu Oct 19 2000 - 22:49:12 CDT
- Next message: Max Vision: "Re: Rapid response"
- Previous message: Robert Graham: "Rapid response"
- In reply to: Fyodor: "Re: Symantec IDS Experts????????????????????"
- Next in thread: Ron Gula: "Re: Symantec IDS Experts????????????????????"
- Reply: rob: "Commercial vs. open source"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
-----Original Message-----
> From: Fyodor
>>> - Snort is vulnerable to many evasion techniques that were described years
>>> ago. Fragment reassembly (only recently added, though the fragment-based
>>> evasion has been a well-known attack for years)
>
> yeah, but snort is barely older than two years as well. it takes time to
> develop code, right :)
I disagree with this attitude. People believe in the magic "potential" of
open source. Yet BlackICE Sentry is the same age as Snort (the first line of
BlackICE code was written in June, 1998). It has had IP reassembly and TCP
stream reassembly/reordering since v1.0. Leaving fragrouter aside for the
moment, I can likewise attack a system using SunRPC/SNMP/HTTP/FTP/DNS using
exactly the signatures Snort looks for, yet format the packets in such a
way that Snort cannot see them. Snort won't utter a peep, whereas BlackICE
alarms as expected.
I know that some customers get burned by vendors who spend millions building
a brand rather than investing in their technology, but there are commercial
vendors that care about building quality products and supporting their
customers/partners. Sure, open-source Snort is better than the
brand-builders, but you can't lump all commercial vendors together that way.
BTW, I'm not trying to dis Snort here. Some people (e.g. Fyodor) simply
won't trust any source they cannot examine. Snort is a good product, and I
frequently recommend it to customers where I see it meet a particular need.
I'm just trying to point out that the two products left the starting gate at
the same time, and by my own personal values (catching the serious
adversary), Snort is well behind in the race.
Regards,
Robert Graham
CTO/Network ICE
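The reassembly point made in the post above, as an added example that is not code from the post or from either product: a toy Python detector that matches a signature per TCP segment versus after ordering and joining the stream. The request line, segment boundaries and sequence numbers are constructed for illustration.

```python
# Added example: why an IDS must reassemble TCP streams before matching.
# The same bytes arrive as three out-of-order segments; a per-packet
# matcher never sees the whole signature, a reassembling matcher does.
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int        # sequence number of the segment's first payload byte
    payload: bytes

def match_per_segment(segments, signature):
    """Naive detector: searches each segment's payload on its own."""
    return any(signature in s.payload for s in segments)

def reassemble(segments):
    """Order segments by sequence number and join contiguous data.

    A gap stops reassembly (a real stack would hold data until the
    missing bytes arrive); bytes already covered are not replaced."""
    ordered = sorted(segments, key=lambda s: s.seq)
    if not ordered:
        return b""
    data = bytearray(ordered[0].payload)
    next_seq = ordered[0].seq + len(ordered[0].payload)
    for s in ordered[1:]:
        if s.seq > next_seq:        # hole in the stream: stop here
            break
        overlap = next_seq - s.seq  # >= 0, bytes we already hold
        data += s.payload[overlap:]
        next_seq = max(next_seq, s.seq + len(s.payload))
    return bytes(data)

def match_reassembled(segments, signature):
    """Stream-aware detector: match against the reassembled stream."""
    return signature in reassemble(segments)

# Constructed sample: a request line whose signature straddles segment
# boundaries, delivered out of order (values chosen for illustration).
SIGNATURE = b"/cgi-bin/phf"
SAMPLE = [
    Segment(1013, b"phf HTTP/1.0\r\n"),
    Segment(1000, b"GET /cgi-"),
    Segment(1009, b"bin/"),
]

if __name__ == "__main__":
    print("per-segment :", match_per_segment(SAMPLE, SIGNATURE))  # False
    print("reassembled :", match_reassembled(SAMPLE, SIGNATURE))  # True
```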