Snort was one of the first security tools I ever used. When I was working in a small computer lab years ago, I set up a Snort sensor just to see what was there. And there was a lot in that particular environment. I’ve used it many times since then and I found out at RSA that the first Sourcefire implementation I performed is still in place, basically unchanged since I left. This is why I always take the opportunity to talk to Marty Roesch at Sourcefire if I can at RSAC. This time I got a chance to talk to him about the omnipresent APT (he prefer’s using the term APA, coined by @nselby and others), the security existential crisis, the work Sourcefire is doing with Immunet, the Cloud and Sourcefire’s virtual appliances. All that noise you hear in the background is the Securosis Recovery Breakfast.
The second in a series of discussions I participated in with Richard “IDS is Dead!” Stiennon, Mike Murray and Amrit Williams is now available for your viewing pleasure. Richard has been following the firewall and IDS market for a long time now and has a much deeper understanding of it than I ever will. However his experience is from the market perspective, not the real world where the firewalls and IDSs are actually being installed and used. Not that I’m configuring and monitoring either technology on a regular basis myself, but I do deal with the people who are very often as a PCI assessor. So you can imagine we have some differing opinions of where things are going and what’s really being used in the enterprise. I really need to learn to look directly at the camera.
Brian Smith, Chief Architect of TippingPoint takes a few minutes to talk about the different priorities of an IDS versus an IPS, and about the possible convergence of markets like firewall and NAC.
I use Gmail as my central email repository and usually the spam filters they use are pretty good. But lately they’ve been a little overly aggressive, so I have to comb through to make sure no legitimate email is being caught accidentally. There’s not a lot that’s misidentified, but there’s enough to make it worth the few minutes a day it takes to double-check the spam folder.
I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email. There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk. But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”. It’s honest and straight forward even if it is just an attempt to rip off people around the globe.
On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days. It’s been interesting watching the number of spams spike and drop. At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day. Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see. I guess being subscribed to ten or so mailing lists had to have some benefit.
Mine is just a single data point, compared to the millions some anti-spam vendors get to see. But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like F-secure report. Anyone else out there keep track of the spam they receive for fun?
Technorati Tags: security, spam, McKeay
This makes sense in a twisted way: scammers are using charities to test stolen credit cards. As the post points out, they’re using charities because most banks aren’t going to flag a donation, since it’s something most people only do on special occasions and it’s hard to create a behavioral monitoring program that could catch this as being an unusual activity with any accuracy.
Sourcefire has announced that the company will be expanding into a lot of new security specialties beyond Intrusion Detection and Intrusion Prevention. I think it’s a very good move for them and builds on their existing strengths, but only time will tell if it’s going to be a successful strategy. Over at SearchSecurity Nick Selby has written an interesting analysis of the Sourcefire move. I understand it a lot better having read the article.
Sourcefire’s strength has always been in analyzing network traffic, since that’s what IDS boils down to. They got a lot more in depth with their software when they introduced RNA. Adding anomaly detection, vulnerability assessment (passive or active, I wonder) and network access control is just extending that expertise even further. And, as the article notes, they’ve already got a foothold any many, many networks, which isn’t going to hurt them in the least.
Technorati Tags: security, snort, sourcefire
|Slowly but surely I’m getting the video from RSA edited and posted. I talked to Ron Gula a number of times before, but this was the first time I’d ever gotten to meet him face to face. Given that Ron was the creator of the Dragon IDS, one of the first commercial IDS’s I’d ever used, I was more than a little bashful when we talked off camera. Now adays he’s much better known as the CTO and CEO of Tenable Network Security and having one of the most technical security blogs on the Internet (I think Richard Bejtlich beats him, but only by a hair).
By the way, as an explanation for one of the comments I made during the interview, Larry Ellison from Oracle shunned RSA and sent one of his underlings in to give his presentation at the last moment. What a good way to show your support for the security community.
Technorati Tags: security, mckeay, Ron Gula, Tenable Network Security, Tenable
Rich McIver sent me an email notifying me that there is a new article on Intrusion Detection
over at the IT Security site. I started reading the article and liked it, until I got to the part where it defines how an Intrusion Detect System works; at this point, the artice seemed to be less a definition of IDS and more a definition of Network Admissions Control, without the blocking technology. The first point of the definition is clearly a traditional IDS function, but the other eleven points on the list have more in common with NAC technology than they do with what I think of when I hear IDS or IPS. Rich, please tell me how I’m misreading this.
I’m all for the convergence of technologies, otherwise I would never have become the Product Evangelist for Cobia. And I can’t think of too many technologies that are a more natural fit for convergence than IDS and NAC. Convergence is the coming wave in technology, there are too many different tools that each have seperate interfaces, individual management consoles and just don’t communicate what they know with other, complimentary tools. Having all of the different tools on your network tied together to provide the most comprehensive view of the network makes sense on so many levels that it has to happen, and any company that doesn’t already realize this probably won’t be at RSA in a couple of years. I think the traditional IDS will probably start to fade from the market place in the near future, either morphing into or being subsumed by NAC.
Maybe I’m missing the point of this article. I think it may be an attempt to redefine the definition of Intrusion Detection and broaden it to include more than just traditional IDS systems. Otherwise I don’t see how a product like Nmap could have made it onto the list. But if you’re going to try to redefine an industry standard term, than argue for the new definition, don’t try to pass it off as a basic explanation of the original term.
Technorati Tags: security, Martin McKeay, Intrusion Detection
Ya’ know, if I still played with Snort as much as I used too, I’d be all over this. Not that I’d be able to turn in any bugs, but I’d still have fun playing with the new version. If you are an avid Snort user and can find bugs, you might get some free stuff. Let me know what it is if you make it.
Snort 2.7 beta 1 is now available for download and testing!
* Target-based stream reassembly, including handling of TCP data
overlaps and anomalous TCP header flags on a per-destination basis. 11
different target-based policies are supported. See README.stream5 for
specific configuration options for operating system targets.
* UDP session tracking
* Option to emulate Stream4 flushing behaviour
* Stream5 replaces BOTH Stream4 & Flow — should disable both of
these when Stream5 is enabled.
BE A BETA TESTER:
Help us make Snort a better technology and get some free Snort
stuff! Since we are all looking to make Snort better, please feel free
to drop us a line and let us know you’re testing. We want to be sure we
have as much coverage as possible. Please submit bugs, questions, and
feedback to firstname.lastname@example.org. Credible bug submissions will be
rewarded with Snort goodies.
Get the files at http://www.snort.org/dl/prerelease/
Technorati Tags: security, mckeay, snort, IDS
I’m starting to take some notes for my interviews at RSA, and I’ll be throwing out some quick links as I find them. Here are a few of the links I’ve found on TippingPoint.
That’s a few minutes worth of reading for you.
Technorati Tags: security, McKeay, TippingPoint