From: Richard C. <ric...@gm...> - 2005-11-05 17:53:45
Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?

--
Thanks,
Rich Compton
From: Victor J. <vi...@nk...> - 2005-11-05 19:19:34
On Saturday 05 November 2005 18:53, Richard Compton wrote:
> Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?

As far as I know they don't use Snort_inline...

Regards,
Victor
From: Eric H. <eri...@ap...> - 2005-11-07 01:25:16
For a company whose founder created Snort, built appliances powered by Snort, and put the effort into integrating Snort-Inline into the Snort codebase, I would find it highly unlikely that they would use anything but... Especially since their appliances use Snort signatures.

Any Snort-based product company, such as Countersnipe, Sourcefire, Demarc, even Applied Watch, any IPS capabilities announced by these companies you can believe is most likely powered by Snort-Inline. Especially if the solutions use Snort signatures.

The only other snort-based IPS that I am aware of other than Snort-Inline is Hogwash; however, I'm not aware of any commercial company that uses it. It would be interesting to hear if anyone is actually using it. Side note, last I heard, the Hogwash project was dead but from what I can see on the project page, it may be picking back up.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
---------------------------------------------------
Headquarters: 1095 Pingree Road Suite 213, Crystal Lake, IL 60014
Virginia Office: 4524 Waverly Crossing Lane (DoD/Intelligence), Chantilly, Va. 20151
TS/SCI Cleared Personnel
---------------------------------------------------
Web Site: http://www.appliedwatch.com
Tel: (877) 262-7593
Direct: (877) 262-7593 ext:327
Cell: (847) 456-6785
---------------------------------------------------

Victor Julien wrote:
> On Saturday 05 November 2005 18:53, Richard Compton wrote:
>> Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?
>
> As far as i know they don't use Snort_inline...
>
> Regards,
> Victor
From: Jason <sec...@br...> - 2005-11-07 01:04:59
Sourcefire maintains and uses the inline capabilities of snort proper

EG:

$ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
$ tar -xvzf snort-2.4.3.tar.gz
$ cd snort-2.4.3
$ ./configure --enable-inline && make && make install

Richard Compton wrote:
> Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?
>
> --
> Thanks,
> Rich Compton
From: Nick R. <ni...@ro...> - 2005-11-07 19:56:45
> Sourcefire maintains and uses the inline capabilities of snort proper
>
> EG:
>
> $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> $ tar -xvzf snort-2.4.3.tar.gz
> $ cd snort-2.4.3
> $ ./configure --enable-inline && make && make install

I would be very surprised if SourceFire is using snort_inline for their production branch. More likely, it is a modified version of snort+flexresponse. Is anyone at SourceFire on this list that could comment?

> Richard Compton wrote:
>> Sourcefire has their own line of IPSs that sit inline and block traffic. Do these devices just use snort-inline or do they have some proprietary code that they use for their IPS? Anybody have any experience w/ these IPSs?
>>
>> --
>> Thanks,
>> Rich Compton

Nick Rogness <ni...@ro...>
From: Nick R. <ni...@ro...> - 2005-11-08 02:35:55
> I am not subscribed to the list from this address so please copy me on any replies.
>
> Nick Rogness wrote:
>>> Sourcefire maintains and uses the inline capabilities of snort proper
>>>
>>> EG:
>>>
>>> $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
>>> $ tar -xvzf snort-2.4.3.tar.gz
>>> $ cd snort-2.4.3
>>> $ ./configure --enable-inline && make && make install
>>
>> I would be very surprised if SourceFire is using snort_inline for their production branch. More likely, it is a modified version of snort+flexresponse. Is anyone at SourceFire on this list that could comment?
>
> Sourcefire does not use snort-inline or a modified version of snort+flexresp, we maintain and use the inline capabilities of snort proper.
>
> The same capabilities are available in Snort from http://www.snort.org/dl and can be enabled by fetching the latest sources and enabling inline mode by doing ./configure --enable-inline during the build process.

Ummm, that IS snort_inline then (an older version patch). I'll be damned...

Nick Rogness <ni...@ro...>
From: Richard C. <ric...@gm...> - 2005-11-09 04:22:19
Ok, so that's the answer? Sourcefire uses an older version of snort_inline which is developed by William Metcalf and others for their "SC best buy" IPS. I'm running a newer version of snort-inline and it was free. I'd say that's the real "best buy" :)

It occurs to me that it would be very convenient for folks out there to have a live cd or an install cd that would have the OS, snort-inline, iptables, clamav, base, ntop, etc preconfigured so users could just download the cd, install it on a box w/ 3 ethernet interfaces and PRESTO! you have an IPS.

Maybe the honeywall cd could be modified? It has pretty much everything listed.

Any comments?

On 11/7/05, Nick Rogness <ni...@ro...> wrote:
>> I am not subscribed to the list from this address so please copy me on any replies.
>>
>> Nick Rogness wrote:
>>>> Sourcefire maintains and uses the inline capabilities of snort proper
>>>>
>>>> EG:
>>>>
>>>> $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
>>>> $ tar -xvzf snort-2.4.3.tar.gz
>>>> $ cd snort-2.4.3
>>>> $ ./configure --enable-inline && make && make install
>>>
>>> I would be very surprised if SourceFire is using snort_inline for their production branch. More likely, it is a modified version of snort+flexresponse. Is anyone at SourceFire on this list that could comment?
>>
>> Sourcefire does not use snort-inline or a modified version of snort+flexresp, we maintain and use the inline capabilities of snort proper.
>>
>> The same capabilities are available in Snort from http://www.snort.org/dl and can be enabled by fetching the latest sources and enabling inline mode by doing ./configure --enable-inline during the build process.
>
> Ummm, that IS snort_inline then (an older version patch). I'll be damned...
>
> Nick Rogness <ni...@ro...>

--
Thanks,
Rich Compton
From: Adrian S. <soo...@gm...> - 2005-11-10 00:21:55
I don't know whether Sourcefire uses snort-inline or not, but I do know that one limitation they have run into in the past with their IPSs and IDSs is the database. The database is a bottleneck that I think many people overlook. They may use snort-inline, but what gives them and a few other IPS vendors their "competitive edge", if you will, is the database that collects all their information.

I've never used an IPS from ISS, but I hear they don't bother logging alerts in as great of a detail as Sourcefire's and others' IPSs do because of the database problem. For example, when MySQL or Oracle get a million or so records, record insertion rates drop down to somewhere in the hundreds per second (or slower, depending on the database schema and how many indexes you have - the more the indexes, the slower the insertion rates) -- not good if you're on a busy network or having one database collecting alerts for many sensors!

I think they use a proprietary high-speed database that they license from some other company. The database boasts they can do orders of magnitude more insertions per second, even with hundreds of millions of records (Oracle will fall on its face with that many records!). The database also has a crazy fast record retrieval rate, even when there are millions of records to search through.

For users that have a small internet pipe, perhaps this solution will work. But when getting into the 30, 100 mbit or gigabit space, the database is going to be the biggest bottleneck. You wouldn't be able to use one of these honeywall or live-cd IPSs to protect an internal network, if there are alerts being generated.

-Adrian

On 11/8/05, Richard Compton <ric...@gm...> wrote:
> Ok, so that's the answer? Sourcefire uses an older version of snort_inline which is developed by William Metcalf and others for their "SC best buy" IPS. I'm running a newer version of snort-inline and it was free. I'd say that's the real "best buy" :)
>
> It occurs to me that it would be very convenient for folks out there to have a live cd or an install cd that would have the OS, snort-inline, iptables, clamav, base, ntop, etc preconfigured so users could just download the cd, install it on a box w/ 3 ethernet interfaces and PRESTO! you have an IPS.
>
> Maybe the honeywall cd could be modified? It has pretty much everything listed.
>
> Any comments?
>
> On 11/7/05, Nick Rogness <ni...@ro...> wrote:
>>> I am not subscribed to the list from this address so please copy me on any replies.
>>>
>>> Nick Rogness wrote:
>>>>> Sourcefire maintains and uses the inline capabilities of snort proper
>>>>>
>>>>> EG:
>>>>>
>>>>> $ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
>>>>> $ tar -xvzf snort-2.4.3.tar.gz
>>>>> $ cd snort-2.4.3
>>>>> $ ./configure --enable-inline && make && make install
>>>>
>>>> I would be very surprised if SourceFire is using snort_inline for their production branch. More likely, it is a modified version of snort+flexresponse. Is anyone at SourceFire on this list that could comment?
>>>
>>> Sourcefire does not use snort-inline or a modified version of snort+flexresp, we maintain and use the inline capabilities of snort proper.
>>>
>>> The same capabilities are available in Snort from http://www.snort.org/dl and can be enabled by fetching the latest sources and enabling inline mode by doing ./configure --enable-inline during the build process.
>>
>> Ummm, that IS snort_inline then (an older version patch). I'll be damned...
>>
>> Nick Rogness <ni...@ro...>
>
> --
> Thanks,
> Rich Compton
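The alert-database bottleneck Adrian describes (insert rate falling as indexes are added) can be measured directly. The following is an added example, not code from the thread or from any of the products named; it uses an in-memory SQLite table with a constructed Snort-style alert schema in place of the MySQL/Oracle backends mentioned, so the absolute numbers differ, and it goes one step beyond the post by also comparing a commit per alert against batched commits, the usual mitigation.

```python
import random
import sqlite3
import time

# Constructed sample: Snort-style alert rows (timestamp, signature id,
# source address, destination address, destination port). All values are synthetic.
def make_alerts(n, seed=1):
    rng = random.Random(seed)
    return [
        (1131000000 + i, rng.randint(1, 9000),
         "10.0.%d.%d" % (rng.randint(0, 255), rng.randint(1, 254)),
         "192.168.1.%d" % rng.randint(1, 254),
         rng.choice([22, 25, 80, 443]))
        for i in range(n)
    ]

def insert_rate(alerts, indexed_columns, batch_size):
    """Load alerts into a fresh in-memory table carrying the given indexes,
    committing once per batch_size rows. Returns (row_count, rows_per_second)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE event (ts INTEGER, sid INTEGER, "
                 "src TEXT, dst TEXT, dport INTEGER)")
    for col in indexed_columns:
        conn.execute("CREATE INDEX idx_%s ON event(%s)" % (col, col))
    start = time.perf_counter()
    for i in range(0, len(alerts), batch_size):
        # One transaction per batch; batch_size=1 models a sensor that
        # commits every alert individually, the slowest pattern.
        with conn:
            conn.executemany("INSERT INTO event VALUES (?, ?, ?, ?, ?)",
                             alerts[i:i + batch_size])
    elapsed = max(time.perf_counter() - start, 1e-9)
    count = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return count, count / elapsed

if __name__ == "__main__":
    alerts = make_alerts(20000)
    scenarios = [
        ("no indexes, commit per alert", [], 1),
        ("four indexes, commit per alert", ["ts", "sid", "src", "dst"], 1),
        ("four indexes, 1000-row batches", ["ts", "sid", "src", "dst"], 1000),
    ]
    for label, idx, batch in scenarios:
        n, rate = insert_rate(alerts, idx, batch)
        print("%-32s %6d rows %10.0f rows/s" % (label, n, rate))
```

Run it with a larger row count and a file-backed database to see the per-alert commit cost that dominates on a real sensor; the ordering of the three scenarios is the point, not the specific figures.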