Andrew Plato wrote:
> Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
> such, SNORT is usually behind the curve on new signatures.

I suppose you have actual figures for this? Because I'd have to claim it FUD otherwise. Compare with the response time of commercial and open source anti viruses, and you'll see that this claim is at best unproven.

> ISS, for
> example, does their own independent security research and has signatures
> to protect against things that Snort people don't even know about.

And I suppose people who work for Sourcefire, or people who contribute rules to the Snort signatures base, don't do vulnerability research? I know that many researchers develop signatures along with their advisory. We've seen that. Are you implying that ISS knows about zero-day vulnerabilities it hasn't alerted vendors to? I think that ISS always claimed to be for responsible disclosures of their findings. Has this changed recently?

> vendors buy exploits from the hacker market - again giving them access
> to vulnerabilities long before it hits the public

Same as above applies. Buying vulnerabilities and exploits and not publishing them is highly unethical. I wouldn't buy anything from a vendor who claimed to do that. Besides, "good" zero days stay in the closet for a long time. They get sold when they already leaked to the outer circles of the scene.

As far as the "who has the rules first", in fact, I remember Snort implementing a way to import the so-advanced, bleeding-edge ISS rules... oh wait, or was it the other way round? :)

Stefano
