Intrusion Detection Systems: Re: IDS Comparison

Re: IDS Comparison

From: Ron Gula <rgula_at_network-defense.com>
Date: Sun, 05 Mar 2000 20:32:59 -0500

Wow ... this list is *really* heating up again ...

Here are some responses to some comments by John Flowers.

>Dragon and NFR have similar problems when you have *average* IT staff,
>as they don't ship with Ron Gula (which may be a good thing) or Marcus
>Ranum to help you set them up.

Agreed. I set out to make Dragon have as many bells and whistles as
possible. Most of these bells and whistles are beyond the IT staff that
is buying their first IDS. But for ISPs, CLECs, ASPs and managed 24x7
security companies, it fits in very well.

As for *average* staff, we're trying to price Dragon such that someone
without the resources to run an IDS can afford to have a smart managed
security company such as Riptech or Netsec run their IDS at a fair price.

We also have a number of customers who have invested 12 months or so
into products like Real Secure or NetRanger and want to step up the
level of sophistication. Usually they try Dragon and NFR. Sometimes they
buy Dragon, sometimes they buy NFR. Sometimes Ron actually helps them
set up Dragon too (and it is a good thing).

>And, yeah Ron, I know there's an "appliance" version of Dragon. BFD.

If the assumption is that appliances are supposed to be brain dead easy
then we didn't do that. We just bundled the software with some hardware
which is a convenient way to purchase large numbers of Dragon Sensors.

>You still have to figure out how to a) write the logs to some application
>whose reports don't totally suck and

Sorry you don't like the way we write our logs. Most of our customers
do. I'll be sure to get your input when we release our backend reporting
tool and report writer later this quarter. (Did you hear that ISS? NSW
is rolling out a few more products ... )

>b) figure out how to put more than 10 sensors in place without having
>them smack the logging server every time someone sends an email message
>with contents that look like an attack.

If the session matches a signature, then it will get logged. All signature
based systems are imperfect, but many attacks are unique enough that simple
signatures have low false positive rates. For some signatures, the false
positive rate is very very high and those signatures need to be modified.

>Of course, the Dragon rules are pretty easy to setup as you can grab a copy
>of the vision.conf file for snort [http://www.whitehats.com] and translate
>all of them to Dragon with a simple shell script.

Not all of them. There are many rule formats which don't directly correlate
to Dragon. Some of the content rules (looking for patterns in specific network
traffic) do, but things like wildcards and compound signatures are not
currently supported in snort (although I haven't checked out version 1.6).

>P.S. "/cgi-bin/phf" "/cgi-bin/loadpage.cgi?user_id=1&file=wager"

For those who are a step behind here, this is supposed to be a joke (I think)
in that the above text would false alarm a Dragon sensor. First of all, this
is an email message most likely viewed on port 25, possibly downloaded from
a POP server on 110 or 109. None of those ports by default should have web
rules applied to them. If someone were to download this email through a web
browser, these are still web server attacks. Data coming from port 80 won't
have any of the web attack signatures applied to it.

All in all, I hope that any lurkers on this list who have questions won't
be intimidated that the respective CTOs and Chief Scientists from a
variety of strong network security companies are sparring it out here. If
you have questions, let them fly. I'd also like to give a shout out to all
of those new companies that will be releasing an IDS some time in 2000 or
2001. There is always more than one way to skin a cat.

Ron Gula, CTO
Network Security Wizards
http://www.securitywizards.com
Received on Mar 05 2000
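The port-scoping argument above (a web-attack string inside an e-mail on port 25 or 110 should not trip a rule that only applies to traffic bound for a web server, and data coming back from port 80 should not be checked against request signatures either) can be shown with a small matcher. The code below is an added example and is not Ron Gula's code or anything from Dragon or snort; the `Session` and `Rule` types, the rule names, the sample sessions and the deliberately over-broad rule are all constructed for this demonstration. It also illustrates the remark about signatures with very high false positive rates needing to be modified, by comparing a broad `/cgi-bin/` pattern with the narrower `/cgi-bin/phf` one over the same requests.

```python
"""Added example (not from the original message): a minimal port-aware
signature matcher. Everything here is constructed for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    # Hypothetical reassembled TCP session, client -> server direction.
    src_port: int
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    # A content rule is scoped to the service ports it makes sense on;
    # a web-server rule is only evaluated for traffic bound for port 80.
    name: str
    dst_ports: frozenset
    pattern: bytes


# Constructed web-server rules, scoped to the HTTP service port.
WEB_RULES = [
    Rule("WEB-CGI phf access", frozenset({80}), b"/cgi-bin/phf"),
    Rule("WEB-CGI loadpage.cgi access", frozenset({80}), b"/cgi-bin/loadpage.cgi"),
]

# Constructed over-broad rule of the kind that produces many false alarms.
BROAD_RULE = Rule("WEB-CGI any cgi-bin (too broad)", frozenset({80}), b"/cgi-bin/")


def match(session, rules):
    """Names of rules whose port scope includes the session's destination
    port AND whose pattern occurs in the payload. Both conditions are
    required, which is what keeps mail traffic from tripping web rules."""
    return [r.name for r in rules
            if session.dst_port in r.dst_ports and r.pattern in session.payload]


# Constructed sample sessions carrying the string quoted in the message.
MAIL_BODY = b'Subject: IDS\r\n\r\nP.S. "/cgi-bin/phf" "/cgi-bin/loadpage.cgi?user_id=1&file=wager"\r\n'
EMAIL_SMTP = Session(src_port=43211, dst_port=25, payload=b"DATA\r\n" + MAIL_BODY)
EMAIL_POP3 = Session(src_port=80, dst_port=43212, payload=b"RETR 1\r\n+OK\r\n" + MAIL_BODY)
HTTP_REQ = Session(src_port=43213, dst_port=80, payload=b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n")
# Server response: the same string coming FROM port 80 is not a request.
HTTP_RESP = Session(src_port=80, dst_port=43213,
                    payload=b"HTTP/1.0 200 OK\r\n\r\n<a href=\"/cgi-bin/phf\">old link</a>")

# Constructed benign web requests used to compare false-positive behaviour.
BENIGN_REQUESTS = [
    Session(src_port=43300 + i, dst_port=80, payload=p) for i, p in enumerate([
        b"GET /cgi-bin/search.cgi?q=nmap HTTP/1.0\r\n\r\n",
        b"GET /cgi-bin/guestbook.cgi HTTP/1.0\r\n\r\n",
        b"GET /index.html HTTP/1.0\r\n\r\n",
    ])
]


def alert_count(rule, sessions):
    """How many of the given sessions a single rule fires on."""
    return sum(1 for s in sessions if match(s, [rule]))


def demo():
    """Return the matcher's verdicts so they can be inspected or asserted."""
    return {
        "smtp": match(EMAIL_SMTP, WEB_RULES),
        "pop3": match(EMAIL_POP3, WEB_RULES),
        "http_request": match(HTTP_REQ, WEB_RULES),
        "http_response": match(HTTP_RESP, WEB_RULES),
        "broad_rule_benign_alerts": alert_count(BROAD_RULE, BENIGN_REQUESTS),
        "narrow_rule_benign_alerts": alert_count(WEB_RULES[0], BENIGN_REQUESTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Scoping a rule to a destination port is only as good as the port assignment: a web server listening on a non-standard port, or a sensor that sees reassembled sessions without direction information, would need the rule scoped by identified service rather than by port number, which is a refinement the message does not go into.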
