Sunday, March 27, 2005

Latest Snort and IDS News

Last week saw several developments involving Snort. First, Sourcefire published the Open Source Snort Rules Consortium (OSSRC) charter (.pdf). The document states:

"The stated goals of the OSSRC are to:

- Establish metrics and standards for Open Source Snort rule development and documentation.
- Provide a forum for the sharing of research and information for the development of effective Snort Rules.
- Ensure continuous support for a Snort Ruleset licensed under the GPL."

Sourcefire and Bleeding Snort will hold most of the power in the new group:

"One representative from each of the founding member organizations, Sourcefire and Bleeding Snort, will serve in the role of co-chair of the OSSRC. Co-chairs will serve as managers of the OSSRC, working as they deem necessary to uphold the mission of the OSSRC. They will hold veto power over any vote of the membership, though any such veto may be overturned by a vote of three-quarters (_) of the membership."

I'm not sure why I see "(_)" several times in the document, but I reproduced it above.

To get involved, become a general member:

"The primary role of general members will be to share research information, rule development, testing facilities, etc with the consortium. In addition, they will be provided the opportunity to discuss and vote upon proposals introduced or sponsored by the officers. Proposals may be passed by a simple majority of the voting members of the OSSRC."

I plan to join the OSSRC. If you'd like to as well, email jennifer dot steffens at sourcefire.com or matt at infotex dot com.

The second piece of Snort news is a Bleeding Snort announcement: Demarc is now sponsoring the Bleeding Snort project. According to news on Demarc's Community Portal:

"Demarc is pleased to announce our official sponsorship of the Bleeding Snort Project. Bleeding Snort has long proven itself as an authority in cutting edge snort rules. Demarc is proud to add the support of our Threat Research Team behind this project and we're excited to be able to help Matt and the rest of the Bleeding Snort team continue their excellent work in creating and bringing together the most up to date Snort-based rules for the entire security community."

I guess it took three weeks for Demarc to realize they weren't getting any traction with their initiative to maintain a separate Snort rule base. Their so-called "Demarc Certified Open Signatures" are still posted without appropriate copyright notices, as far as I can tell.

The last bit of Snort news comes in the form of a new Gigabit IDS Group Test from The NSS Group. You would think that at least six year's worth of commercial Web presence would merit a more modern Web page and less underlining of all text! In any case, their new report is interesting as only products from Sourcefire and ISS are mentioned. Why? The report states:

"For this significant group test we invited all the major vendors in the Network IDS market place (if anyone reading this is a vendor who was not invited, please do let us know). Five agreed to take part and be tested using our latest methodology, including:

Internet Security Systems, Inc.

Sourcefire, Inc.

Three of the five devices submitted for testing failed one or more of the tests and were not awarded NSS Approved. They do not appear in this report, leaving the two listed above, both of which achieved NSS Approved status. Others were not able to submit products in time for this round of testing, and will thus be included in Edition 4."

I would like to know which three failed, although I guess NSS is letting them save face by remaining anonymous. I intend to take a close look at the NSS testing methodology when I have more time.

2 comments:

Anonymous said...

Looks like the pre-test list of the intial participants is here:

http://www.nss.co.uk/ForthcomingEvents/gigabit.htm

So it would appear that Juniper, NFR and Symantec didn't make the cut...

Richard Bejtlich said...

Nice detective work! Thank you.