Recently I received the new SC Magazine and noticed a new Group Test addressing so-called intrusion prevention systems. The reviewer was Christopher Moody, but I was unable to get any sort of background information on him. He has written most of the recent SC Magazine Group Tests, however. As you can read in the story, or in this press release, the Sourcefire IS-2000 won SC Magazine's "Best Buy" award. From the review:
"Its high level of protection and simple rule writing using the Snort engine make it a good standalone product. But it is when it is used as part of the 3D System that it really takes off. Sourcefire’s Defense Center provides excellent centralized management and reporting, and its Real-time Network analysis appliance gives a wider look at the network to help secure it."
The Top Layer IPS 5500 Attack Mitigator was the SC Magazine Recommended product, even though it had a "small attack signature database compared to other products." Review readers will notice that all of the heavyweight IPS vendors were listed, including TippingPoint and ISS. In addition to Sourcefire, three (perhaps four) other products were Snort-based: Countersnipe, Barbedwire, and V-Secure. (I suspect XSGuard is Snort-based too, but I have no proof.) Did you notice that none of those three are part of Sourcefire's Certified Snort Integrator program? That means they are not allowed to apply VRT rule updates to their products.
Overall I do not have that much confidence in the quality of the review. I trust someone like Greg Shipley who seems to ask the right questions and back them up with real tests. See his recent firewall round-up as an example; at least they mention testing methodologies. I suspect Mr. Moody was limited by page space, but he could have provided more detail on the SC Magazine Web site. I do think that Snort + RNA is incredibly powerful, and I doubt there is a better solution available. I just don't think SC Magazine makes its judgements in a manner I find most helpful.
On a related note, the Open Source Snort Rules Consortium (OSSRC) is online; consider joining.