Snort: IDS Done Well (and Good) - page 3
The Joys of Success
SourceFire's proprietary advances have not only addressed the challenges that reviewers have mentioned about Snort, but have propelled SourceFire into a leadership role in IPS appliances.
The SourceFire 3D product (Discover, Determine, Defend) has 3 layers: SourceFire Intrusion Sensors and Agents, SourceFire RNA Sensors, and the SourceFire Defense Center. According to the company's website, "(b)y closely integrating and correlating the threat information provided by Sourcefire Intrusion Sensors and Agents with the network intelligence provided by Sourcefire RNA Sensors, the Sourcefire Defense Center prioritizes the millions of security events to determine the most critical events to an organization's business, and takes the appropriate actions."
Victor Garza and Charles Herring evaluated SourceFire 3D for InfoWorld and were impressed by the product. They found the RNA sensor interface "remarkably intuitive," along with the Defense Center, which allows users to "start at a 10,000-foot view of the network and drill down to the granular aspects of security events." The reviewers at SC magazine were equally happy with the RNA sensor, particularly its ability to "match what it knows about network resources with its vulnerability signature database." If SourceFire were defending against a storm of Slammer traffic, according to the SC review, the RNA sensor would know that, for example, its Microsoft SQL servers weren't vulnerable, and mark the attack as a low priority. Other IDS vendors would be "lit up like a Christmas tree."
One area that was found wanting in the SC review was SourceFire's ability to analyze data for trends. Their solution was to use a different product (ArcSight ESM) to further manipulate the data. The InfoWorld reviewers commented on SourceFire's inability to protect against VOIP-based attacks, however they acknowledged the edge given to SourceFire by its "bleeding-edge" Snort community.
Snort's influence is strongly present in the Intrusion Sensor aspect of SourceFire, as it's built atop the Snort IDS engine. This has pluses and minuses attached. On the plus side, Garza and Herring liked the ability to customize simple Snort signatures to fit the demands of their particular network. On the minus side, they needed to invest a few hours in adjusting those signatures to reduce the number of false positives they received. Gartner analysts also pointed out the need for more SourceFire developed signatures versus its dependency on Snort signatures.
Regarding future trends in the Network Intrusion sector, Gartner projects a problem area in "malicious executables that do not look to exploit known vulnerabilities." It'll be interesting to see how SourceFire, TippingPoint, StillSecure and other vendors address this potentially complex threat in the future.
This article originally appeared on eSecurityPlanet, a JupiterWeb site.