Domain: sourcefire.com
Stories and comments across the archive that link to sourcefire.com.
Comments · 30
-
Re:From the NSA? or just kinda near them...ish?
Also, I like the 'wildfire' play on likely the main competition, which is Sourcefire. Which really started stuff like Snort and Ethereal...
-
Misunderstanding what trust is
Take the view of the Pentagon and assume that you are at all times compromised. You probably are. Any given entity can be broken into by a determined hacker. Talk to a pen tester sometime and ask them how many places they have failed to break into. The entire concept of trust is that you can send data privately over the Internet; you can't unless you encrypt your data offline ahead of time.
On the Internet trust is all about identity and encryption. For most people that translates into a certificate that is used to supply SSL. People then assume that because they are using SSL they can now trust a given connection. There is no justification for trust and there never has been; the entire concept of trust is a misunderstanding of how a Certificate Authority works.
All a Certificate Authority does is say that there is an unbroken chain of identity from a given point to a given point. Even then a Certificate can be forged or stolen or issued improperly, and even if controls detect a bad certificate in use most people will click the button to use the bad certificate anyways.
All of this assumes that a given government entity hasn't used a court order to force a Certificate Authority to replicate a Certificate so that your data can be seized. Certificate Authorities cooperate with things like court orders; they don't self-destruct like Lavabit. That whole backstory with Lavabit self-destructing - it was a fight over getting the key that was used, because he wouldn't hand over his private key.
People also forget that SSL is wholly dependent on Certificate Authorities. SSL is used to encrypt data with a key when data is in transit. The problem is that anyone that owns the network can conduct an MITM attack against your key. SSL is fundamentally broken because it presents a perception of trust when it is incapable of providing that level of trust.
-
Meaningless
Phones are connected to networks. Government agencies by definition have the ability to issue warrants to get the network provider to turn over all data that passes through their network. Every government on the planet does this and has since the invention of the telephone. It's called a wiretap and the logic was extended for text and other data.
The network provider owns the network. Through the use of warrants the government owns the network provider. When you own the network you own all of the data going over it. With devices that perform MITM on the fly your encryption is useless unless you exchanged the key offline ahead of time. These devices have been sold for government and corporate use for many years.
The idea that anyone has ever had privacy on their mobile is a myth that has never had any basis in reality. You want a secure phone that your favorite government bad guy can't get into? Go to the store, buy your favorite phone and leave it in the package.
-
Re:Time to fork Snort
Looks like they are going to be keeping their open source products open (ClamAV, Snort, and others).
http://blog.sourcefire.com/Post/2013/07/23/1374581400-cisco--sourcefire--now-bigger-stronger-faster/
Also, it looks like Snort is dual-licensed: http://www.snort.org/snort/license
-
Re:NSA
Dude... companies do this all the time, if for no other reason than to compress network traffic. They just buy boxes like this one. All you do is override DNS and CA. It's standard practice.
-
Re:Not a god damned thing
I agree with your point about supercomputers, that isn't what I'm talking about using for decryption.
You don't need a supercomputer to decrypt the contents of a message when you own the network. Automated appliances conduct MITM attacks and are at use in every major corp for things like DLP. One example of a commercial product that you can buy.
http://www.sourcefire.com/security-technologies/network-security/ssl-encryption-decryption
-
Re:Not a god damned thing
Meet the SSL decryption appliance. It works by use of a MITM attack. As I said if you own the network you own anything going through it. When you own the network you can own any corresponding key exchanges.
Here is one such example appliance, there are many others like it.
http://www.sourcefire.com/security-technologies/network-security/ssl-encryption-decryption
-
Re:What he's doing?
I'm guessing SourceFire?
http://www.sourcefire.com/security-technologies/snort
-
About the parent commenter...
Note slashdot username martyroesch, and as it's a six digit UID it can't be some fool that just picked it up today. Here's what Wikipedia says about the parent poster:
Martin Roesch
From Wikipedia, the free encyclopedia
Martin Roesch founded Sourcefire in 2001 and serves as its Chief Technology Officer. A respected authority on intrusion prevention and detection technology and forensics, he is responsible for the technical direction and product development efforts. Martin, who has 17 years industry experience in network security and embedded systems engineering, is also the author and lead developer of the Snort Intrusion Prevention and Detection System that forms the foundation for the Sourcefire 3D System. Over the past 10 years, Martin has developed various network security tools and technologies, including intrusion prevention and detection systems, honeypots, network scanners, and policy enforcement systems for organizations such as GTE Internetworking, Stanford Telecommunications, Inc., and the United States Department of Defense. He has applied his knowledge of network security to penetration testing and network forensics for numerous government and large corporate customers. Martin has been interviewed as an industry expert in multiple technology publications, as well as print and online news services such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Snort has been featured in Scientific American, on A&E's Secret Places: Inside the FBI, and in several books, such as Network Intrusion Detection: An Analyst's Handbook, Intrusion Signatures and Analysis, Maximum Security, Hacking Exposed, and others.
In 2006, Martin was named as one of InformationWeek's 18 "Innovators and Influencers" and one of the Tech Council of Maryland's "Most Influential CTOs in Maryland." Martin has also been the recipient of the 2004 InfoWorld IT Heroes Innovator Award as well as winning the 2004 "40 Under 40" award from the Baltimore Business Journal.
Martin holds a B.S. in Electrical and Computer Engineering from Clarkson University. He is also the author of Daemonlogger. [1]
References
[1] "Sourcefire Website". http://www.sourcefire.com/company/exec. Retrieved 2008-10-28.
Retrieved from "http://en.wikipedia.org/wiki/Martin_Roesch"
To Marty: I tip my hat to you, sir.
-
Some things to consider...
The main factor for Check Point's acquisition was for the RNA technology and the way that the rest of SourceFire's products fit into a centralized management architecture (like Check Point's). Check Point's firewalls have been doing IPS/IDS firewalling for some time. Now combine the existing technology with SourceFire's passive IDS approach and you have quite an interesting technology. Check Point is constantly pushing the envelope and it would have been exciting to see what this would have brought.
As far as all the "US gov't doesn't use Check Point" consider this: one of Check Point's largest customers is the U.S. Army. So we can pretty much put that to rest.
Let's put another one to rest: this whole "Check Point sucks because it's all closed source and they make money" is tiring. While yes, Check Point's security applications are closed source, the development platform for all the apps is Linux. Check Point's own hardened Linux version SecurePlatform is available at no extra cost, is supported without extra cost and is the preferred platform. Download a version and see for yourself: http://www.vmware.com/vmtn/appliances/. You'll see that Check Point makes extensive use of OSS, and even contributes back to the community from what I hear.
Check Point is a strong advocate for Open Source where it makes sense, and I don't think they need to apologize for being profitable when US based companies like Cisco and Microsoft make billions off the crap they have slopped together.
This whole Israeli "back door" thing is ridiculous, and stings of anti-Semitic conspiracy. Israel has consistently been the US's most staunch ally (when allowed). What possible benefit would Israel or Check Point gain by allowing a backdoor to be widely distributed throughout the world? Think about it, Check Point has been in business for 13+ years, and has hundreds of thousands of Internet perimeter firewalls out there in operation. Don't you think that if there was a deliberate back door it would have been found by now? Yeah those crazy Jews are out for world domination again. Ridiculous.
It is no secret that Check Point is run by mad scientists who make great product, but don't have a clue when it comes to running a business (well maybe just the bribing part). Could it be that Check Point maybe didn't grease Washington the way it should have? Could it be that Sam Nunn being on the board of directors for a direct competitor of Sourcefire and Check Point might have had something to do with this? Could it be that market powerhouses like Cisco who spend more money on marketing the mythical "self-defending network" than actually fixing their sh!t helped put a stop to this?
Follow the money. It was big business and big Bush that killed this deal. And yes Check Point is a $Billion+ company so I'm sure they will survive (sniff sniff), but how does this play into the mythical "global free market" we keep hearing about? Is protecting stagnant companies like ISS and Cisco what is really best for the security market and the rest of us?
-
Re:irrational fear?
Snort is open-source.... SourceFire makes money off the other things they've created to work with/around Snort...
Quoted from here
"Roesch sees Snort and Sourcefire as two different solutions aimed at distinctive markets. "The idea of Snort was to give people the best free, open source intrusion detection system we could, and we were pretty successful at that," he said. "The idea of Sourcefire is to say, 'Okay, we've got good intrusion detection technology: let's add everything else people need to use these systems effectively in large organizations.'"
And that's not to say that large organizations can't use Snort without the backing of Sourcefire. Roesch says some of the biggest companies in the world use Snort. Sourcefire just adds the manageability along with ease of use and deployment that many enterprise customers are looking for in an intrusion detection system.
Sourcefire's OpenSnort Sensors cost $9,995 each, and the OpenSnort Management Console costs $19,995. Various service contracts are available, ranging from a platinum level with around-the-clock support to a standard contract with per-incident support and e-mail discussion list access. Training on Sourcefire's products is also available. Training on IDS and forensic analysis in general is planned for the near future"
Also, the Federal Information Security Management Act might have a lot to do with this decision as well:
"The Federal Information Security Management Act (FISMA), Title III of the E-Government Act of 2002, outlines requirements to secure Federal information. Each Federal Agency, including contractors or other organizations who work with the agency, must develop, document, and implement an agency-wide information security program. Detailed guidance and recommendations are provided by the National Institute for Standards and Technology (NIST) encompassing all aspects of information security."
-
Re:But it is freely available to anybody
Sourcefire sells snort as part of a system. See here.
-
Re:gotta love it
The Snort® open source intrusion prevention and detection technology was created in 1998 by Martin Roesch, the founder of Sourcefire. With its unprecedented speed, power and performance, Snort quickly gained momentum to become the single most widely deployed intrusion prevention and detection technology in the world. In fact, Gartner recognized the mainstream acceptance of Snort in their "Gartner Hype Cycle for Open-Source Technologies" citing Snort as "Widely available. Used by mainstream companies and supported by many vendors." The wide availability of open source brings many advantages. Since the code is open and non-proprietary, open source development occurs at a markedly accelerated pace compared to proprietary models, thanks to a vast community of security experts continually analyzing and improving code. Simply, users in the open source security community worldwide can detect and respond to bugs and other security threats faster and more efficiently than in a "closed" environment. Now, with more than 2 million downloads, the Snort open source community has a well-earned reputation for extraordinary organization and dedication. Literally hundreds of thousands of security engineers and specialists the world over contribute Snort rules to new and evolving threats every hour of the day, often in record time.
Today: The Best of Both Worlds
Today, Sourcefire combines the very best of open source with the best of the commercial world. Leveraging the power and reach of the open source Snort rules-based detection engine, Sourcefire adds a critical layer of asset and behavioral profiling. Sourcefire's RNA (Real-time Network Awareness) maintains a persistent profile of a network and its assets. Using passive discovery methods, RNA adds a new level of visibility and intelligence. Sourcefire products are easy to use, out of the box, tuned and fully loaded, plug-n-protect appliances, with pre-optimized hardware and OS.
Building on the proven, time-tested Snort intrusion prevention and detection engine, Sourcefire brings a new generation of the first ever unified intrusion and vulnerability management technologies to enterprises from manufacturing to the military. These include Sourcefire Intrusion Agents(TM) for Snort, commercial appliance versions based on Snort code, designed to make it easy for open source Snort users to fully capitalize on their investment in all open source Snort deployments. In addition, the Sourcefire Vulnerability Research Team (VRT), joined by the eyes and ears of the vast open source Snort community, put the largest brain trust in network security at work for every Sourcefire customer. As part of an ongoing dedication and active involvement in the community, Sourcefire continues to enhance Snort. For example, the Sourcefire Security Education Program is a comprehensive certified training program. Delivered direct from the creators of Snort, users will learn the latest real world tools and techniques for optimizing Snort technology and all Sourcefire products. Sourcefire will continue to enhance open source as well as commercial versions. The result is a win-win for bringing truly effective network security for the real world.
Source: http://www.sourcefire.com/snort.html
-
Re:Misleading and ignorant?
Actually, you are wrong.
Sourcefire was founded by Marty Roesch (who is a user here on Slashdot and prolly just cringed at you writing that); Marty wrote Snort. Sourcefire USES Snort in their devices.
Look at it..
http://www.snort.org/ 0wned by sourcefire
http://www.sourcefire.com/ Powered by snort
-
Its a big freekin pitcher...
That's *the* valid excuse. They were in fact drinking the kool-aid - they believed that by contributing to the codebase, that it would make everyone's project stronger. As it happened, they kept giving and the competition kept taking. The community didn't give back.
I guess they didn't gain anything from Linux, libwhisker, nmap, Bugzilla (MPL, I know - but they use it, and the argument still works), or any of the countless other open source projects. Why is it that coders always feel they don't get their just rewards? Why ever release under the GPL to begin with? Didn't gain anything... pfft.
Nessus gained a reputation as a premier vulnerability scanner because it was open and free -- period. Nessus isn't terribly more special than Retina or ISS Internet Scanner. Look up "vulnerability scanner" in Google and your first hit is Nessus because it was free AND open. Had it just been free it never would have gotten off the ground. Seems to me Linux probably wouldn't have gotten very far either. Hey, it's their code (I guess), so they can do what they want with it. I guess they just weren't making enough of their own black box implementation - but they'll need to have some insane tricks up their sleeves if they think they'll make money against whoever forks Nessus 2.x and keeps it free.
Hell the only reason anyone buys ISS's scanner is because it ties in with their whole SiteProtector line.
*shrug*
Some people do manage to make some money from their open source projects... SourceFire. Odd day in open source security land.
-
SourceFire did it with Snort
There are definitely business models out there that can work. The key is to be able to add value to the product in a way that the PHB can understand.
SourceFire seems to have found a way to do it. Going beyond just packaging Snort on "black boxes" and providing support, they went through the effort to get their commercial version of Snort through the necessary certifications to be allowed on US government networks. It cost them money, but it is going to make them money as well.
My PHB wouldn't have allowed me to deploy Snort, arguably with good reason. But SourceFire, no problem. And from what I hear at other agencies, I'm not the only one.
It works because Snort has established a solid reputation, and SourceFire has added the pieces it takes to sell it to the boss.
-
Sourcefire and RNA
I've worked with IDS for more than 8 years, and Snort for at least 6 years. Currently, I recommend Sourcefire to my customers. Why? Well, Snort with commercial support is great, but it's not enough. Sourcefire however developed RNA, which does passive network protocol analysis, and builds a knowledge base of vulnerabilities and hosts -- and allows IDS rules to be tuned according to relevance. (Note that RNA doesn't help when it comes to IPS.)
Having said that, I am generally against deploying any fully-automated IPS responses, due to the possibilities of false positives and potential for new attack vectors (i.e., a crafty attacker using the defenses against you.)
Until expert systems are as smart as experienced IDS analysts, the best defense is a dedicated team of people who deploy early-warning systems, and who watch the network carefully, 24x7, aided by tools like RNA. If you're really serious about security, however, you will develop two teams: Red Team and Blue Team. Let one handle defense, the other run attacks, and let the games begin... and don't forget to cycle people between the teams!
-
Snort supports in-line operation
Hi there, original author of Snort here.
Snort supports in-line (intrusion prevention) operation on Linux as of version 2.3.0. There is also the snort-inline project which maintains a different code branch that includes support for divert sockets on FreeBSD as well as some in-line focused mods.
Sourcefire (my company) builds commercial-grade IPS using Snort as the foundation technology and it works well. We're continuing to improve the technology on an ongoing basis as it's central to our IPS offerings. If you want to run an IPS to try out the technology, Snort is certainly suitable today.
-
Re:plenty of appliances...
Don't forget Sourcefire, the company who created and maintains SNORT. They have appliances ranging from home/office up to multi-gigabits.
-AC
-
Re:Should I bother?
A great example of what you are asking about is the company Sourcefire. The free program in question is Snort. Sourcefire improves the core of Snort and sells complete solutions (boxes with snort configured, support on boxes sold, etc). The improvements made to Snort by Sourcefire trickle back into the Snort codebase. End result is that a company makes a decent living off a free program, and the free program gets a professional staff working on it.
-
Re:How...
Wow, you misread that article badly.
Free engineering from a large community. That's what the businesspeople want out of open source.
It's the same guy that made Snort to begin with, and he's still contributing/leading the development of the software. And the profit comes from making the interface.
Umm well, where to begin; let's start right over here where we see it's not just a front end, but hardware to run the application as well. Oh and look, they have other things that don't use Snort, or other OSS projects that he created himself. Next you're going to tell me that MandrakeSoft is evil because when I was on dialup I bought Linux Mandrake 7.1 instead of downloading it (my first venture into Linux BTW), and Red Hat must be evil for profiting on their front end of the Linux kernel as well.... [/rant]
-
Setting the record straight
The article missed a few key points so I'll try to set the record straight here.
First off, my presentation was about making the case for Passive Network Discovery Systems (PNDS), a "new" technology that I created over at Sourcefire. The basic idea of a PNDS is to discover the composition and topology of your network via a mix of passive OS fingerprinting and passive application layer protocol discovery and the other information that you can infer from that data, such as network topology and asset vulnerabilities. I sought to show how that technology could improve a variety of network security technologies by using the example of how Snort (and other IDS) works today and how it could be improved by integrating the information that comes from a PNDS.
Sourcefire has developed a product called RNA that performs the PNDS functions that I outlined during my talk. Note that it is a proprietary technology that we developed commercially and it is a completely separate product from Snort or the Sourcefire IDS sensors. We are not going to be integrating the functionality of RNA into Snort, we're going to be modifying Snort to take advantage of the information that a system like RNA can generate. In the best case scenario, RNA has a very different deployment profile than an IDS.
I said that IDS has had trouble in the market because of its complexity and the requirement that users perform extensive tuning of IDSes in general in order to get maximum benefit from them. There are a lot of things that factor into this problem, but the root cause of almost all IDS problems today is that we don't have automated methods for provisioning them nor do we have effective methods of data reduction available that are automated, persistent and real-time. PNDS addresses that problem head on in a way that is appropriate for real-time processes like IDS in ways that traditional scanning technologies have a very tough time providing.
I then went on to say that we're planning on making changes to Snort to enable it to leverage the information that a system like RNA provides and make it into a true target-based IDS, redefining how IDS operates and hopefully revitalizing it as a technology. Snort will still be available for free and will still operate in "classic" mode where it doesn't leverage this info for people who don't have passive discovery technologies (or even active ones) so that they can still continue to use it.
Snort is not going to be doing the configuration policy enforcement (i.e. the "block OS X on my network" function), RNA is. RNA is capable of seeing devices on the network and discovering their attributes in real-time and communicating that data to our management console where it can be analyzed for policy compliance and where appropriate remediation responses can be executed. Not to get too deep into the marketing, but there are good engineering reasons for wanting to do this that include worm/virus containment, real-time IDS policy updates and some other really useful mechanisms for performing policy enforcement.
We're making mods to Snort because we believe that we can make a truly next-generation IDS capability that is easier to deploy, manage and get valuable information out of due to the effect of RNA. This approach directly addresses all the arguments of the "IDS is dead" crowd while at the same time making IDS a much more impactful technology while greatly reducing the overhead requirements on users.
I hope this clears things up for people!
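As an added illustration (not code from the original post, nor from Snort or RNA), here is a small Python model of the target-based idea described above, which also covers the "tuned according to relevance" point in the earlier "Sourcefire and RNA" comment: passive observations (OS fingerprint, service banners) are folded into a per-host knowledge base, and each IDS alert is then rated against what is actually known about its target. All hosts, banners, alerts and rule metadata are constructed sample values, and the relevance rule is an assumption of this example.

```python
"""Target-based alert triage from a passive asset inventory (constructed demo)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical passive observations, of the kind a PNDS would infer from traffic.
# Constructed sample data, not output of any real product.
OBSERVATIONS = [
    # (observed host, kind, value)
    ("10.0.0.5", "os", "Linux 2.6"),                   # from TCP/IP stack fingerprint
    ("10.0.0.5", "service", "80/tcp Apache/2.2.3"),    # from HTTP Server: header
    ("10.0.0.5", "service", "22/tcp OpenSSH_4.3"),     # from SSH version banner
    ("10.0.0.9", "os", "Windows Server 2003"),
    ("10.0.0.9", "service", "80/tcp Microsoft-IIS/6.0"),
    # 10.0.0.23 has only been seen as a client so far: no OS, no services known
]


@dataclass
class Asset:
    ip: str
    os: Optional[str] = None
    services: Dict[int, str] = field(default_factory=dict)  # port -> product banner


def build_inventory(observations) -> Dict[str, Asset]:
    """Fold passive observations into a per-host knowledge base."""
    inventory: Dict[str, Asset] = {}
    for ip, kind, value in observations:
        asset = inventory.setdefault(ip, Asset(ip))
        if kind == "os":
            asset.os = value
        elif kind == "service":
            port_proto, banner = value.split(" ", 1)   # "80/tcp Apache/2.2.3"
            asset.services[int(port_proto.split("/")[0])] = banner
    return inventory


# Constructed alerts in the spirit of Snort output, plus the metadata a rule
# author would attach about which product / OS family the rule actually affects.
ALERTS = [
    {"sid": 1001, "msg": "WEB-IIS ISAPI overflow attempt", "dst": "10.0.0.5",
     "dport": 80, "affects_product": "Microsoft-IIS", "affects_os": "Windows"},
    {"sid": 1001, "msg": "WEB-IIS ISAPI overflow attempt", "dst": "10.0.0.9",
     "dport": 80, "affects_product": "Microsoft-IIS", "affects_os": "Windows"},
    {"sid": 2002, "msg": "SSH version probe", "dst": "10.0.0.5",
     "dport": 22, "affects_product": "OpenSSH", "affects_os": None},
    {"sid": 1001, "msg": "WEB-IIS ISAPI overflow attempt", "dst": "10.0.0.23",
     "dport": 80, "affects_product": "Microsoft-IIS", "affects_os": "Windows"},
]


def rate_alert(alert, inventory: Dict[str, Asset]) -> str:
    """Return 'relevant', 'irrelevant' or 'unknown' for one alert.

    Only contradicting evidence downgrades an alert: a host we know nothing
    about stays 'unknown', so data reduction never silently drops it.
    """
    asset = inventory.get(alert["dst"])
    if asset is None:
        return "unknown"
    banner = asset.services.get(alert["dport"])
    if banner is not None:
        # We have seen the service on that port: compare product names.
        return "relevant" if banner.startswith(alert["affects_product"]) else "irrelevant"
    # No banner for that port: fall back to the OS family when the rule names one.
    if alert["affects_os"] and asset.os:
        return "relevant" if asset.os.startswith(alert["affects_os"]) else "irrelevant"
    return "unknown"


def triage(alerts, inventory: Dict[str, Asset]) -> List[Tuple[int, str, str]]:
    """Annotate every alert; returns a list of (sid, dst, verdict)."""
    return [(a["sid"], a["dst"], rate_alert(a, inventory)) for a in alerts]


if __name__ == "__main__":
    inv = build_inventory(OBSERVATIONS)
    for sid, dst, verdict in triage(ALERTS, inv):
        print(f"sid:{sid} -> {dst}: {verdict}")
```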
-
Re:It is already in the works - I've seen it
See RNA description for more details. A similar passive sniffer product is Tenable Security's NeVO.
These kinds of products seem a good way of finding out what software is really on your network. They can look at banners as well as p0f-style operating system versions. And hence deduce whether you have applied all the patches.
Smaller organisations with good control on software versions might find them overkill and just use arpwatch or DHCP logs instead.
I don't think they will eliminate the need for active vulnerability scanning to check for software configuration errors which don't depend on version. I'd be interested to hear other people's experiences. Or if anyone is working on tools and common database schemas for describing network topologies and inventories.
-
Some comments
I've got a few comments, and seeing as I'm Snort's author I thought people would care for once. :)
First off, I'm not just Snort's author, I'm also the founder of Sourcefire. Sourcefire was started once it became apparent that enough commercial/governmental users wanted commercial support to make it a viable business model. Raising the VC was not easy; try going into a venture capitalist's office sometime and telling them about how you want to build a product company around a core technology that's free. I talked to something like 12 different investment firms before we got the time of day from anyone. VC wasn't really looking for the next big Open Source story in 2001, they were trying to figure out what the hell happened to all their investments.
Sourcefire eventually got funded, but we did it the old-fashioned way by building the product on a shoestring and then selling it into big accounts. Once we made a few hundred kilobucks from my living room (i.e. the original Sourcefire corporate campus), we finally got some attention and (eventually) money. Let me reiterate, it was not easy.
The author of the article could have saved some money on books (and so can you) if you simply read the USAGE file and the SnortUserManual.pdf file that should be included with your Snort download. Both of those files have quickstart information that will let you get up and running with Snort in about 15-30 minutes. Snort was designed to be easy for people who are used to using Linux; keep that in mind when using it for the first time. If you're getting lots of little log files, try using the -b switch at the command line; it'll log to a single file in pcap binary format (like ethereal/tcpdump). Additionally, read the FAQ and check out the mailing lists, they're invaluable.
Finally, the security vulnerabilities that were located in Snort this past spring led us to perform an internal and two external independent paid security audits of the Snort code base, funded by Sourcefire. We're also exercising additional diligence when evaluating contributed code and looking at the code we're developing internally at Sourcefire. It should be noted, all the code that is developed for Snort at Sourcefire is released under the GPL; we're dedicated to always keeping Snort free and making it the best IDS we can.
-
Open source business model will win out in the end
Snort holds an inherent advantage over closed source IDSs, in that the IDS itself can be tailored and customized for each individual deployment to a level not possible for closed source competitors.
Very interesting point. It looks like, at least for IDS, the open source business model will always win out. How can you make an application truely customizable if you don't have source-level access? In situations where adaptability is important or even critical, such as IDS, the open source model will always win.
Maybe time to put some money into Sourcefire?
-
Snort! Sourcefire sells gigabit systems
Sourcefire is the commercial arm of snort. Marty Roesch, the original author of snort, is a founder of the company. They sell appliances that run Linux and snort. The appliances are the NS3000 sensors, which do gigabit.
-
Is ISS still relevant?
With an uncertain future, high pricing, and alternatives out there, why do people care what ISS says? Just because "X-Force" sounds cool?
-
Re:The importance of *commercial* distributions
An excellent point. Another point that commercial distros win on is support.
I'd love to run Debian on many of my servers here at work, but everyone is sketchy about it because there's no support number to call if something goes wrong or if I'm not around. I can't really tell them that support will be provided from a newsgroup or email list.
It's a valid point. An official support structure is very important and people will continue to overlook many great open-source projects (not just distros) due to no official support.
That's why I'm excited about companies like Sourcefire, which is a company the Snort creator founded. A polished commercial product based on Snort. Hopefully due to them I will have a way to support open-source AND satisfy management with someone to call/blame if there are problems.
Carl
-
Several comments
NOTE: I'm the author of Snort, so I may be opinionated on this topic...
I just got in from a busy day and what do I find but a little Snort action on ole Slashdot...
So, I've got a few comments about the comments:
Snort signatures and the quality thereof. Anyone who complains about the quality of Snort signatures is a lazy bastard; they're open source and easy to modify, so if you find that much wrong with them make the appropriate changes and mail them back to me or Brian Caswell, our own official Snort Rules Nazi. Just because we write Snort sigs doesn't mean you have to use them; the original concept behind Snort and the rules files that came with the distro was that the users could look at examples of how to write them and develop their own set for the site they were protecting. This has gotten way out of hand over the past three years and has blossomed into the approximately 1300 rules we have now. The quality isn't always the best, but we're working on it (and if you've been tracking them over the past 6 months they've gotten much better).
Performance. People from ISS talking about the superior performance of their solution is laughable; it's been shown repeatedly in third party IDS roundups that Snort performs on par with or better than almost all of the other commercially available NIDS solutions out there. In fact, I know of one large entertainment company that sank a decent chunk of money into hardware that's running Snort at OC-12 speeds on their network successfully with no packet loss at all. Moral of the story? IDS performance is tied directly to the configuration and horsepower of the sensor hardware. No big revelations there. The fact of the matter is that Snort's capabilities and performance keep increasing as we continue to develop it. We're also about to revisit some major architectural components of the system as we begin development on Snort 2.0 this month, but that's a different topic...
Love Snort but need a commercial company to back it? Check out Sourcefire, a company that I founded this year precisely to do that. We are selling network IDS appliances complete with a web-based GUI, data analysis console, and full blown configuration management system built in. We're also working on a Management Console appliance that will allow you to deploy and manage a distributed Snort NIDS infrastructure and manage all the data that comes out of the system and perform multi-sensor correlation.
Rapid response. When the shit hits the fan on the Internet, Snort is usually the leader in getting out new sigs to the user community. Case in point, the W32/Voyager MS SQL worm that recently came out, we were the first with sigs to pick it up.
So in the end, Snort gives you speed and accuracy (in that I mean you can identify specific exploits very precisely), has an active development and user community and is flexible to meet users needs. I think that this is a really good combo for most people's needs. Now that Sourcefire is out there, I think that the needs of "pro" users can be satisfied as well as those of the open source world.
On the other hand I might be biased, as I did write the thing...
;)
-Marty
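Marty's point above that Snort sigs are meant to be read as examples and then tailored per site is easier to see with a rule in hand. The following is an added illustration, written for this page; it is not Snort code and not anything posted in the thread. It implements a toy evaluator for a small subset of the Snort rule language (the header, plus the content, nocase, offset and depth options) and runs a hypothetical local rule against a constructed HTTP request payload, then shows how dropping a single modifier (nocase) changes whether the rule fires. The rule text, sid 1000001, the payload, and every function name are assumptions made up for the example; relative modifiers (distance, within), pcre, flow and the rest of the language are deliberately not handled.

```python
"""Toy evaluator for the content-matching subset of Snort's rule language.

Added illustration, not Snort's own code: it parses a rule header plus the
content, nocase, offset and depth options, then tests a constructed payload
against them to show how editing a rule changes what it catches. Relative
modifiers (distance, within), pcre, flow and everything else are left out.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# keyword, optional ":value" (a quoted value may hold anything but a quote), then ";"
OPTION_RE = re.compile(r'([A-Za-z_]+)(?::((?:"[^"]*"|[^;])*))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: List[Tuple[str, Optional[str]]]  # in rule order; bare flags carry None


def parse_rule(text: str) -> Rule:
    """Split 'action proto src sport -> dst dport (opt; opt; ...)' into a Rule."""
    head, _, body = text.strip().partition("(")
    parts = head.split()
    if len(parts) != 7 or parts[4] != "->":
        raise ValueError("unsupported rule header: %r" % head)
    options = [(kw, val or None) for kw, val in OPTION_RE.findall(body.rstrip(")"))]
    return Rule(parts[0], parts[1], parts[2], parts[3], parts[5], parts[6], options)


def decode_content(val: str) -> bytes:
    """Turn a content value such as "|47 45|T" into bytes; |..| segments are hex."""
    out = bytearray()
    for i, chunk in enumerate(val.strip().strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: bytes, nocase: bool = False,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """offset skips bytes before the search; depth bounds how many bytes are
    searched from there, and the whole pattern must fit inside that window."""
    window = payload[offset:]
    if depth is not None:
        window = window[:depth]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """Every content option must match; nocase/offset/depth modify the
    content option that precedes them, as they do in Snort."""
    checks = []
    pending = None
    for kw, val in rule.options:
        if kw == "content":
            pending = (decode_content(val), {})
            checks.append(pending)
        elif kw in ("nocase", "offset", "depth") and pending is not None:
            pending[1][kw] = True if val is None else int(val)
    return all(content_matches(payload, pat, **mods) for pat, mods in checks)


def header_matches(rule: Rule, proto: str, dport: int) -> bool:
    """Minimal header check (protocol and destination port only). 'any' and
    unresolved $VARIABLES are treated as wildcards here."""
    if rule.proto != proto:
        return False
    if rule.dport == "any" or rule.dport.startswith("$"):
        return True
    return int(rule.dport) == dport


def evaluate(rule_text: str, payload: bytes, proto: str = "tcp", dport: int = 80) -> bool:
    """True when the rule would fire on this payload delivered to proto/dport."""
    rule = parse_rule(rule_text)
    return header_matches(rule, proto, dport) and rule_matches(rule, payload)


# Constructed sample payload (not a real capture): a directory-traversal style
# request that spells the target file name in upper case.
SAMPLE_PAYLOAD = b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"

# Hypothetical local rule; sid 1000001 sits in the local (>= 1,000,000) range.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"LOCAL cmd.exe in request"; content:"GET "; depth:4; '
        'content:"cmd.exe"; nocase; sid:1000001; rev:1;)')

# The same rule with nocase dropped: one removed modifier and the payload slips past.
RULE_CASE_SENSITIVE = RULE.replace(" nocase;", "")

if __name__ == "__main__":
    for name, text in (("RULE", RULE), ("RULE_CASE_SENSITIVE", RULE_CASE_SENSITIVE)):
        print(name, "->", "alert" if evaluate(text, SAMPLE_PAYLOAD) else "no alert")
```

Running it prints an alert for RULE and none for RULE_CASE_SENSITIVE. The design point is that depth:4 anchors the "GET " match to the first four bytes of the payload (a cheap way to avoid scanning the whole packet for a method string), while nocase on the second content is what makes the rule survive the attacker's choice of case; tightening either one is exactly the kind of per-site edit the thread is talking about.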