
Commercial IDP vs Suricata or Snort?


cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Sep 21, 2011 12:21 pm

Commercial IDP vs Suricata or Snort?

Can anyone give me a compelling reason why you would want to buy a commercial IDP box like a Juniper IDP250 instead of just using Suricata or Snort in IDP mode? The Juniper products seem to have a bunch of marketing speak and outside of maybe quicker rules updates, I can't find a reason why you would buy one.

Does anyone have any practical experience with the Juniper line? Are they worth a damn?

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 12:58 pm

Re: Commercial IDP vs Suricata or Snort?

I'm 80% Juniper down in my shop but also use both Snort and Suricata equally. It all boils down to time because time = money. With Juniper and other commercial products, there are dedicated people working non-stop on the devices. This gives you some level of confidence that signatures are as up-to-date as possible whereas with Snort and Suricata, you're at the mercy of the community and yourself.

We'll start with the community. No big secret about zealotry: Suricata forked from Snort, OpenVAS forked from Nessus and the lineage goes back dozens of years. In the open source realm, there are and have been a lot of cool projects often messed up by individuals themselves. Snort and the IDP/IPS is nothing new. Marcus Ranum had the excellent NFR, Ron Gula had the excellent Dragon. There was Emerald and a bucketload of cool tools that were effective. Ask yourself: "Where are they now?" This is the problem with open source and the likes. Whereas with say a vendor, Juniper, Tipping Point, when you need something, a call or a ticket WILL get you results without the headaches of jumping on IRC or a mailing list.

Let's move on to you (not you per-se but the individual running the IDP/IPS). How good is your packet fu, reversing skills, AV detective skills and so on? Do you think you could create say 1,000 signatures per day to keep up with the threat? Because the big boys (Juniper, Tipping Point, etc.) have the visibility, you can have some form of relief that there are dozens maybe hundreds of people actively working on a collected source of data versus anything you could whip up.

So ask yourself, do you want to spend the money (time) running around on IRC, mailing lists, waiting for community volunteers to make signatures or would you rather have it done for you and save yourself the headache and money (time).

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Sep 21, 2011 1:22 pm

Re: Commercial IDP vs Suricata or Snort?

cd1zz wrote: The Juniper products seem to have a bunch of marketing speak and outside of maybe quicker rules updates

sil wrote: This gives you some level of confidence that signatures are as up-to-date as possible whereas with Snort and Suricata, you're at the mercy of the community and yourself.

I don't agree that you are guaranteed to receive quicker updates from a commercial solution; you can write your own rules with open solutions. Yeah, maybe you cannot equal the volume of rules produced by a whole team dedicated to that effort. Or for example, a solution like Tipping Point benefits from a program like ZDI in a way they can offer protection against 0-day vulns sooner. But how can you be sure those rules are effective enough? Once you learn what exactly the rule is protecting you from, you may bypass it (I've done it a couple of times), so you are at the mercy of the vendor to fix/tune up those rules, while with the open solutions you can do it by yourself.

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Wed Sep 21, 2011 1:24 pm

Re: Commercial IDP vs Suricata or Snort?

Excellent point Sil. It also helps when you want to sell a product to management. Most managers and CFO types will see the cost of say a Juniper or Tipping Point and say

"hey isn't there some free open source product we can use??"

And you, being the person who would have to manage that, could say

"well we can, but we will need to hire a person to maintain and monitor this device and we will have to pay that person 75-85K a year plus benefits. Also if the system breaks we will have to wait for someone on the interwebs to come up with a solution. Oh yeah and if the device goes down we will not have internet access since it sits between our firewall and internet modem." :D "So let's spend the 25-40K for a supported solution and if anything goes wrong we could call the 24/7 support line and open a ticket with a 4 hour or less response."

As a geek though, well yeah we want to play with the open source and figure out the inner workings and even get the direct exposure to discover a new threat not seen before. But then that is for our home labs and not for the business.
Certs: GCWN
(@)Dewser

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Sep 21, 2011 1:52 pm

Re: Commercial IDP vs Suricata or Snort?

Point taken.

@Sil, any regrets or complaints on the Juniper line? I'd love to look at TippingPoint but that's like 4x the cost, I think.

PS - I think the Suricata folks are awesome ;) and the product is pretty easy to use and modify!

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 2:32 pm

Re: Commercial IDP vs Suricata or Snort?

Nah @ complaints for Juniper. At least for me there isn't. There may be a slight learning curve, but that's a given for most technologies and applications when they're new. Suricata indeed is kick ass cool; however, there are pros and cons which would hinder me from getting a client to agree to deploy it. Imagine having a client in Asia right now and you're telling them you want to deploy Suricata. They'd shoo you out of their office. "part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR)" It's just the way it is.

Back in the daze (not a typo ;)) EMERALD (http://www.csl.sri.com/projects/emerald/project.html) was the de-facto must have. Around this time, there was also a lot of funny stuff going on where the unofficial (don't ask don't tell) policy/theory was: "man as nice as that is you DON'T WANT to run it on your network." Just saying ;) At the end of the day, I will run what my client wants me to or what I feel works best. For me cost wise, Juniper is "Set it, forget it" versus: "Set it up, apt-get build bunch_o_crap or pkg_add will_this_work && ./Bitch -n sil irc.somewhere.net to get help."

Below are some tried and true links with information for EMERALD and similar systems (C-SCIDS), etc.

http://www.ll.mit.edu/mission/communica ... darpa.html
http://citeseerx.ist.psu.edu/viewdoc/su ... .1.59.8506
http://www.sans.org/security-resources/ ... al_ids.php

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 2:38 pm

Re: Commercial IDP vs Suricata or Snort?

mambru wrote: I don't agree that you are guaranteed to receive quicker updates from a commercial solution, you can write your own rules with open solutions. Yeah, maybe you cannot equal the volume of rules produced by a whole team dedicated to that effort. Or for example, a solution like Tipping Point benefits from a program like ZDI in a way they can offer protection against 0-day vulns sooner. But how can you be sure those rules are effective enough? Once you learn what exactly the rule is protecting you from, you may bypass it (I've done it a couple of times), so you are at the mercy of the vendor to fix/tune up those rules, while with the open solutions you can do it by yourself.

Mambru, a lot of the commercial guys criss-cross through other vendors like Arbor-Networks, Shadowserver, etc., to get data from. They have entire departments to do so. I can guarantee you that unless a company like Arbor-Networks decided to do something pro-bono, the signatures on say Juniper or Tipping Point would likely eclipse those found on say BleedingEdge's alerts. You also have to remember, how many Fortune 500s or better are running Suricata versus Jun or Tipping. Collective-wise, you'd be better off with Juniper to save money and time. LEARNING WISE you'd be better off with Suricata; however, in a REAL TIME mission critical environment, you are at the mercy of the admin understanding A LOT. This includes exploits, attack sources, destinations, etc., which is a lot to rely on from one person. In a small environment sure, +50 machines I wouldn't waste my time.

mambru

Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Sep 21, 2011 4:02 pm

Re: Commercial IDP vs Suricata or Snort?

sil wrote: how many Fortune 500s or better are running Suricata versus Jun or Tipping.

http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1293248&highlight

From 2009: 80% of Fortune 100, 42% of Global 500 used Snort (can we trust these numbers?). Not a bad number for an open solution. Of course Suricata does not have a percentage like those since it's been only one year since the release of the first stable version; hopefully one day it will be there ;)

If you want to rely on a commercial service to receive rules, you have Emerging Threats Pro and VRT. Appliances? Bivio and NPulse are selling them with implementations of Suricata, just like Sourcefire does with Snort. I understand that companies most of the time would rather have a big player backing them up. I just don't think that commercial solutions are always better than free ones.

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 4:26 pm

Re: Commercial IDP vs Suricata or Snort?

mambru wrote:
how many Fortune 500s or better are running Suricata versus Jun or Tipping.

http://investor.sourcefire.com/phoenix.zhtml?c=204582&p=irol-newsArticle&ID=1293248&highlight
I just don't think that commercial solutions are always better than free ones.

1) I never trust quotes from vendors themselves. That's similar to calling Cisco and asking them: "Are you better than Juniper?"

2) I never said "better" I implied you're BETTER OFF. All technologies at the end of the day can either prevail or fail based on whomever is implementing them.

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Wed Sep 21, 2011 4:33 pm

Re: Commercial IDP vs Suricata or Snort?

As usual, some great banter! Thanks!

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Wed Sep 21, 2011 7:12 pm

Re: Commercial IDP vs Suricata or Snort?

Well, I tried to answer this from the professional perspective, not taking into consideration the "hacker" role. Suricata and Snort offer more granularity than Juniper in a different way. If you're in an environment that you're allowed to mix and match your own lab based learning/techniques into the overall security equations, there is a lot more you can do for the "hacker" factor.

For example, Juniper and others will usually give you an appliance. It is usually going to be a variant of Linux (embedded or otherwise); in the case of Juniper, expect a modified BSD. You WON'T be able to do much on the machine itself as it is going to be highly optimized by the vendor.

On a Suricata/Snort deployment, you're likely making a machine from scratch. This enables you to do whatever you want to do on that same box. One of the things I did when I was securing and deploying Asterisk PBXs was using expect, shell, Perl and others to do all sorts of cool things. Things I could never do on say Cisco Call Manager, Avaya, etc.

So what I would do would be to strip down OSSIM (now Alienvault) using OSSEC, p0f and other tools, and I would have it do some nifty automation. For example, on the PBXs I would make triggers to be detected by Snort. If a trigger occurred, I could then (on the same system) run any application I had, including the ones I would make on my own. This allowed me to do some really cool things for the hacker factor. Because in this environment (VoIP) there really isn't any kind of Toll/VoIP based IDS/IPS, I made my own (VTIPS http://www.infiltrated.net/asterisk-ips.html).

So don't get me wrong, I love open source based tools; they have their place. However, it all boils down to the environment you're in, your management, etc.
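The "Snort trigger fires, sensor runs your own tool" pattern sil describes above, as an added example that is not VTIPS or any code from the thread: a small Python script that parses Snort/Suricata fast-format alert lines, counts hits per source for a locally defined trigger sid, and emits the block command once a per-source threshold is reached. The sample alert lines, the local sids and the iptables action are constructed assumptions, and the command is returned rather than executed.

```python
import re
from collections import defaultdict

# Constructed sample alerts in Snort/Suricata "fast" alert format; sids in the
# 1000000+ local range are placeholders for rules you would write yourself.
SAMPLE_FAST_LOG = """\
09/21-12:21:00.123456  [**] [1:1000001:1] LOCAL SIP REGISTER burst from single source [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 192.0.2.10:5060
09/21-12:21:01.223456  [**] [1:1000001:1] LOCAL SIP REGISTER burst from single source [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 192.0.2.10:5060
09/21-12:21:02.323456  [**] [1:1000001:1] LOCAL SIP REGISTER burst from single source [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 192.0.2.10:5060
09/21-12:21:05.000000  [**] [1:1000001:1] LOCAL SIP REGISTER burst from single source [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.8:5060 -> 192.0.2.10:5060
09/21-12:21:06.000000  [**] [1:1000003:1] LOCAL ICMP sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10
"""

# One fast-log line: timestamp, [gid:sid:rev], message, classification, priority,
# protocol, then src -> dst with ports that are absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_fast_log(text):
    """Return one dict per parseable alert line; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            a = m.groupdict()
            a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
            alerts.append(a)
    return alerts

# Trigger table (assumed): which local sids fire an action, and how many alerts
# from one source must accumulate first, so a single stray packet never blocks anyone.
TRIGGERS = {1000001: {"action": "block_sip_source", "threshold": 3}}

def evaluate(alerts, triggers=TRIGGERS):
    """Return (action, source_ip) once per source when its threshold is reached."""
    counts, fired = defaultdict(int), []
    for a in alerts:
        rule = triggers.get(a["sid"])
        if rule is None:
            continue  # not a trigger sid: leave it for the analyst
        counts[(a["sid"], a["src"])] += 1
        if counts[(a["sid"], a["src"])] == rule["threshold"]:
            fired.append((rule["action"], a["src"]))
    return fired

def build_command(action, src):
    """Map an action to the command the sensor would run (returned, not executed here)."""
    if action == "block_sip_source":
        return ["iptables", "-I", "INPUT", "-s", src, "-p", "udp", "--dport", "5060", "-j", "DROP"]
    raise ValueError("unknown action: %s" % action)
```

On a live sensor you would tail the real fast.log, feed each line through parse_fast_log, and hand build_command's output to subprocess.run with an expiry so blocks do not accumulate forever.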

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Thu Sep 22, 2011 8:16 am

Re: Commercial IDP vs Suricata or Snort?

You gave me good ideas, sil.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
