McAfee Now Highlighting Snort Signature Integration

McAfee is aiming to bridge the Snort gap by fully integrating Snort signatures into its product in order to draw on the community's signatures.  The marketing campaign has its own dedicated site.  For years McAfee Network Security Platform (NSP), formerly IntruShield, boasted that it was above Snort and its commercial implementation, Sourcefire.  The product team refused to integrate Snort signatures and only did so at the request of their Government customers.

The logic of the IntruShield team was that signature-based intrusion detection was inferior to application-aware analysis.  This battle was not a one-sided affair: there are still sections of the Snort code that exist to handle application awareness.  I feel that both sides were wrong.  Marketing verbiage, not technical reality, is how the industry perceives detection.  It is obvious that Snort signatures can be written to detect anomalies and behavior, not just fixed byte patterns, because the rule language carries state across packets and counts events over time.  Calling Snort "signature-based" has been an injustice, done to insult and belittle it in order to sell you a different approach.
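To make that claim concrete, here is an added example (it is not from the original post and is not McAfee or Snort code): three Snort 2 rules that use flowbits and detection_filter to describe a behavior rather than a static pattern, alongside a small Python model that applies the same two mechanisms to a constructed packet sequence.  The rule text is genuine Snort 2 syntax; the Python engine is a toy that only mimics the options it needs.  The hosts, flow labels, payloads (/dl.php, MZ, QUERY) and SIDs are invented for the demonstration.

```python
"""Toy model of two stateful Snort rule options, flowbits and detection_filter.

Added example, not Snort source. The rule strings are Snort 2 syntax; the
Python engine mimics just enough to show that a "signature" can carry
cross-packet state and rate logic. Hosts, payloads and SIDs are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Equivalent Snort 2 rules, for reference only; this script does not parse them.
SNORT_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"HTTP request for /dl.php"; flow:to_server,established; content:"GET /dl.php"; flowbits:set,dl.request; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"Executable returned for /dl.php request"; flow:to_client,established; flowbits:isset,dl.request; content:"MZ"; sid:1000002; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"DNS query burst from one host"; content:"QUERY"; detection_filter:track by_src, count 3, seconds 10; sid:1000003; rev:1;)
'''


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds
    src: str         # source IP
    flow: str        # flow key; Snort uses the 5-tuple, a label suffices here
    payload: bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes                          # content:"..."
    flowbits_set: Optional[str] = None      # flowbits:set,<name>
    flowbits_isset: Optional[str] = None    # flowbits:isset,<name>
    noalert: bool = False                   # flowbits:noalert
    df_count: Optional[int] = None          # detection_filter: count c
    df_seconds: float = 0.0                 # detection_filter: seconds s


RULES = [
    Rule(1000001, "HTTP request for /dl.php", b"GET /dl.php",
         flowbits_set="dl.request", noalert=True),
    Rule(1000002, "Executable returned for /dl.php request", b"MZ",
         flowbits_isset="dl.request"),
    Rule(1000003, "DNS query burst from one host", b"QUERY",
         df_count=3, df_seconds=10.0),
]


class Engine:
    """Evaluates rules in order, keeping per-flow bits and per-source hit windows."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flowbits = defaultdict(set)    # flow key -> set of bit names
        self.hits = defaultdict(deque)      # (sid, src) -> timestamps of matches
        self.alerts: List[Tuple[int, str, float]] = []

    def process(self, pkt: Packet) -> None:
        for rule in self.rules:
            if rule.content not in pkt.payload:
                continue                                    # stateless part: content match
            bits = self.flowbits[pkt.flow]
            if rule.flowbits_isset and rule.flowbits_isset not in bits:
                continue                                    # earlier stage never seen on this flow
            if rule.flowbits_set:
                bits.add(rule.flowbits_set)
            if rule.noalert:
                continue                                    # state-only rule, never alerts
            if rule.df_count is not None:
                window = self.hits[(rule.sid, pkt.src)]
                window.append(pkt.ts)
                while window and pkt.ts - window[0] > rule.df_seconds:
                    window.popleft()                        # drop matches outside the window
                if len(window) <= rule.df_count:
                    continue                                # fires only once count is exceeded
            self.alerts.append((rule.sid, pkt.src, pkt.ts))


def run(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, str, float]]:
    eng = Engine(rules)
    for p in packets:
        eng.process(p)
    return eng.alerts


# Constructed traffic: a download request answered with a PE header on the same
# flow, a PE header on an unrelated flow, and a burst of DNS queries from one host.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "f1", b"GET /dl.php HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(0.1, "203.0.113.9", "f1", b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00"),  # stage 2 fires
    Packet(0.2, "203.0.113.9", "f2", b"HTTP/1.1 200 OK\r\n\r\nMZ\x90\x00"),  # no request on f2
    Packet(1.0, "10.0.0.7", "f3", b"QUERY a.example.test"),
    Packet(2.0, "10.0.0.7", "f4", b"QUERY b.example.test"),
    Packet(3.0, "10.0.0.7", "f5", b"QUERY c.example.test"),
    Packet(4.0, "10.0.0.7", "f6", b"QUERY d.example.test"),   # 4th within 10 s: fires
    Packet(30.0, "10.0.0.7", "f7", b"QUERY e.example.test"),  # window expired: silent
]

if __name__ == "__main__":
    for sid, src, ts in run(SAMPLE):
        print(f"[{ts:5.1f}] sid {sid} from {src}")
```

The point of the model is the two `continue` branches in the middle of `process`: the "MZ" rule only fires on a flow that previously matched the request rule, and the DNS rule only fires once a single source exceeds the count inside the window, which is how the Snort manual describes detection_filter.  Neither decision is a byte pattern, yet both are expressed entirely in rule syntax that any Snort-compatible engine can load.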

Irrelevance of Application Awareness

Why is application awareness less relevant today? Was it ever truly relevant? The answer changed with mobile devices and the use of HTTP as the common transport for nearly everything.  For defending servers, the application-aware IPS is king.  But when defending the user, only mail, HTTP and DNS really matter right now.  It is no longer application awareness that is important; it is HTTP and DNS awareness.

Once you strip off the marketing, there is little deep-dive difference between Snort and other IDS/IPS products when it comes to these protocols.  The complexity of mobile code (JavaScript/Java) is an issue for another blog post.

Ask the important question: "What makes one IDS/IPS better than another?" The answer will include its knowledge base.  For Snort, that is its preprocessors and its signatures.  The community has demonstrated little ability to write long-lasting detection preprocessors, but it has demonstrated that crowdsourcing signatures is awesome.

Processes are well developed to write, test and deploy Snort signatures.  The Government has its own, Sourcefire has the VRT, and then there is Emerging Threats Pro.  Making these paid subscriptions has added quality control and reliability.  By standardizing on the Snort format, these and other signature-writing organizations do not need to repeat each other's work.

What this Means

Wrapping this up with McAfee, the move by McAfee to incorporate the Snort signature set is needed.  McAfee has supported Snort rules before, but it did not push the feature because its performance on Snort signatures was limited.  I am guessing that it is now better.  There are also a number of features that McAfee NSP has that Snort/Sourcefire does not, and integrating the Snort signature format into NSP takes away one more reason not to buy McAfee.  In short, this is a good move, and the increased importance of Snort signatures is good for the Snort community and for Cisco.
