
RE: Snort vs Hogwash vs bait future

From: Alberto Gonzalez <albertg(at)cerebro.wwjh.net>
Date: Wed Apr 16 2003 - 23:28:18 EDT


 Hogwash actually has been out longer, folks just started hearing about it around that time.
 Bait N Switch currently uses Snort engine (with the snort patch) and the functionality _is_
 currently built into the new H2 engine. We aren't an IPS.. so as of right now we don't need our
 own engine. The main page on [1] tells you what exactly the project aims for. Here is a snippet
 directly from our site.

"Project Definition: The Bait and Switch Honeypot is a multifaceted attempt to take honeypots
out of the shadows of the network security model and to make them an active participant in
system defense. To do this, we are creating a system that reacts to hostile intrusion attempts
by redirecting all hostile traffic to a honeypot that is partially mirroring your production system.
Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real
data and your clients and/or users still safely accessing the real system. Life goes on, your data
is safe, and you are learning about the bad guy as an added benefit. The system is based on snort,
linux's iproute2, netfilter, and custom code for now. We plan on adding additional support in the
future if possible."

 We plan to add support for other OSes as well as prelude in the NEAR future... Whenever our damn
 jobs give us any free time :-(

 Cheers,
 Alberto Gonzalez

[1] - http://baitnswitch.sf.net/

---

"Success comes to the person who does today, what you are thinking of
doing tomorrow."

-----Original Message-----
From: Shaiful [mailto:shaifuljahari@yahoo.com]
Sent: Tuesday, April 15, 2003 5:43 PM
To: focus-ids@securityfocus.com
Cc: Jochen Vogel
Subject: Re: Snort vs Hogwash vs bait future

Hi,

FYI, I'm not a developer for any of the IDS/IPS products but I'm a lame user ;-). I've been following IDS/IPS technology from its infancy.

First a bit of history. Snort started as an open source project around 1999 and Hogwash started as an open source project around 2001. Bait and Switch (B&S) started this year, 2003. It looks promising since we have a new and shining IDS/IPS every two years! Each of them really has a different focus, depending on the security direction at that particular time.

But, to filter the noise, and to understand the similarities and the differences, we should go back to basics. What is the framework that really joins everything together? We could start with Staniford's excellent paper on the CIDF, a Common Intrusion Detection Framework. We could argue that an IDS is not an IPS, but really an IPS is just an IDS with prevention mode enabled. So, from the framework we can see that each of the IDS/IPS products can be divided into rather similar logical modules, namely Event, Analysis, Response and Database Engine.

It seems to me now that all these IDS/IPSes are forking in terms of the analysis engine, which could be shared among all open source IDS/IPS. Unfortunately, the direction is not really encouraging since Snort has its own Snort2 engine whereas Hogwash has its own H2 engine. I think B&S is using the snort analysis engine, maybe until they figure out how to make their own analysis engine. IMHO, the difference in the same basic analysis component is not necessary since all of them read the VERY SIMILAR snort rule file format. The rule format might not be identical, but the difference is not significant. Maybe we could follow the Mozilla direction where Netscape, Mozilla and Galeon all share the same HTML and standards-compliant rendering engine.

My two cents,

Regards,
Shaiful
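The switch that the quoted project definition describes (a Snort alert comes in, hostile traffic is redirected to a mirror honeypot with netfilter and iproute2), as an added illustration that is not Bait and Switch's own code: a small controller that parses Snort fast-alert lines and, for high-priority alerts against the production address, emits the mangle MARK rule plus the policy route that delivers that source's traffic to a honeypot holding the same address on its own segment. The addresses, interface name, routing table, mark value and sample alert lines are constructed assumptions, and the commands are only generated, not executed.

```python
import re

# Constructed values for this example; not the project's defaults.
PRODUCTION = "192.0.2.10"        # real server, reached via eth1 from the gateway
HONEYPOT_IFACE = "eth2"          # honeypot segment; the honeypot holds the SAME address
ROUTE_TABLE, FWMARK = 100, 1     # policy-routing table and mark used for switched flows
MAX_PRIORITY = 2                 # only priority-1/2 alerts trigger a switch
NEVER_SWITCH = {"198.51.100.5"}  # e.g. the scanner the admins run against production

# Snort "fast" alert line, e.g. "... [Priority: 1] {TCP} 10.0.0.7:4444 -> 192.0.2.10:80"
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?\s*$")

def parse_alert(line):
    """Return (priority, src, dst) for a Snort fast-alert line, else None."""
    m = ALERT_RE.search(line)
    return (int(m["prio"]), m["src"], m["dst"]) if m else None

def setup_commands():
    """One-time gateway setup (assumed layout): marked packets consult a table
    that routes the production address out the honeypot segment instead."""
    return [f"ip rule add fwmark {FWMARK} lookup {ROUTE_TABLE}",
            f"ip route add {PRODUCTION}/32 dev {HONEYPOT_IFACE} table {ROUTE_TABLE}"]

def switch_commands(src):
    """Per-source netfilter rule: mark this source's packets for the production
    address so the policy route above delivers them to the honeypot."""
    return [f"iptables -t mangle -A PREROUTING -s {src} -d {PRODUCTION} "
            f"-j MARK --set-mark {FWMARK}"]

class Switcher:
    """Feeds alert lines in, decides whether to switch, records the commands."""
    def __init__(self):
        self.switched = {}               # src -> number of alerts seen from it
        self.issued = setup_commands()   # every command the gateway would run

    def handle(self, line):
        parsed = parse_alert(line)
        if parsed is None:
            return False                 # not a parseable alert line
        prio, src, dst = parsed
        if prio > MAX_PRIORITY or dst != PRODUCTION or src in NEVER_SWITCH:
            return False                 # low priority, other target, or exempt host
        if src in self.switched:         # already on the honeypot: stay idempotent
            self.switched[src] += 1
            return False
        self.switched[src] = 1
        self.issued.extend(switch_commands(src))
        return True
```

Once a source is switched, every later alert from it only bumps the counter; the rules are installed exactly once per source, and production, honeypot and exempt hosts are never switched.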
Received on Wed Apr 16 20:29:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:11 EDT

