Matasano Chargen - Latest Comments in Pro-Forma ‘06 Punditry Results

Re: Pro-Forma ‘06 Punditry Results

W.L> — Thu, 13 Mar 2008 03:17:44 -0000

What is APE? I only know OSSIM....

Re: Pro-Forma ‘06 Punditry Results

Hikaru — Wed, 14 Mar 2007 16:37:40 -0000

We're using OSSIM in out company. I think it's a good replacement of commercial SIMs, although it hasn't got so much report funcionality.

you can take a look at http://www.ossim.net to check it.

Hkr.

Re: Pro-Forma ‘06 Punditry Results

Dominique Karg — Sun, 21 Jan 2007 16:41:51 -0000

An interesting thread,

I'm sure we're lacking marketing but at least I'd like to know why:

#4 OSSIM

is not an option, after almost five years of development.

You get:
- Correlation engine.
- Simple correlation engine language (xml).
- Lightweight plugins.
- Cross correlation (Snort-Nessus)
- Various anomaly detection engines (OS, Mac, Services, IP/TCP/UDP/...)
- Website provides more information.

I'd be glad to provide more information, samples and documents in case I get the opportunity.

Dominique

Re: Pro-Forma ‘06 Punditry Results

Thomas Ptacek — Wed, 03 Jan 2007 17:34:53 -0000

I think we need to get a spreadsheet of the vulnerabilities and work them out by application and impact. I'm also probably giving the research community credit for things that turn out not to be reliably exploitable on XPSP2. I also get the sense that this has been a rough year for browsers in general and IE in particular.

Re: Pro-Forma ‘06 Punditry Results

PaulM — Wed, 03 Jan 2007 17:16:36 -0000

Tom-
On #1 - why didn't the # of M$ vulnerabilities drop? Is it too early (i.e. you'll repeat this prediction for 2007 and declare you were just ahead of the curve) or are their investments in SDL and security audit not working?

Re: Pro-Forma ‘06 Punditry Results

Bamm — Wed, 03 Jan 2007 15:39:24 -0000

From the orignal 2006 Prediction post:

"Expect a mainstream open-source
combination of Argus and Sguil to own the security management
conversation next year."

Sorry to let you down. I'd take half the blame except adding Argus to Sguil doesn't a SIM make (http://infosecpotpourri.blogspot.com/2006/01/sg...).

Also, Sguil has used SANCP (or a similar app) to provide flow/connection/session data since its inception. I've done a bit of research and haven't been able to find a compelling reason to create some type of hook between Sguil and Argus (yet).

OSSEC (http://www.ossec.net) is starting to get more exposure though and as much as I despise the term SIM, it is starting to fill that void (even if it is labeled as a HIDS). Here is a list of log types it supports: http://www.ossec.net/wiki/index.php/Supported-Logs.

Re: Pro-Forma ‘06 Punditry Results

toby — Wed, 03 Jan 2007 15:32:57 -0000

On #4, I'd agree with Anton partially (though I think log format support is less of an issue) but also point out that really what most companies are buying are the rules that are used by the SIM and the integration with ticketing systems, oh and the GUI. There are a couple good open source correlation engines out there (APE & OSSIM just off the top of my head) but having the other pieces is just a huge pain in the ass.
I can't tell you how many really cool ideas I had pitched by VCs for a SIM based on a really neat technical approach. None of them figured in the issue of integrating with all the ticketing systems or building a good GUI with functional workflow (see BASE & SGUIL vs. ACID in terms of workflow clarity), etc...
I don't expect to ever see a complete open source SIM. The correlation engines have existed for a couple years though.

Re: Pro-Forma ‘06 Punditry Results

Daniel Cid — Wed, 03 Jan 2007 15:03:47 -0000

As far as #4 goes, I think we have something very close to a "credible" open source sim. OSSEC is being used more and more as a commercial SIM replacement and we currently support multiple log formats:

http://www.ossec.net/wiki/index.php/Supported-Logs

Most people think of it as an HIDS only, but its log analysis and correlation options are side by side with most commercial solutions (and even better most of the times).

Link to it: http://www.ossec.net

Thanks,

Daniel Cid

Re: Pro-Forma ‘06 Punditry Results

Anton Chuvakin — Wed, 03 Jan 2007 14:12:51 -0000

Sorry, I have to snicker at the miserable failure of #4 prediction :-) Just as I predicted.

"What’s taking you guys so long?"

Same as what I mentioned in our discussion thread: ongoing maintainance and log source support.

Re: Pro-Forma ‘06 Punditry Results

dre — Wed, 03 Jan 2007 13:17:27 -0000

MARS sold almost "too well" this past year. I expect a backlash against Cisco for MARS, CSA/CCA, and NAC in 2007. Especially when companies start to renew their SMARTNet contracts and realize the utter lack of value any of those products provided.

NAC was countered with http://kevin.sf.net

CSA was countered by Slipfest at CanSecWest

MARS detected one script kiddie running land.c until they graduated from idiot university and ran snot/sneeze/etc

combine the usefulness of Cisco IPS and it appears we have a winner for "most silicon snake-oil in 2006".