Compiling Snort Rules
Sergei Egorov writes "Good people at Fidelis Security Systems developed SNORTRAN, an optimizing compiler for Snort rules. By combining several compilation techniques, SNORTRAN is able to translate a set of Snort rules into a high-performance intrusion detection engine. SNORTRAN-generated engines are 4 to 6 times faster than Snort's own detection engine; this translates into an overall speedup factor of 3 to 5 for a complete Snort system (benchmarks are here)."
Re:Snort ? (Score:3, Insightful)
The rules are the signatures Snort uses to detect "attacks" or other activities that match a given rule.
RealSecure 7.0 already does this (Score:3, Interesting)
However, as explained in this white paper [iss.net] you might not even want to try to run Snort rules in RealSecure, because in many cases its own signatures are much more accurate. That's because RealSecure actually does protocol analysis, while Snort just matches patterns. See the paper for details.
Full disclosure: I used to work at ISS [iss.net] and still own a bunch of stock in it. However I wouldn't post this for any of their products (some of them suck). RealSecure is one of their good ones.
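The two comments above draw a line between a rule as a signature (a byte pattern matched anywhere in a packet) and protocol analysis (decoding the protocol first, then checking the relevant field). The following toy is an added illustration of that difference and is not Snort's, SNORTRAN's or RealSecure's code; the rule syntax is a small subset of Snort's `msg`/`content`/`nocase` options, the rules and the two HTTP payloads are constructed for the example, and the HTTP "parser" only reads the request line.

```python
"""Signature matching vs. a protocol-aware check, illustrated on two toy Snort-style rules.

Added example: not code from Snort, SNORTRAN or RealSecure. Rules and packets are constructed.
"""
import re

# Constructed rules using only the msg/content/nocase options of Snort's rule language.
RULES = [
    'alert tcp any any -> any 80 (msg:"WEB passwd access"; content:"/etc/passwd"; nocase;)',
    'alert tcp any any -> any 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase;)',
]

# Matches one option at a time: `name;` or `name:"value";`
OPTION_RE = re.compile(r'(\w+)(?::\s*"?([^";]*)"?)?;')


def parse_rule(rule: str) -> dict:
    """Extract msg, content and the nocase flag from the option block in parentheses."""
    _header, _, body = rule.partition("(")
    opts = dict(OPTION_RE.findall(body.rstrip(")")))
    return {"msg": opts["msg"], "content": opts["content"], "nocase": "nocase" in opts}


def signature_match(rule: dict, data: bytes) -> bool:
    """Pure pattern matching: the content string anywhere in the bytes is a hit."""
    hay, needle = data, rule["content"].encode()
    if rule["nocase"]:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def http_request_uri(payload: bytes):
    """Minimal protocol decode: return the request-target if the payload starts like an HTTP request."""
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def protocol_match(rule: dict, payload: bytes) -> bool:
    """Protocol-aware check: only the decoded URI is tested, not the whole packet."""
    uri = http_request_uri(payload)
    return uri is not None and signature_match(rule, uri)


def scan(payload: bytes) -> dict:
    """Run every rule both ways and report which msg strings fired under each approach."""
    rules = [parse_rule(r) for r in RULES]
    return {
        "signature": [r["msg"] for r in rules if signature_match(r, payload)],
        "protocol": [r["msg"] for r in rules if protocol_match(r, payload)],
    }


# Constructed packets: a traversal attempt in the URI, and a harmless wiki edit
# whose body merely mentions the file name.
ATTACK = b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0\r\nHost: example.test\r\n\r\n"
BENIGN = (
    b"POST /wiki/edit HTTP/1.1\r\nHost: example.test\r\nContent-Length: 38\r\n\r\n"
    b"text=see man 5 passwd and /etc/passwd"
)

if __name__ == "__main__":
    for name, pkt in (("ATTACK", ATTACK), ("BENIGN", BENIGN)):
        print(name, scan(pkt))
```

Both approaches flag the traversal request, but only the signature pass also fires on the benign wiki edit, because the pattern occurs in the POST body rather than in the request-target. That is the kind of false positive the RealSecure comment has in mind; real engines are far more involved than this, and the point is only the shape of the distinction.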
Re:RealSecure 7.0 already does this (Score:2)
Attention anonymous coward:
Apples and oranges! RealSecure 6.5 and 7.0 are two completely different beasts. Add to that the peculiarities of the Nokia platform and you're off in bananas now.
RealSecure 7.0 is the first version to integrate the "BlackIce" technology ISS obtained when it bought Network ICE last year. RealSecure 6.5 on Nokia has none of that.
Heh heh (Score:5, Funny)
Huh huh.
prelude portsentry (Score:1)
My understanding is that snort is only good at single networks; anything more than that you will want prelude. Any truth to this? ***this was on a prelude irc channel*** What's the real deal slashdot-istas?
Snort rule #2 (Score:1)
If you have to sneeze, hold your damn nose, and look the other way.
---
Excuse me while I powder my nose.