I spent 2h visiting the local seminar "The Future of IDS" (http://www.sourcefire.com/aboutus/seminars.html).
Spoke with Marty, but frankly didn't find anything you should write home about.
The short of it is just a traffic capturing/monitoring system, allowing you to define a very flexible set of rules (it comes with 2K+ default rules) and to log certain traffic. Anything that looks suspicious can be logged. The system can examine the TCP/IP headers, and there are tons of protocol disassemblers, so you can look inside every protocol. Some sample logging rules are: log all packets with IP Sequence ID=XXX, or log all packets for an IP that tries an FTP login with account != anonymous. Also you can tag some IPs or connections for some period (like 20 sec) and monitor them more closely with a different set of rules. Default rules can be updated online, so a few hours after some attack is started over the inet (and it's probably already over) you can download a rule for snort that can show you that this attack is present on your network -- very useful. As far as I understand there is no way to detect a brand new attack, unless the attacker is stupid enough to send some malformed TCP/IP packet (with wrong CRC or serial number). The bottom line is that you can see indication only for already known attacks. Also there is no real interface to filter the bad guys based on some events (you have to add your own interface to your router/firewall).
Most of the time Marty was talking about the product line of hardware they are selling (basically normal 1/2U boxes with snort, mysql, apache and some web-based interface installed). Nothing interesting -- just that the appliance has a fast enough processor to run the packet inspection, analysis and rule matching at wire speed (which is not a very easy task for the 1G version; imagine applying 2K rules with regexes, etc. over a 125Mb/sec data stream).
The most interesting part of the seminar was some advanced network scanning feature they are planning, which will allow you to scan your LAN regularly (like running nmap -v my_lan -sS -O) and adjust the rules in snort depending on the services found running (for example it will monitor the FTP traffic to host XXX only if there is an FTP service there). Also all traffic to ports that are not open will be tagged.
The other interesting thing was detection of anomalous behavior. For example if your uplink is usually loaded at 300Kb/sec and for some time it becomes loaded at 70Mb/sec (which happens very often in al.nc and nobody knows why), or when your SQL server starts sending traffic directly to the inet, to trigger some event.
Competitors/Links:
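The sample rules the post describes (log packets with a given IP ID, log non-anonymous FTP logins, tag a connection or host for 20 seconds), written out in Snort rule syntax as an added example. These rules are constructed here and are not from the seminar, the post, or Sourcefire's ruleset; the IP ID value 12345 and the SIDs are placeholders, and $HOME_NET is assumed to be set in snort.conf.

```snort
# Constructed local rules (not from the seminar or the Snort ruleset).
# $HOME_NET is the usual snort.conf variable for the protected address range.

# 1. Log every packet whose IP identification field equals a chosen value
#    (12345 stands in for the "XXX" in the post).
log ip any any -> $HOME_NET any (msg:"IP ID match"; id:12345; sid:1000001; rev:1;)

# 2. Alert on an FTP USER command whose payload does not contain "anonymous",
#    then tag the session so every packet of that connection is logged for
#    the next 20 seconds. flow: needs the stream preprocessor enabled.
alert tcp any any -> $HOME_NET 21 (msg:"FTP non-anonymous login attempt"; \
    flow:to_server,established; content:"USER "; nocase; \
    content:!"anonymous"; nocase; \
    tag:session,20,seconds; sid:1000002; rev:1;)

# 3. Same trigger, but tag the source host instead of the session: every
#    packet from that source, to any destination, is logged for 20 seconds.
alert tcp any any -> $HOME_NET 21 (msg:"FTP login, tagging source host"; \
    flow:to_server,established; content:"USER "; nocase; \
    tag:host,20,seconds,src; sid:1000003; rev:1;)
```

Rule 2 only inspects the USER command; a login of "USER Anonymous" still passes because of nocase, while the malformed-packet cases the post mentions are handled by Snort's decoder and preprocessors rather than by rules like these.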