List: snort-sigs
Subject: Re: [Snort-sigs] question :: interest in testing SENF preprocessor for Snort?
From: "Beasley, Cam" <cam () utexas ! edu>
Date: 2013-07-26 3:46:56
Message-ID: 644096D5-8AAD-4E77-A7D3-92206B51C097 () utexas ! edu
hi Joel --
we've found it works 1000% better.. it doesn't crush you with false positives and doesn't waylay your sensor if your flows are 10-20Gbps.
we've deployed this across a state-wide network serving over 800,000 endpoints we monitor. the major egress points average 15Gbps and burst upwards of 40Gbps.. the false positive rate for SF's solution is in the 100K/day range for us.. our preprocessor is in the couple dozen range/day and it is extremely accurate. we've been using this since 2007 to serve higher education institutions, hospitals, municipalities, etc.
we believe it is proven and ready for others to test drive.
~cam.
On Jul 25, 2013, at 2:24 PM, Joel Esler <jesler@sourcefire.com> wrote:
> How is this different than the Sensitive Data preprocessor that is already
> built into Snort?
>
>
> On Thu, Jul 25, 2013 at 2:44 PM, Beasley, Cam <cam@utexas.edu> wrote:
>
> >
> > all --
> >
> > we've developed what we think to be a very efficient and effective Snort
> > preprocessor for identifying SSNs, CCNs, MRNs (Medical Record Numbers), and
> > other personally identifiable strings of data and we are wondering if there
> > are any others who might be interested in testing this out with us.
> >
> > we've been running this on Sourcefire appliances serving networks that
> > steadily operate at 20+Gbps since 2007 with great results.. we've managed
> > to keep the false positive rate extremely low and the preprocessor adds
> > minimal load to the sensors -- plus it outperforms the existing snort dlp
> > preprocessor by a good deal.
> >
> > we're looking for a few testers who we would extend a customer license to
> > at no cost. we'll help you get the preprocessor set up and we'd simply ask
> > that you tell us how it performs for you.
> > we'd like to get at least two open source snort users and one Sourcefire
> > user.
> >
> > feel free to contact me offline if you have questions or would like to
> > participate.
> >
> > thanks,
> >
> > ~cam.
> >
> >
> >
> > Cam Beasley
> > Chief Information Security Officer
> > Information Security Office | UT Austin
> > cam@utexas.edu | 512.475.9476
> > http://security.utexas.edu
> > ===============================
> >
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
> >
>
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
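The thread's point of comparison is the false-positive rate of sensitive-data detection at high flow rates. The following is an added example, written for this archive page; it is not code from the thread, from SENF, or from Snort's own sensitive_data preprocessor. It shows why a naive "looks like an SSN / card number" pattern generates noise and how two cheap structural checks (the Luhn mod-10 test for card numbers, and the Social Security Administration's never-issued ranges for SSNs: area 000, 666 and 900-999, group 00, serial 0000) discard most of it. The payload lines are constructed for the example; the regexes and the `scan`/`summarize` helpers are this example's own, not anything from the products discussed.

```python
import re

# Loose patterns of the kind a naive DLP rule uses: anything shaped like an
# SSN, or a 13-16 digit run that could be a payment card number, separators allowed.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
CCN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never assigns: area 000, 666, 900-999; group 00; serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def scan(line: str) -> dict:
    """Return the naive hit count and the hits that survive structural validation."""
    naive_ssn = SSN_RE.findall(line)          # list of (area, group, serial) tuples
    naive_ccn = CCN_RE.findall(line)          # list of raw digit runs with separators
    valid_ssn = [f"{a}-{g}-{s}" for a, g, s in naive_ssn if ssn_ok(a, g, s)]
    valid_ccn = []
    for m in naive_ccn:
        digits = re.sub(r"[ -]", "", m)
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            valid_ccn.append(digits)
    return {"naive": len(naive_ssn) + len(naive_ccn), "ssn": valid_ssn, "ccn": valid_ccn}


# Constructed sample payload lines (not real traffic); comments give the expected verdict.
SAMPLE_PAYLOAD = [
    "GET /export?id=4111111111111111 HTTP/1.1",   # Luhn-valid test card number -> real hit
    "X-Trace: 1234567890123456",                  # 16 digits but fails Luhn -> dropped
    "patient ssn=123-45-6789 mrn=MR0042",         # structurally valid SSN -> real hit
    "ticket 000-12-3456 opened",                  # area 000 never issued -> dropped
    "ref 666-55-1234",                            # area 666 never issued -> dropped
    "session=987-65-4320",                        # area 900-999 never issued -> dropped
    "order 475-94-7612 pending",                  # valid shape; only context could clear it
]


def summarize(lines) -> dict:
    """Aggregate naive versus validated hits over a batch of payload lines."""
    naive, ssn, ccn = 0, [], []
    for line in lines:
        r = scan(line)
        naive += r["naive"]
        ssn += r["ssn"]
        ccn += r["ccn"]
    return {"naive_hits": naive, "validated_ssn": ssn, "validated_ccn": ccn}


if __name__ == "__main__":
    result = summarize(SAMPLE_PAYLOAD)
    print(f"naive hits: {result['naive_hits']}")
    print(f"validated SSNs: {result['validated_ssn']}")
    print(f"validated card numbers: {result['validated_ccn']}")
```

On the constructed batch the naive patterns fire seven times and validation keeps three. The last line shows the limit of structural checks alone: a nine-digit order reference with a plausible area number passes, so a production detector still needs a context layer (nearby keywords such as "ssn", repeated hits per flow, sender and destination) before an alert is worth an analyst's time. That layering, not the regex, is where the difference between a hundred thousand alerts a day and a couple dozen comes from.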