
List:       snort-sigs
Subject:    Re: [Snort-sigs] question :: interest in testing SENF preprocessor for Snort?
From:       "Beasley, Cam" <cam () utexas ! edu>
Date:       2013-07-26 3:46:56
Message-ID: 644096D5-8AAD-4E77-A7D3-92206B51C097 () utexas ! edu

hi Joel --

we've found it works 1000% better.. it doesn't crush you with false positives
and doesn't waylay your sensor if your flows are 10-20Gbps.

we've deployed this across a state-wide network serving over 800,000 endpoints
we monitor.  the major egress points average 15Gbps and burst upwards of
40Gbps.. the false positive rate for SF's solution is in the 100K/day range for
us..  our preprocessor is in the couple dozen range/day and it is extremely
accurate. we've been using this since 2007 to serve higher education
institutions, hospitals, municipalities, etc.

we believe it is proven and ready for others to test drive.

~cam.

On Jul 25, 2013, at 2:24 PM, Joel Esler <jesler@sourcefire.com> wrote:

> How is this different than the Sensitive Data preprocessor that is already
> built into Snort?
> 
> 
> On Thu, Jul 25, 2013 at 2:44 PM, Beasley, Cam <cam@utexas.edu> wrote:
> 
> > 
> > all --
> > 
> > we've developed what we think to be a very efficient and effective Snort
> > preprocessor for identifying SSNs, CCNs, MRNs (Medical Record Numbers), and
> > other personally identifiable strings of data and we are wondering if there
> > are any others who might be interested in testing this out with us.
> > 
> > we've been running this on Sourcefire appliances serving networks that
> > steadily operate at 20+Gbps since 2007 with great results..  we've managed
> > to keep the false positive rate extremely low and the preprocessor adds
> > minimal load to the sensors -- plus it outperforms the existing snort dlp
> > preprocessor by a good deal.
> > 
> > we're looking for a few testers who we would extend a customer license to
> > at no cost.  we'll help you get the preprocessor set up and we'd simply ask
> > that you tell us how it performs for you.
> > we'd like to get at least two open source snort users and one Sourcefire
> > user.
> > 
> > feel free to contact me offline if you have questions or would like to
> > participate.
> > 
> > thanks,
> > 
> > ~cam.
> > 
> > 
> > 
> > Cam Beasley
> > Chief Information Security Officer
> > Information Security Office | UT Austin
> > cam@utexas.edu | 512.475.9476
> > http://security.utexas.edu
> > ===============================
> > 
> > 
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> > 
> > 
> > Please visit http://blog.snort.org for the latest news about Snort!
> > 
> 
> 
> 
> -- 
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire

