Join 3,497 readers in helping fund MetaFilter (Hide)


A subscription service for professional grade protocol signatures?
December 13, 2011 10:49 AM   Subscribe

A subscription service for professional grade protocol signatures?

I need an initial dump followed by an ongoing stream of current protocol signatures. They need to be extremely high quality, way beyond anything that ethereal et al. use.

I don't particularly need heuristics or decoders, but I wouldn't say no.

What I emphatically *don't* need is a code module that does the recognition for me.

Is anyone aware of a company out there selling this service? It seems like a golden startup opportunity.
posted by Tell Me No Lies to Computers & Internet (6 answers total)
 
protocol signatures as in what ? Wire-level ? Packets ? Where in the OSI ?

(And it's wireshark, not ethereal, has been for at least 4 or 5 years, and it does know a lot of protocols, more than I thought it would. Heck, it knew DIS packets).
posted by k5.user at 11:49 AM on December 13, 2011


And it's wireshark, not ethereal,

Be glad I didn't say tcpdump. I have trouble keeping up with these new-fangled graphical tools.

Ideally I'm looking for layer 2 and up, but layer 3 will do fine.

Wireshark nee Ethereal nee tcpdump has a fine collection of signatures, but it doesn't have a pedigree I can hang a $100 million dollar deal on.
posted by Tell Me No Lies at 12:33 PM on December 13, 2011


What do you mean by signature as separate from recognizer?

I work for an equipment vendor in the security space. For a small deal like that you will likely not find a good cost effective solution that is materially better than those that can be extracted from wireshark. That is usually done as an up front fee and fraction of revenue and the latter they will evaluate.
posted by rr at 1:11 PM on December 13, 2011


>What do you mean by signature as separate from recognizer?

Signature: simple byte pattern that can be used to identify a packet flow
Heuristic: set of conditions (signatures, packet sizes, inter-packet timing) that can be used to identify a flow

Basically these are what you feed into a recognizer so it can do its work.

It just strikes me that every company that is doing DPI needs signatures and heuristics, and they *have* to updated a lot more frequently than code modules. As far as I've been able to find so far, all of those companies have their own research teams doing the work.

A company that just created signatures and heuristics and was able to release monthly updates would likely find a large number of customers. Including me. :-)
posted by Tell Me No Lies at 1:39 PM on December 13, 2011


I'm a software engineer for a vendor of IPS/IDS equipment. I work on the user interface, not the stuff you're interested in, but I definitely know our product does flow tracking and protocol examination and validation. Not only are those features and their delivery system a large part of our secret sauce in terms of what differentiates us from competitors, but if we sold those separately then we wouldn't sell as much hardware, which means we can't sell as many (high-margin) support and maintenance contracts.
posted by xbonesgt at 4:33 PM on December 13, 2011


xbonesgt: My company overlaps with yours in this area. I would not expect your company to be a vendor for this but rather a customer. As far as signatures go the secret sauce is only about 20%; It makes sense to outsource the rather mundane 80% that is basically just table stakes.

However, the results of my search here and elsewhere have been resolutely negative. I guess this will have to be my next startup. :-)
posted by Tell Me No Lies at 10:50 AM on December 22, 2011


« Older I've got the DVD of Hedwig and...   |  How do I spot and account for ... Newer »
This thread is closed to new comments.