IDappcom Rules, PCAPS, Traffic Files & Library
IDappcom PCAPs (Packet CAPture)
Our PCAP file contains the stream of data packets that computers send to each other on a network to communicate. Idappcom can provide unencrypted PCAPs that contain examples of malicious actors exploiting vulnerabilities which can be used to trigger our security rules, as well as ordinary benign traffic for configuration testing purposes.
IDappcom Traffic Files
Idappcom provide our PCAP files in a proprietary encrypted file format, KAR, which prevents overzealous virus scanners from inspecting and deleting them. These files are replayed using our TrafficIQ software, which can be used to determine the threat response of your corporate IDS and IPS (Intrusion Detection/Prevention Systems) as well as the routing configuration of your other networking infrastructure.
IDappcom Security Rules
Most of Idappcom's PCAPs have one or more associated SNORT signatures. These 'security rules' are written in the standard SNORT syntax, and are used to detect the exact vulnerability contained in the traffic file. Our rules can be provided as a text file, or in an MS Access database, and can be loaded straight into Snort-compatible IDS and IPS systems as is, requiring minimal additional configuration.
The complete Idappcom Library contains our full complement of PCAP/KAR files and SNORT security rules, and includes additional metadata describing each vulnerability (i.e. filename, threat name, description, publish date, CVSS scores, severity rating, attack type, category, impact, protocol, and other external references). It can be made available as an MS Access database, or via a JSON API.
Why IDappcom Rules?
Our Rules are based on real live exploits, Expert Research, Intelligence, and Years of Experience
Accurate and appropriate Updates
Idappcom rules are researched by a dedicated team who prove the exploit exists, works and is in the wild; the rules are then published to select vendors to include in their device updates. We can assure you that not all rules are published by the vendors, mainly due to performance constraints, and not all vendors use our rules of course. So, to have complete peace of mind you need Idappcom rules management and our pen testing tools to reduce your risks.
The issue is defining and understanding the difference between actual exploits and malware versus blacklists. When you get that, you can start to see the effectiveness of the rules against the usefulness of the blacklists. You need both, but you need to manage them both and not get into a numbers game.
Our unmatched library of current and historical exploit information (over 21,000 actual proven exploits) is constantly updated with new PCAPs. It is this testing experience, used by all the top IPS/NGFW vendors, that gives us a complete platform for building our comprehensive detection and prevention rules. It is our IQ that provides the basis for the rules, and the feedback from the top vendors that helps us to hone those rules to perfection.
In addition to offering the most complete exploit detection and prevention coverage, Idappcom includes protection against not just the exploitable vulnerabilities (as opposed to vulnerabilities that have no exploit!), but also the many variants and morphing of those exploits, making it a full-featured rule set. We do not try to guess what an exploit might look like for a vulnerability that really has no exploit. Just look at the informative CVE database and analyse how many CVEs have an exploit: not many.
Idappcom Rulesets work on SNORT®, and many other IDS platforms. With Idappcom you get truly thorough and comprehensive coverage trusted by the top IPS/NGFW vendors in the world.
When comparing the Idappcom Snort ruleset with other prevention and detection options, you'll want to consider questions like:
How long is the effective life of the malware? Does today's malware morph into something else the next day?
How complete is the other security intelligence? Is it volume for volume's sake?
Does the ruleset protect mainly against malware to get 'impressive' numbers, or does it also cover the actual working exploits that are real security concerns?
Can the ruleset run on Snort and on any IDS platform based on these engines?
Does your ruleset detect 100% of the real exploits, or only 30% of them?
How do you know the ruleset really is detecting an exploit? Does your supplier give you the choice of an industry-leading pen testing tool and the actual PCAPs to test, tune and refine with?
Does your supplier give you a management tool to import rules from multiple sources, edit, copy, create, select according to your criteria, validate, and filter rules with duplicated functionality?
Does your supplier give you the tool to manage deployment for rules over multiple sensors?
When it comes to questions like these, the Idappcom ruleset and Easy Rules Manager are the clear choice. When testing Snort with actual PCAPs from real live exploits, the Idappcom ruleset increases the detection rate, over other popular rules, by 61%.