Published on March 22nd, 2011 | by NJ Ouchn0
Razorback v0.1.5 released
Razorback is an Open-Source Framework for an intelligence driven security solution.” Okay, okay, what does that mean?
Razorback is a system that detects and decodes, well, just about anything you need it to. Following that, it has the ability to then block and alert on that activity. So, for example:
- Bad PDFs? Decoded, Blocked?
- Bad Word Documents? Powerpoint Documents? Decoded, Blocked?
This framework is aimed primarily at these Client based attacks, and, dare I use it? Advanced Persistent Threat (APT). It was born out of necessity and a discussion with the VRT during a panel they participated in last year about detection. The community asked for something to be able to perform a function like this, and well, here it is. Better. There is nothing to combat these threats, so Sourcefire created one.
The new Razorback platform developed by Sourcefire is basically a tool for tying together the various layers of detection within an organization, including antivirus, IDS/IPS, Web and email gateways, and firewalls, to use in concert to catch and examine potential threats and create mitigations on the fly. Its creators say it’s not the same thing as a security information management tool, however, because it does more than capture events: “SIM collects events in a vacuum: It takes an AV event and says this host is infected by a virus … It doesn’t know anything about that piece of malware on the box,” says Matt Watchinski, senior director of Sourcefire’s vulnerability research team.