Bugtraq mailing list archives

Re: [Snort-devel] Re: Re: Snort exploits


From: Fyodor <fygrave () tigerteam net>
Date: Thu, 18 Apr 2002 15:10:18 +0700

0xcafebabe () hushmail com <0xcafebabe () hushmail com> spoke:

> On Wed, 17 Apr 2002 04:07:31 +0000, Dragos Ruiu <dr () kyx net> wrote:
>
> > Basically all the chaffing at the IP and TCP level is detectable as those
> > should not be normal conditions. Look to snort cvs over the next few days
> > for solutions to these issues...
>
> That's good to know. But why has it taken 3 months to fix? I wonder what I've been missing during those 3 months. :(

You still are missing the stuff. A network-based IDS concept is by
design not capable of capturing 100% of all potential threats. The
place of NIDS should be made clear in your network security defence
scheme: it will alert you in most of the cases if kiddies poke around
your network, but may not even notice someone who is seriously trying to
get in unnoticed. At the end of the day the burglar alarms keep away
only amateurs.
There are heaps of things which a dedicated intruder could play with:
application specific bugs, encrypted channels (ssl, ssh, vpn, ..),
various tcp/ip stack specific issues (tcp stack overlaps which are
handled differently by each TCP/IP stack, frags, transmission timeouts,
corrupted datagrams, ttl games); you never know how broken a TCP/IP
stack or an application is. Even a perfect NIDS would not be able to
handle all these things in real time according to each of the protected
systems' specifics. If you were not aware of that, it's time to stop
whining and do some research before complaining. Traffic normalizers,
ssl accelerators and other kinds of similar stuff are what you may be
looking into for help.
After all, an IDS would just tell you that they 0wn you, but they still
0wn you, if they can!

Hope it makes things a bit more clear.

-FY
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
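An added illustration of the "tcp stack overlaps which are handled differently by each TCP/IP stack" point in the message above (example code written for this archive page; it is not from the thread, from Snort, or from any of the posters). It reassembles one constructed set of overlapping TCP segments under two host policies, shows that the resulting streams differ, and reports the conflicting overlap itself, which is the "not a normal condition" a normalizer or NIDS can flag rather than guess about.

```python
# Constructed sample: (relative sequence offset, payload bytes).
# The third segment re-covers offsets 4..11 with different bytes.
SEGMENTS = [
    (0, b"GET /ind"),
    (8, b"ex.html "),
    (4, b"XXXXXXXX"),        # conflicting overlap with the two above
    (16, b"HTTP/1.0\r\n"),
]


def reassemble(segments, policy):
    """Rebuild the byte stream the receiving host would see.

    policy == "first": keep the first byte seen at each offset (BSD-like).
    policy == "last":  let later segments overwrite earlier ones.
    Returns (stream, offsets_with_conflicting_overlap).
    Holes in the stream are zero-filled; this toy ignores window/ack state.
    """
    stream = {}
    conflicts = set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if off in stream:
                if stream[off] != byte:
                    conflicts.add(off)      # a retransmit of identical
                if policy == "first":       # bytes is not a conflict
                    continue
            stream[off] = byte
    if not stream:
        return b"", []
    out = bytes(stream.get(i, 0) for i in range(max(stream) + 1))
    return out, sorted(conflicts)


def policies_disagree(segments):
    """True when the host's reassembly policy changes what it receives,
    i.e. when a NIDS that does not know the policy cannot know the
    real payload. The defensive fix is to normalize or alert on the
    conflict instead of picking a policy and hoping."""
    first, _ = reassemble(segments, "first")
    last, _ = reassemble(segments, "last")
    return first != last


if __name__ == "__main__":
    for pol in ("first", "last"):
        data, bad = reassemble(SEGMENTS, pol)
        print(pol, data, "conflicting offsets:", bad)
    print("ambiguous:", policies_disagree(SEGMENTS))
```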

