IDS mailing list archives
RE: Protocol Anomaly Detection IDS
From: "Sonit Jain" <sonit () gajshield com>
Date: Wed, 12 Feb 2003 15:40:36 +0530
Hi,

Has anyone actually got Snort to detect protocol misuse for HTTP, FTP or SMTP, i.e. ensuring that packets to these protocols adhere to the RFCs? I tried to find rule sets to detect protocol misuse, but was not able to do so. Any pointers will definitely help.

Thanks,
Sonit Jain

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Wednesday, February 12, 2003 1:47 AM
To: focus-ids () securityfocus com
Cc: slyph () alum mit edu; Martin Roesch
Subject: Re: Protocol Anomaly Detection IDS

On Mon, 2003-02-10 at 20:04, Martin Roesch wrote:
Just as an FYI, Snort can do protocol anomaly detection, through its rules-based engine, its decoder and in its preprocessors. Protocol anomalies mean different things to different people, of course, so it depends on what you're really looking for. People commonly think of Snort as a "signature based" IDS only; it's actually capable of a lot more than that...
In addition, besides signatures and protocol anomaly, Snort can also be used as a behavioral IDS. I have a habit of stressing the fact that after a Snort install/setup in your network, one should strive to craft additional Snort rules that define abnormal traffic, such as a web server establishing connections to the outside, etc. Snort is very capable of detecting abnormal traffic that way, and through its detailed logging can give you clues to what's going on.

Case in point: Just the other day, an engineer of a network vendor set up a laptop on the perimeter of a company to do some maintenance, and left the laptop hooked up overnight. Unfortunately, it was running an anonymous-writable FTP server. The company's signature-based IDS didn't complain, but the company's statistical IDS alerted to an FTP server, which wasn't of much concern to the company since they knew that this IP was used by that laptop. Our Snort-based appliance however picked up on the fact that there was a) an abnormal, rogue FTP present, and b) that that laptop was receiving parts of a Harry Potter movie in AVI form :) indicating an insecure system (which our test confirmed).

So, Snort is not just a signature and anomaly based IDS, it is also a behavioral IDS.

Regards,
Frank
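Frank's suggestion of site-specific "abnormal traffic" rules, as an added illustration that is not part of the thread and not Frank's own rules: two Snort rules in Snort 2.x syntax (ipvar, which postdates this 2003 thread), covering the two behaviours he mentions, a web server initiating outbound connections and a rogue FTP server. The addresses 192.0.2.0/24, 192.0.2.10 (web server) and 192.0.2.20 (sanctioned FTP server) are constructed, as are the sid values.

```snort
# Constructed example network; replace with your own addresses.
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS [192.0.2.10/32]
ipvar FTP_SERVERS [192.0.2.20/32]

# Behavioural rule 1: a web server should only answer connections, never
# open them. A bare SYN from the web server towards the outside is
# therefore abnormal, regardless of destination port.
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any ( \
    msg:"BEHAVIOR web server initiating outbound TCP connection"; \
    flags:S; flow:stateless; \
    classtype:policy-violation; sid:1000001; rev:1; )

# Behavioural rule 2: FTP logins accepted by any internal host other than
# the sanctioned FTP server indicate a rogue or forgotten FTP service
# (the laptop in Frank's story). Matching on the USER command rather than
# the SYN keeps it to sessions the host actually accepted.
alert tcp any any -> [$HOME_NET,!$FTP_SERVERS] 21 ( \
    msg:"BEHAVIOR rogue FTP server accepting login"; \
    flow:to_server,established; content:"USER "; depth:5; nocase; \
    classtype:policy-violation; sid:1000002; rev:1; )
```

Both rules are "policy" rules rather than attack signatures, so they only make sense once HTTP_SERVERS and FTP_SERVERS reflect what the site has actually sanctioned.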