Snort mailing list archives
(no subject)
From: Blake Frantz <blake () mc net>
Date: Tue, 31 Jul 2001 09:56:19 -0500
http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit doesn't get logged.
In this example, the 2nd exploit would be logged as part of the packet payload captured by the 1st matching rule. I don't see this as a design flaw. IMHO the IDS worked properly; it let you know something "bad" was happening. It's the analyst's job to make sense of the events that are actually transpiring... IDS systems are not meant to be managed by an individual or team that merely looks at the alert description and neglects the data within the captured packet.

Let's pretend for a minute that Snort *does* check every packet against every rule regardless of match. What prevents h4x0r_b0b from crafting spoofed packets that contain 50 signatures and flooding your net with 'em, effectively filling your IDS logs with a bunch of crap? In the interim h4x0r_b0b attacks one of your servers. Now, Analyst_Jim thinks the IDS broke and starts deleting alerts haphazardly. h4x0r_b0b effectively filled your IDS, hid his attack, and ruined Analyst_Jim's day.

Where is the flaw in this scenario? Analyst_Jim wasn't thorough in his work and missed the attack. Same goes with the situation you mention as a "flaw." The IDS isn't the flaw; the flaw resides within the person managing the data provided by the IDS.

In any event, I would rather have my IDS report on a one-rule basis than run the risk of h4x0r_b0b crafting the aforementioned packets and sending them in my direction.

Blake Frantz
A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
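The two alerting policies argued about in this message, as an added example that is not part of the original post or of Snort itself: a toy matcher with three constructed URI-substring rules (the rule names echo the thread, but the rule set, the matching engine and the sample URIs are all assumptions made for this illustration, not Snort's real rules or its `uricontent` engine). It shows that under one-alert-per-packet logging the "test-cgi" rule is the only alert raised for the quoted URI, that the other signatures are still recoverable from the captured payload, and how many alerts a decoy flood generates under each policy.

```python
"""Toy model of one-rule-per-packet vs. every-rule-per-packet alerting.

Added example; the rules, URIs and matching logic are constructed for
illustration and do not reproduce Snort's rule language or engine.
"""
from dataclasses import dataclass
from typing import Callable, List, Sequence, Tuple

Alert = Tuple[str, str]  # (alert message, captured payload)


@dataclass(frozen=True)
class Rule:
    msg: str         # alert description, like a Snort msg: option
    uricontent: str  # substring that must appear in the request URI


# Constructed rule set (assumption): ordered, as rules are in a rules file.
RULES: Tuple[Rule, ...] = (
    Rule("WEB-CGI test-cgi access", "/test-cgi"),
    Rule("WEB-MISC directory traversal", "/../"),
    Rule("WEB-IIS cmd.exe access", "cmd.exe"),
)

# Constructed sample request, standing in for the URI quoted in the thread.
PROBE = "http://snort.protected.host.com/test-cgi/../scripts/cmd.exe"


def first_match(uri: str, rules: Sequence[Rule] = RULES) -> List[Alert]:
    """One alert per packet: stop at the first rule that fires."""
    for r in rules:
        if r.uricontent in uri:
            return [(r.msg, uri)]
    return []


def all_matches(uri: str, rules: Sequence[Rule] = RULES) -> List[Alert]:
    """Every rule is checked; every rule that fires produces an alert."""
    return [(r.msg, uri) for r in rules if r.uricontent in uri]


def payload_hits(payload: str, rules: Sequence[Rule] = RULES) -> List[str]:
    """What an analyst finds by reading the captured payload rather than
    only the alert description: every signature present in it."""
    return [r.msg for r in rules if r.uricontent in payload]


def alerts_for(packets: Sequence[str],
               policy: Callable[[str, Sequence[Rule]], List[Alert]],
               rules: Sequence[Rule] = RULES) -> List[Alert]:
    """Run a stream of packets (URIs) through one alerting policy."""
    alerts: List[Alert] = []
    for uri in packets:
        alerts.extend(policy(uri, rules))
    return alerts


def compare_flood(n_packets: int = 50,
                  rules: Sequence[Rule] = RULES) -> Tuple[int, int]:
    """Alert counts (first-match, all-matches) for a flood of n decoy
    packets, each crafted to touch every rule in the set."""
    decoy = "/test-cgi/../scripts/cmd.exe"  # constructed decoy URI
    packets = [decoy] * n_packets
    return (len(alerts_for(packets, first_match, rules)),
            len(alerts_for(packets, all_matches, rules)))


if __name__ == "__main__":
    # One-rule-per-packet: only the test-cgi rule is reported...
    logged = first_match(PROBE)
    print("first-match alerts:", [m for m, _ in logged])
    # ...but the captured payload still carries the other signatures.
    print("signatures in captured payload:", payload_hits(logged[0][1]))
    # Every-rule-per-packet reports all three for the same packet.
    print("all-matches alerts:", [m for m, _ in all_matches(PROBE)])
    # A 50-packet decoy flood inflates the alert log 3x under all-matches.
    print("flood alerts (first, all):", compare_flood(50))
```

Under first-match the decoy flood produces one alert per packet; under all-matches it produces one per rule per packet, so the log grows with the number of signatures the attacker packs into each decoy, which is the volume argument the message makes. In both cases the captured payload of the single "test-cgi" alert is enough to recover the rest of the request.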
Current thread:
- (no subject) Андрей Иванов (Jul 02)
- <Possible follow-ups>
- (no subject) cboy (Jul 09)
- Re: (no subject) Blake Frantz (Jul 09)
- Re: (no subject) Dragos Ruiu (Jul 09)
- Re: (no subject) Blake Frantz (Jul 09)
- (no subject) John Johnson (Jul 10)
- RE: (no subject) Bill Gercken (Jul 11)
- Re: (no subject) Phil Wood (Jul 11)
- (no subject) Randall Paige (Jul 12)
- (no subject) Blake Frantz (Jul 31)
- Re: (no subject) Niek Jongerius (Aug 01)
- (no subject) Anupam Bansal (Aug 03)
- Re: (no subject) Dragos Ruiu (Aug 03)
- (no subject) Patrick W Bass (Aug 03)
- (no subject) Scott Phelps (Aug 07)
- (no subject) Delfim Machado (Aug 09)
- (no subject) Erik (Aug 12)
- (no subject) Bill Rogers (Aug 16)
- RE: (no subject) Bill Rogers (Aug 17)
- (no subject) Patrick W Bass (Aug 24)
(Thread continues...)