Snort mailing list archives

What's the fuss about string matching?


From: Pawel Rogocz <pawel () rogocz com>
Date: Mon, 27 May 2002 12:46:30 -0700

Hi,

I saw some posts recently, about making the next release of snort more
effective, by making improvements to the string matching engine.

I would like to hear some real stories where string matching helped 
detect intrusion. I am not talking about people running honeypots.
I would like to hear from people with real networks like ASPs.

I have trouble seeing any use of string matching in IDS because of two 
factors:

1. Lots of traffic is encrypted these days.
2. What's the point in watching for a known vulnerability, if you know
your system is not vulnerable? Do you want to be woken up at 3 a.m.
because someone sent you a malformed packet? Given the fact that all 
alerts in snort are based on known vulnerabilities, you should patch your
systems or take them off-line.

Generally string matching is a waste of CPU cycles, better used somewhere
else. How about detecting (D)DOS?
It would be more effective for an IDS to alert when a successful intrusion 
was detected, but in many environments this can easily be done 
with a sniffer like tcpdump.

thanks,

Pawel
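The "string matching engine" the post refers to is the part of an IDS that tests every payload against the content strings of every loaded rule. The added example below is not from the post, from the Snort project, or from any reply in the thread; it is illustrative code written for this page. It builds an Aho-Corasick automaton over a small constructed set of content patterns (the byte strings are made up to look like old CGI and FTP signatures, not real Snort rules) and runs it over a constructed HTTP request, alongside a naive one-pattern-at-a-time scan of the same payload. Both return the same hits; the step counters show why the cost of content matching depends on the engine rather than only on the number of rules.

```python
from collections import deque

# Constructed content patterns (assumption: illustrative, not real Snort rules).
PATTERNS = [
    b"/cgi-bin/phf",
    b"/etc/passwd",
    b"cmd.exe",
    b"../..",
    b"USER anonymous",
]

# Constructed sample payload: one HTTP request carrying two of the patterns.
PAYLOAD = (b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")


class AhoCorasick:
    """Multi-pattern matcher: a single pass over the payload finds every pattern."""

    def __init__(self, patterns):
        self.patterns = list(patterns)
        self.goto = [{}]   # goto[state][byte] -> next state (trie edges)
        self.fail = [0]    # fail[state] -> longest proper suffix that is a trie node
        self.out = [[]]    # out[state] -> indexes of patterns ending at this state
        for idx, pat in enumerate(self.patterns):
            state = 0
            for ch in pat:
                if ch not in self.goto[state]:
                    self.goto.append({})
                    self.fail.append(0)
                    self.out.append([])
                    self.goto[state][ch] = len(self.goto) - 1
                state = self.goto[state][ch]
            self.out[state].append(idx)
        # Breadth-first pass assigns failure links; depth-1 nodes fall back to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for ch, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and ch not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(ch, 0)
                # A state also matches everything its failure state matches.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return ([(pattern_index, end_offset), ...], transitions_taken)."""
        state, hits, steps = 0, [], 0
        for i, ch in enumerate(data):
            while state and ch not in self.goto[state]:
                state = self.fail[state]
                steps += 1
            state = self.goto[state].get(ch, 0)
            steps += 1
            for idx in self.out[state]:
                hits.append((idx, i + 1))
        return hits, steps


def naive_search(patterns, data):
    """Scan the payload once per pattern; returns (hits, byte_comparisons)."""
    hits, comparisons = [], 0
    for idx, pat in enumerate(patterns):
        for i in range(len(data) - len(pat) + 1):
            j = 0
            while j < len(pat) and data[i + j] == pat[j]:
                j += 1
            comparisons += j if j == len(pat) else j + 1  # count the mismatch too
            if j == len(pat):
                hits.append((idx, i + len(pat)))
    return hits, comparisons


def compare(patterns=PATTERNS, data=PAYLOAD):
    """Run both matchers and return their hits and work counters for inspection."""
    ac_hits, ac_steps = AhoCorasick(patterns).search(data)
    nv_hits, nv_cmps = naive_search(patterns, data)
    return {
        "aho_corasick": (sorted(ac_hits), ac_steps),
        "naive": (sorted(nv_hits), nv_cmps),
    }


if __name__ == "__main__":
    for name, (hits, work) in compare().items():
        print(f"{name}: hits={[(PATTERNS[i], end) for i, end in hits]} work={work}")
```

Both matchers report the same two hits (the phf probe ending at byte 16 and the /etc/passwd string ending at byte 50); the automaton gets there in a number of transitions bounded by about twice the payload length, while the naive scan's byte comparisons grow with the number of patterns.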



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
