Snort mailing list archives
What's the fuss about string matching ?
From: Pawel Rogocz <pawel () rogocz com>
Date: Mon, 27 May 2002 12:46:30 -0700
Hi,

I saw some posts recently about making the next release of snort more effective by making improvements to the string matching engine. I would like to hear some real stories where string matching helped detect an intrusion. I am not talking about people running honeypots. I would like to hear from people with real networks, like ASPs.

I have trouble seeing any use of string matching in an IDS because of two factors:

1. Lots of traffic is encrypted these days.
2. What's the point in watching for a known vulnerability if you know your system is not vulnerable? Do you want to be woken up at 3 a.m. because someone sent you a malformed packet? Given the fact that all alerts in snort are based on known vulnerabilities, you should patch your systems or take them off-line.

Generally, string matching is a waste of CPU cycles better used somewhere else. How about detecting (D)DOS? It would be more effective for an IDS to alert when a successful intrusion was detected, but in many environments this can easily be done with a sniffer like tcpdump.

thanks,
Pawel
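The post above argues about the cost and value of content (string) matching in an IDS. The following is an added example, not code from the original message or from the Snort project, showing what the "string matching engine" in question actually does: a set of rule content strings is compiled into one Aho-Corasick automaton and every packet payload is scanned in a single pass, instead of one pass per rule. The rules (SIDs 1000001-1000003), the port-filtering rule, and all packet payloads are constructed for this example; the opaque byte string standing in for encrypted traffic is a fixed constant, not real ciphertext. The example also carries the two points from the post: the same attack under encryption produces no hits, and a rule tied to a port the host does not serve never fires.

```python
"""Added example: multi-pattern content matching as an IDS engine does it.
Rules, payloads and the "ciphertext" are constructed; nothing here is Snort's own code."""
from collections import deque


class AhoCorasick:
    """Single-pass matcher for a fixed set of byte patterns."""

    def __init__(self, patterns):
        self.goto = [{}]   # node -> {byte: next node}
        self.fail = [0]    # node -> node for the longest proper suffix that is also a pattern prefix
        self.out = [[]]    # node -> patterns that end at this node
        for pat in patterns:
            self._add(pat)
        self._build()

    def _add(self, pat):
        node = 0
        for b in pat:
            nxt = self.goto[node].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[node][b] = nxt
            node = nxt
        self.out[node].append(pat)

    def _build(self):
        # Breadth-first over the trie; depth-1 nodes already fail to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # Inherit the failure node's matches so overlapping patterns are all reported.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def search(self, data):
        """Return (offset, pattern) for every occurrence, reading data exactly once."""
        node, hits = 0, []
        for i, b in enumerate(data):
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            for pat in self.out[node]:
                hits.append((i - len(pat) + 1, pat))
        return hits


# Constructed rule set: (sid, message, content string, destination port).
RULES = [
    (1000001, "WEB-CGI directory traversal attempt", b"/cgi-bin/../", 80),
    (1000002, "WEB-MISC /etc/passwd access", b"/etc/passwd", 80),
    (1000003, "FTP root login attempt", b"USER root", 21),
]

# Compile all content strings once; one automaton serves every packet.
ENGINE = AhoCorasick([content for _, _, content, _ in RULES])


def scan(dst_port, payload):
    """SIDs whose content occurs in the payload and whose port matches the packet."""
    found = {pat for _, pat in ENGINE.search(payload)}
    return sorted(sid for sid, _, content, port in RULES
                  if port == dst_port and content in found)


def scan_naive(dst_port, payload):
    """Reference: one full pass over the payload per rule, the cost the post complains about."""
    return sorted(sid for sid, _, content, port in RULES
                  if port == dst_port and content in payload)


# Constructed packet payloads.
CLEARTEXT_ATTACK = b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\nHost: www\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"
# Opaque bytes standing in for the same request carried inside an encrypted session;
# a content matcher sees only this, whatever the cipher.
CIPHERTEXT = bytes.fromhex(
    "3f9c7ab1e0d4520c8a6e91f27b3d4c5a0e8b1d7c2e9a6e4b3d1c0f"
)


if __name__ == "__main__":
    for port, payload in [(80, CLEARTEXT_ATTACK), (80, CIPHERTEXT),
                          (80, BENIGN_REQUEST), (21, CLEARTEXT_ATTACK)]:
        print(port, scan(port, payload))
```

Running the block prints `[1000001, 1000002]` for the cleartext request, nothing for the ciphertext and the benign request, and nothing for the same attack sent to port 21, since no rule for that port carries those content strings. `scan_naive` returns the same SIDs, but with N rules it walks the payload N times where the automaton walks it once; that difference, multiplied by every packet on a busy link, is what a faster string matching engine buys.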
Current thread:
- What's the fuss about string matching ? Pawel Rogocz (May 27)
- Re: What's the fuss about string matching ? Jason Haar (May 27)
- Re: What's the fuss about string matching ? Andreas Östling (May 27)
- Re: What's the fuss about string matching ? Frank Knobbe (May 28)