Snort mailing list archives

Re: What's the fuss about string matching ?


From: Frank Knobbe <fknobbe () knobbeits com>
Date: 28 May 2002 13:48:50 -0500

On Mon, 2002-05-27 at 14:46, Pawel Rogocz wrote:
> 2. What's the point in watching for a known vulnerability, if you know
> your system is not vulnerable ? Do you want to be woken up at 3 a.m.
> because someone sent you a malformed packet ? Given the fact that all
> alerts in snort are based on known vulnerabilities, you should patch your
> systems or take them off-line.
> [...]
> It would be more effective for an IDS to alert when a successful intrusion
> was detected, but in many environments this can easily be done
> with a sniffer like tcpdump.


Sure. But tcpdump alone doesn't cut it. Once you add your scripts to it
to make it alert/email/whatever, and add some additional functionality,
you end up with.... Snort!

I have the feeling you rely too much on the delivered signatures. Don't
do that. Write and add your own signatures. You don't have to get an
expensive anomaly detection system, when you can define what normal is,
and write your Snort rules to cover the abnormal stuff. For example, you
should create a rule that alerts you for any connection attempt
originating from your web server (except for cc card processing or other
known stuff). Web servers normally don't send traffic out, they only
answer. Likewise for email servers, they should only send and receive
packets with SMTP and DNS. A connection from a high port to a telnet
port on the outside would definitely reek of a trojan.
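One way to write the three "define normal, alert on the abnormal" rules described above, as an added example that is not from this message or from the Snort project's shipped rule set. It uses Snort 2.x rule syntax (ipvar/portvar); the addresses are constructed RFC 5737 documentation ranges, and the variable names, sids, and message strings are assumptions of mine:

```snort
# --- constructed sample addresses, not from the message ---
ipvar HOME_NET 192.0.2.0/24
ipvar EXTERNAL_NET !$HOME_NET
ipvar WEB_SERVERS [192.0.2.10,192.0.2.11]
ipvar MAIL_SERVERS [192.0.2.25]
# the one outside host the web servers legitimately talk to (card processor): assumed
ipvar CARD_PROCESSOR [198.51.100.5]
# everything a web server may open a connection to; anything else is abnormal
ipvar WEB_ALLOWED_DST [$HOME_NET,$CARD_PROCESSOR]

# 1. Web servers only answer, they never call out.
#    flags:S matches the bare SYN (no ACK), i.e. a connection the web server
#    *initiates*; replies inside sessions that clients opened never carry a
#    bare SYN, so normal web serving does not trip this rule.
alert tcp $WEB_SERVERS any -> !$WEB_ALLOWED_DST any (msg:"LOCAL POLICY web server initiated outbound connection"; flags:S; classtype:policy-violation; sid:1000001; rev:1;)

# 2. Mail servers should only talk SMTP and DNS.
#    TCP: any SYN from a mail server to an external port other than 25 or 53.
#    UDP: any datagram from a mail server to an external port other than 53.
alert tcp $MAIL_SERVERS any -> $EXTERNAL_NET ![25,53] (msg:"LOCAL POLICY mail server outbound TCP to non-SMTP/DNS port"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)
alert udp $MAIL_SERVERS any -> $EXTERNAL_NET !53 (msg:"LOCAL POLICY mail server outbound UDP other than DNS"; classtype:policy-violation; sid:1000003; rev:1;)

# 3. A connection from a high (ephemeral) port on any internal host to a
#    telnet port outside: the "reeks of a trojan" case. 1024: means port 1024
#    and above.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 23 (msg:"LOCAL POLICY outbound telnet from high port - possible trojan/backdoor"; flags:S; classtype:trojan-activity; sid:1000004; rev:1;)
```

Put the rules in a file included from snort.conf (for example `include $RULE_PATH/local.rules`, the conventional place for site-specific rules) and keep sids at 1000000 or above so they never collide with distributed signatures. Because these rules are stateless SYN matches, an outbound port scan from a compromised host produces one alert per SYN; that is exactly the traffic you want to see, but if the volume becomes a problem, Snort's event thresholding can rate-limit a given sid without hiding the first hit.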

So, turn off all the noise stuff and tune your IDS. Add your own rules
to further lock down on normal traffic. Have Snort alert on signatures
AND your own custom rules that catch abnormal traffic.

Regards,
Frank
 
