Snort mailing list archives
Re: What's the fuss about string matching ?
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 28 May 2002 13:48:50 -0500
On Mon, 2002-05-27 at 14:46, Pawel Rogocz wrote:
> 2. What's the point in watching for a known vulnerability, if you know your system is not vulnerable ? Do you want to be woken up at 3 a.m. because someone sent you a malformed packet ? Given the fact that all alerts in snort are based on known vulnerabilities, you should patch your systems or take them off-line. [...] It would be more effective for an IDS to alert when a successful intrusion was detected, but in many environments this can easily be done with a sniffer like tcpdump.
Sure. But tcpdump alone doesn't cut it. Once you add your scripts to it to make it alert/email/whatever, and add some additional functionality, you end up with.... Snort!

I have the feeling you rely too much on the delivered signatures. Don't do that. Write and add your own signatures. You don't have to get an expensive anomaly detection system, when you can define what normal is, and write your Snort rules to cover the abnormal stuff.

For example, you should create a rule that alerts you for any connection attempt originating from your web server (except for cc card processing or other known stuff). Web servers normally don't send traffic out, they only answer. Likewise for email servers, they should only send and receive packets with SMTP and DNS. A connection from a high port to a telnet port on the outside would definitely reek of a trojan.

So, turn off all the noise stuff and tune your IDS. Add your own rules to further lock down on normal traffic. Have Snort alert on signatures AND your own custom rules that catch abnormal traffic.

Regards,
Frank
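The "define normal, alert on the rest" policy Frank describes, written out as Snort rules. This is an added example, not part of the original message; the addresses are constructed documentation-range values and Snort 2.x rule syntax is assumed.

```snort
# Constructed addresses (RFC 5737 documentation ranges); Snort 2.x syntax assumed.
var HOME_NET 192.0.2.0/24
var WEB_SERVERS 192.0.2.10
var MAIL_SERVERS 192.0.2.25
var CC_PROCESSOR 203.0.113.50

# Known-good exception: the web server may open sessions to the card processor.
# Depending on the Snort version, pass rules need -o (or "config order") so they
# are evaluated before alert rules; otherwise the alert below still fires.
pass tcp $WEB_SERVERS any -> $CC_PROCESSOR 443 (msg:"LOCAL web server to card processor"; flags:S; sid:1000001; rev:1;)

# A web server only answers. A SYN it originates toward the outside is abnormal.
alert tcp $WEB_SERVERS any -> !$HOME_NET any (msg:"LOCAL web server initiated outbound connection"; flags:S; classtype:policy-violation; sid:1000002; rev:1;)

# Mail server: inbound SMTP, outbound SMTP and DNS lookups are normal ...
pass tcp any any <> $MAIL_SERVERS 25 (msg:"LOCAL inbound SMTP"; sid:1000003; rev:1;)
pass tcp $MAIL_SERVERS any <> any 25 (msg:"LOCAL outbound SMTP"; sid:1000004; rev:1;)
pass udp $MAIL_SERVERS any <> any 53 (msg:"LOCAL mail server DNS"; sid:1000005; rev:1;)
pass tcp $MAIL_SERVERS any <> any 53 (msg:"LOCAL mail server DNS over TCP"; sid:1000006; rev:1;)
# ... and anything else involving the mail server is not.
alert ip $MAIL_SERVERS any <> any any (msg:"LOCAL mail server traffic other than SMTP/DNS"; classtype:policy-violation; sid:1000007; rev:1;)

# Any internal host opening telnet to the outside from a high port.
alert tcp $HOME_NET 1024: -> !$HOME_NET 23 (msg:"LOCAL outbound telnet from high port, possible trojan"; flags:S; classtype:trojan-activity; sid:1000008; rev:1;)
```

The pass rules whitelist the expected traffic so the catch-all alert rules only fire on what the policy does not cover; tune the exceptions for your site before trusting the alerts at 3 a.m.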