Snort mailing list archives
Re: Swen.A results with Snort-inline (protocol anomaly detection)
From: "Jason Haar" <Jason.Haar () xch trimble co nz>
Date: Fri, 26 Sep 2003 21:06:55 +1200 (NZST)
pieter claassen said:
Hi Jason, I am intrigued by your statement that network based scanning cannot replace AV. I assume you are touching on the question as to which security functions can be handled on the perimeter and which ones can only be done end-to-end?
No - nothing to do with that. It's an issue of *how* an AV system works vs a "flow based" technology like IDS. AV scanners do all sorts of tricks with files in order to discover if they are "bad". They need to have the entire file (or a large chunk of it) in place before they start scanning, for one thing. There are all sorts of seeks going on - and let's not even mention the sandboxes AV systems run to partially execute a suspect executable to see what it does next. How could an IDS do all that - on the fly? How could an IDS stop a virus reaching its intended target if it had to let the entire thing pass before making a decision? Cache it, Stop-and-Forward it? Doesn't sound like a flow-based technology anymore... Let's see a network backup run past such a box :-)

Now of course, there's nothing to stop you having one box that acts as your SMTP AV gateway as well as your IDS - but it ain't the IDS stopping the viruses anymore...

The closest thing that exists to a flow-based AV system is the AV plugins you can get for Web proxies - and they still need to download the files, scan them, then pass the file on to the end user if it's OK. As even HTML pages can have viruses (via ActiveX/etc), the "end user experience" is S.L.O.W. I remember trialing a "market leader" in that arena last year. I moved all of our IS group onto it and threatened them with pain of death if they stopped using the AV proxy and went back to the "normal" one (we needed to trial it before inflicting it on end users). Within 4 hours they had all sneaked off back onto the normal, non-AV proxy. It was just too slow - it was like our Internet link had gone back three years in latency. Needless to say, we still don't run an AV on our Web traffic. But SMTP - too right (Qmail-Scanner - plug, plug ;-)

OTOH, we do use some of Snort's rules to look for *some* network-based viruses - it's pretty good at a few of them. However, nothing beats a real AV system.
Oh yeah, and let's not even start on the topic of how you clean up infected workstations if you were to rely on an IDS-style AV system... :-)

Jason
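Added example, not part of Jason's post and not Snort or Qmail-Scanner code: a small Python simulation of the three behaviours contrasted above. A per-segment pattern check (naive flow-based matching) misses a pattern that straddles a segment boundary; a streaming matcher with carry-over catches it, but only after the earlier segments have already been forwarded to the destination; an AV-gateway style store-and-forward check can block the whole object, at the cost of buffering all of it before forwarding a single byte. SIGNATURE, the segment size and the sample stream are constructed for illustration; the SHA-256 lookup stands in for the whole-file hashing, seeking and sandboxing an AV engine does, and none of it is a real virus signature, real traffic or a real blocklist.

```python
"""
Added example (not from the original post): per-segment matching vs streaming
matching vs store-and-forward scanning over a constructed byte stream.
"""
import hashlib
from typing import Dict, List, Set, Tuple

SIGNATURE = b"MARKER-EXAMPLE-SIG"  # constructed, hypothetical 18-byte pattern


def build_sample(seg_size: int = 64) -> bytes:
    """Constructed 'file' whose pattern starts 5 bytes before a segment boundary."""
    return b"A" * (seg_size - 5) + SIGNATURE + b"B" * 100


def segment(data: bytes, size: int) -> List[bytes]:
    """Split a byte stream into fixed-size, TCP-like segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def per_segment_match(segments: List[bytes], sig: bytes) -> bool:
    """Naive check: does any single segment, inspected on its own, contain sig?"""
    return any(sig in s for s in segments)


def streaming_match(segments: List[bytes], sig: bytes) -> Tuple[bool, int]:
    """Flow-based matching that carries the last len(sig)-1 bytes of the previous
    segment forward so a straddling pattern is still found. Each segment is
    forwarded as soon as it has been inspected. Returns (detected, bytes already
    forwarded to the destination at the moment of detection)."""
    carry = b""
    forwarded = 0
    for s in segments:
        window = carry + s
        if sig in window:
            return True, forwarded  # everything before this segment is already gone
        forwarded += len(s)
        carry = window[len(window) - (len(sig) - 1):] if len(sig) > 1 else b""
    return False, forwarded


def store_and_forward(segments: List[bytes], known_bad: Set[str],
                      sig: bytes) -> Tuple[bool, int, int]:
    """AV-gateway style: buffer the entire object, then run checks that only work
    on the whole file (a SHA-256 blocklist lookup here plus the pattern check),
    then forward or drop. Returns (blocked, bytes forwarded, bytes buffered
    before the decision could be made)."""
    buf = b"".join(segments)
    blocked = hashlib.sha256(buf).hexdigest() in known_bad or sig in buf
    return blocked, 0 if blocked else len(buf), len(buf)


def demo(seg_size: int = 64) -> Dict[str, object]:
    """Run all three strategies over the constructed sample and a benign stream."""
    sample = build_sample(seg_size)
    segs = segment(sample, seg_size)
    known_bad = {hashlib.sha256(sample).hexdigest()}  # constructed blocklist entry
    benign = segment(b"A" * len(sample), seg_size)
    return {
        "per_segment": per_segment_match(segs, SIGNATURE),
        "streaming": streaming_match(segs, SIGNATURE),
        "store_and_forward": store_and_forward(segs, known_bad, SIGNATURE),
        "benign": store_and_forward(benign, known_bad, SIGNATURE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18s} {result}")
```

With the default 64-byte segments the per-segment check reports nothing, the streaming matcher detects the pattern only after the first 64 bytes have already been forwarded, and the store-and-forward check blocks the object but had to hold all 177 bytes first, which is the latency Jason describes with the AV proxy.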
Current thread:
- Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 25)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 25)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) pieter claassen (Sep 26)
- Re: Swen.A results with Snort-inline (protocol anomaly detection) Jason Haar (Sep 25)