Snort mailing list archives

Re: To check for current SNORT limitations in 2.9


From: Robert Muscat via Snort-users <snort-users () lists snort org>
Date: Mon, 30 Oct 2017 17:14:30 +0000

Hi - These were listed as some disadvantages which SNORT suffers in some thesis papers, not commercially related. Are none of these listed somehow relevant?


________________________________
From: Mark Levison <mark () agilepainrelief com>
Sent: Monday, October 30, 2017 3:49:04 PM
To: Robert Muscat
Subject: Re: [Snort-users] To check for current SNORT limitations in 2.9

Robert - I thought your reply went to the list, when it only went to me personally. If you read your list, it sounds like something someone would write if they were attempting to market a product that competes with Snort. Lacking context, I and others reacted poorly.

I wish you good luck with the undergrad thesis.

Cheers
Mark

On Sun, Oct 29, 2017 at 1:26 PM, Robert Muscat <robertmuscat () hotmail com> wrote:
Well, I need to find a niche area in SNORT where I can provide at least a minor enhancement for an undergraduate thesis, with an office environment as a scenario. The problem is I haven't yet decided on which area I shall focus, e.g. a rule for a specific attack/policy, more efficient detection, use of fewer resources, lower false positives, granular detection, better administration. Unfortunately I have yet to use SNORT, but I also have to focus on an area where I can provide an improvement of some sort. I know it's an open-ended idea, but now there's no turning back.


________________________________
From: Mark Levison <mark () agilepainrelief com>
Sent: Sunday, October 29, 2017 5:19 PM
To: Robert Muscat
Subject: Re: [Snort-users] To check for current SNORT limitations in 2.9

Robert - This is a very interesting list. I'm trying to understand your intentions/goal. Would you explain?

Cheers
Mark

On Sun, Oct 29, 2017 at 10:50 AM, Robert Muscat via Snort-users <snort-users () lists snort org> wrote:


Hi,


Can someone confirm which of the below problems are still persistent in the stable version (not 3.0)?


  *   Performance drops during heavy network traffic.

  *   Adding additional snort instances and modifying snort configurations can lead to mistake magnification. So only experienced users can use it.

  *   Snort cannot detect UDP and TCP flooding attacks; it can only detect ICMP flooding attacks.

  *   When snort is in its active detection mode it will utilize 100% CPU and will slow down the performance of the system to a great extent.

  *   In snort, a graphical interface is not there by default and can be achieved only by adding extra plug-ins.

  *   By default snort will not provide any anomaly detection and is purely a misuse-based system. An extra plug-in is required.

  *   While handling normal traffic snort will process the packets at a slow pace. During a DoS or DDoS attack snort throughput increases drastically, but it will drop a large number of packets.

  *   When the number of rules increases, memory utilization also increases and hence it will take longer to initialize all the rules.

  *   Snort checks each and every field specified in the rule and creates an RTN and OTN for all the fields in the rule. Therefore it will decrease the processing throughput by performing several unnecessary comparisons with all the fields in the rule.

  *   Snort is capable of detecting flooding attacks by default. If snort needs to be configured to detect other modes of attack then the configuration file has to be changed, which indeed is a tedious task.

  *   Snort is purely an intrusion detection system and is not an intrusion prevention system.

  *   Snort will start to drop packets at a massive rate when the incoming packet rate is higher. Therefore the possibilities of missing possible attack patterns are greater, since it fails to analyze those dropped packets.

If there are more known issues, I would appreciate it if you could forward them to me.

Thanks in advance!



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette




--

Mark Levison | 1 (877) 248-8277 | Twitter<https://twitter.com/mlevison> | LinkedIn<http://ca.linkedin.com/in/marklevison> | Facebook<https://www.facebook.com/agilepainrelief>
Certified ScrumMaster Training: Vancouver<http://agilepainrelief.com/courses/vancouver> | 
Edmonton<http://agilepainrelief.com/courses/edmonton> | Ottawa<http://agilepainrelief.com/courses/ottawa> | 
Montreal<http://agilepainrelief.com/courses/montreal> | Toronto<http://agilepainrelief.com/courses/toronto>
Certified Product Owner & Private Training also available ~ Our Training 
Schedule<http://agilepainrelief.com/courses/certified-scrum-agile-training>
Agile Pain Relief Consulting<http://agilepainrelief.com/> | Notes from a Tool 
User<http://agilepainrelief.com/notesfromatooluser>
Proud Sponsor of Agile Tour Gatineau Ottawa<http://goagiletour.ca/> and Agile Coach Camp 
Canada<http://agilecoachcampcanada.wordpress.com/>
