[Snort-devel] Defeating the anti-IDS tools...

agetchel at ...358... agetchel at ...358...
Thu Apr 5 00:50:11 EDT 2001

> Only if the attacker was able to find valid attacks against your network.
> With the data mining method these invalid attacks would just show up as
> "Invalid Attacks, naughty boy detected" This would be one alert and not 100's.

	As would the alert in the alternate log file which this
postprocessor would create; it would log one entry for every X number of
attacks in X number of seconds from X number of IP addresses and give a
time-frame so the engineers could further investigate.  I guess, from my
point of view, I'm just not hearing any good reasons _not_ to include a
postprocessor such as this into Snort.  It would provide engineers a quick
and effective way of identifying attacks generated by diversion tools,
without any additional hardware or software in place, and it wouldn't affect
the way alerts are generated or logged, currently, in any way.  Are there
any real _disadvantages_ to this approach?  Besides keeping engineers from
what they _should_ be doing? =)  It just doesn't make any sense to not
include this feature because of what engineers _should_ be doing.  It would
be like a car manufacturer not installing anti-lock brakes in any of their
cars.  Everyone _should_ be able to drive without them, but most definitely
benefit from the additional safety measures.
	As a side note... it would figure that the first time I go and see
the Red Wings play in person in thirteen years, they would lose to an
expansion team like the Bluejackets.  Bah.  Anywho, if there are any hockey
fans here, it's true what they say about Nationwide, it's an incredible
arena. =)


Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...358...
Web     http://www.kde.state.ky.us/
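The "one entry for every X attacks in X seconds from X addresses" postprocessor argued for above, as an added example that is not part of this thread or of Snort: a small summariser that reads alert lines and writes the side-channel entries the message describes, leaving the per-alert log alone. The simplified fast-format layout, the thresholds and every address in the sample are assumptions, constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample alerts in a simplified Snort "fast" alert layout (not real traffic):
# a burst from four sources within a few seconds, then two isolated alerts later on.
SAMPLE_ALERTS = """\
04/05-00:50:01.000000 [**] [1:1000:1] WEB-MISC /etc/passwd [**] 10.0.0.5 -> 192.168.1.10
04/05-00:50:02.000000 [**] [1:1001:1] WEB-CGI phf access [**] 10.0.0.6 -> 192.168.1.10
04/05-00:50:03.000000 [**] [1:1002:1] FTP EXPLOIT overflow [**] 10.0.0.7 -> 192.168.1.10
04/05-00:50:04.000000 [**] [1:1000:1] WEB-MISC /etc/passwd [**] 10.0.0.8 -> 192.168.1.10
04/05-00:50:05.000000 [**] [1:1003:1] DNS EXPLOIT named [**] 10.0.0.5 -> 192.168.1.10
04/05-00:50:06.000000 [**] [1:1001:1] WEB-CGI phf access [**] 10.0.0.6 -> 192.168.1.10
04/05-00:50:07.000000 [**] [1:1002:1] FTP EXPLOIT overflow [**] 10.0.0.7 -> 192.168.1.10
04/05-00:50:08.000000 [**] [1:1000:1] WEB-MISC /etc/passwd [**] 10.0.0.8 -> 192.168.1.10
04/05-00:51:30.000000 [**] [1:1001:1] WEB-CGI phf access [**] 172.16.0.9 -> 192.168.1.10
04/05-00:52:00.000000 [**] [1:1001:1] WEB-CGI phf access [**] 172.16.0.9 -> 192.168.1.10
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) \[\*\*\] \[[\d:]+\] (?P<sig>.+?) \[\*\*\] "
    r"(?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)

def parse_alert(line):
    """Return (timestamp, source_ip, signature), or None for a line we don't understand."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    # The fast format carries no year; only differences between timestamps matter here.
    return datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f"), m["src"], m["sig"]

def summarize(lines, count=5, window=10, min_sources=3):
    """Emit one summary entry whenever at least `count` alerts from at least
    `min_sources` distinct addresses fall inside a sliding `window` of seconds."""
    current, summaries = [], []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue
        ts = parsed[0]
        current.append(parsed)
        current = [a for a in current if (ts - a[0]).total_seconds() <= window]
        sources = {a[1] for a in current}
        if len(current) >= count and len(sources) >= min_sources:
            summaries.append({"start": current[0][0], "end": ts,
                              "alerts": len(current), "sources": sorted(sources)})
            current = []  # one flood, one entry; start counting afresh
    return summaries
```

Each summary carries the start and end timestamps of the burst and the addresses involved, which is the time-frame the message says engineers need for follow-up; the original alerts are still written exactly as before.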