[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Burak DAYIOGLU dayioglu at ...287...
Fri Aug 24 02:04:31 EDT 2001


"Smith, Donald" wrote: 
> It is a false alert in that it will not work against my apache server but I
> want to know when someone is trying an attack against any network element.
> Now if you recommended a filtering process (as part of the database plugin
> or something) that knew 10.1.1.1 was an apache server and cr2.0.1.7.alpha
> wasn't going to work, that would be fully acceptable. 

<line noise>

I have implemented a plugin to do exactly this. Although with the current
implementation such "unrelated" alerts are being suppressed, it is not
difficult to de-prioritize the alert if the target is immune to a particular
attack.

The execution time overhead of the plug-ins was measured to be 6% (including
startup time cost) over a packet trace with 10,000,000 packets.

The environmental information that Abe refers to (i.e. the OS of hosts) is
collected and may be used to eliminate some of the ambiguities for current
network ID systems.

Marty's new kid (BTW, mine is on the way as well) and new company (nope,
I am not into making my own business) caused a long time delay.

Still, I hope the plug-ins will be improved and included in the mainstream
Snort distribution before 2020. (Oops, typo... :)

</line noise>

thank you.
-- 
Burak DAYIOGLU
Phone: +90 312 2103379   Fax: +90 312 2103333
       http://www.dayioglu.net
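The target-aware filtering Donald asks for and Burak describes, as an added Python example (not Burak's plugin and not Snort code): an alert whose destination host the inventory shows cannot run the platform the signature affects is de-prioritized rather than dropped, and hosts the inventory does not know stay at full priority. The inventory, the alert fields, the SIDs and the `affects` tag on a signature are all constructed assumptions for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class HostProfile:
    os: str             # operating system family, e.g. "linux"
    services: dict      # listening port -> product, e.g. {80: "apache"}

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    priority: int                       # Snort convention: 1 is highest
    affects: frozenset = frozenset()    # platforms the signature's attack can work against
    note: str = ""

def target_is_immune(alert, inventory):
    """True only when the inventory positively shows the target cannot be affected."""
    host = inventory.get(alert.dst_ip)
    if host is None or not alert.affects:
        return False    # unknown host or untagged signature: never downgrade
    exposed = {host.os} | set(host.services.values())
    return not (exposed & alert.affects)

def deprioritize(alerts, inventory, floor=3):
    """Lower (never discard) alerts whose target is immune; others pass unchanged."""
    result = []
    for a in alerts:
        if target_is_immune(a, inventory):
            a = replace(a, priority=max(a.priority, floor), note="target immune")
        result.append(a)
    return result

# Constructed inventory and alerts for demonstration; SIDs are placeholders.
INVENTORY = {
    "10.1.1.1": HostProfile("linux", {80: "apache"}),
    "10.1.1.2": HostProfile("windows", {80: "iis"}),
}
IIS_ONLY = frozenset({"iis", "windows"})
ALERTS = [
    Alert(9000001, "WEB-IIS worm attempt", "10.1.1.1", 80, 1, IIS_ONLY),  # Apache target
    Alert(9000001, "WEB-IIS worm attempt", "10.1.1.2", 80, 1, IIS_ONLY),  # IIS target
    Alert(9000001, "WEB-IIS worm attempt", "10.1.1.3", 80, 1, IIS_ONLY),  # host unknown
    Alert(9000002, "WEB-MISC generic probe", "10.1.1.1", 80, 2),          # untagged sig
]

def run_example():
    return deprioritize(ALERTS, INVENTORY)

if __name__ == "__main__":
    for a in run_example():
        print(a.priority, a.dst_ip, a.msg, a.note)
```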