[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...
dayioglu at ...287...
Fri Aug 24 02:04:31 EDT 2001
"Smith, Donald" wrote:
> It is a false alert in that it will not work against my apache server but I
> want to know when someone is trying an attack against any network element.
> Now if you recommended a filtering process (as part of the database plugin
> or something) that knew 10.1.1.1 was an apache server and cr126.96.36.199.alpha
> wasn't going to work that would be full acceptable.
I have implemented a plugin to exactly do this. Although with the current
implementation such "unrelated" alerts are being suppressed, it is not
difficult to de-prioritize the alert if the target is immune to a particular
The execution time overhead of the plug-ins were measured to be 6% (including
startup time cost) over a packet trace with 10,000,000 packets.
The environmental information that Abe refers (i.e. the os of hosts) is
collected and may be used to eliminate some of the ambiguities for current
network ID systems.
Marty's new kid (BTW, mine is on the way as well) and new company (nope,
I am not into making my own business) caused a long time delay.
Still, I hope the plug-ins will be improved and included in the mainstream
Snort distribution before 2020. (Oops, typo... :)
Phone: +90 312 2103379 Fax: +90 312 2103333
More information about the Snort-devel