[Snort-devel] Re: [Snort-users] Has anybody checked this out?

Fyodor fygrave at ...1...
Sun Feb 25 09:46:06 EST 2001


On Wed, Jan 31, 2001 at 03:03:28AM +0000, Dr SuSE wrote:
> Hmm, perhaps he forgot to include a rule set in his snort.conf file.
> I find it very hard to believe that out of 100,000 attacks Snort detected zero.
> Could it be that the 100,000 attacks were the same and there simply was no
> Snort signature for this particular attack, or maybe there was but it somehow
> got removed or commented out...


Anyway, I looked through the prelude code and there are definitely some things
which look interesting and which we could probably borrow in snort 2.x (some
of them have been discussed on the list for quite some time already: the report
queue is our spooling mechanism, stateful protocol inspection features, etc.).

The only thing I don't understand is why Yoann talks in such an aggressive
manner. Yoann seems to be a guy with attitude. Although there are definitely
some weaknesses and design problems in the current snort implementation (that is
why we are going for snort 2.x :)), I don't think the claim 'while snort detected
0 attacks prelude detected 100,000' has any basis. It depends on how you configure
both tools though; you could run snort -dv and definitely will not see any alerts :) The
guy seems to have an odd understanding of what an 'attack' is, too.

"Generating bad packets is often used as a kind of DOS attack to make the
remote operating system's IP stack crash. I believe that an IDS has to report
such attacks."

I don't think all kinds of malformed/corrupted data frames on the wire deserve
to be reported as attacks. One of the common problems with IDS configuration
which I see around is that guys try to trigger an alert on everything (including
'HTTP cookies, SMTP mail from: headers', etc.), which in the end creates a
situation where you get hundreds of alerts every day which you don't even look
through.


just my $.02
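The "alert on everything" failure mode described in this message (cookie and MAIL FROM rules burying the alerts that matter) can be measured rather than argued about. The following is an added example, not code from this thread, from Snort, or from Prelude: a Python script that parses Snort alert_fast output lines (the sample below is constructed, not a real capture; the sids are in the local-rule range), ranks signatures by their share of total alert volume, and lists the low-priority ones that dominate. It also emits `suppress gen_id <gid>, sig_id <sid>` entries in the threshold.conf syntax of later Snort 2 releases, which is assumed here and did not exist at the time of this 2001 thread; treat them as review candidates, not as a configuration to apply blindly.

```python
"""Rank Snort alert_fast lines by signature to spot rules that drown the rest.

Added example for this thread; the log lines are constructed, not a capture.
"""
import re
from collections import Counter

# Constructed sample in Snort's alert_fast format (rule sids in the local range).
SAMPLE_ALERTS = """\
02/25-09:46:06.000001  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.5:43122 -> 192.0.2.10:80
02/25-09:46:07.000002  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.6:43123 -> 192.0.2.10:80
02/25-09:46:08.000003  [**] [1:1000002:1] POLICY SMTP MAIL FROM header seen [**] [Priority: 3] {TCP} 10.0.0.7:25012 -> 192.0.2.25:25
02/25-09:46:09.000004  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.5:43124 -> 192.0.2.10:80
02/25-09:46:10.000005  [**] [1:1000003:2] WEB-ATTACKS directory traversal attempt [**] [Priority: 1] {TCP} 198.51.100.9:5120 -> 192.0.2.10:80
02/25-09:46:11.000006  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.8:43125 -> 192.0.2.10:80
02/25-09:46:12.000007  [**] [1:1000002:1] POLICY SMTP MAIL FROM header seen [**] [Priority: 3] {TCP} 10.0.0.7:25013 -> 192.0.2.25:25
02/25-09:46:13.000008  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.5:43126 -> 192.0.2.10:80
02/25-09:46:14.000009  [**] [1:1000004:1] SCAN malformed TCP flags [**] [Priority: 2] {TCP} 198.51.100.9:5121 -> 192.0.2.10:22
02/25-09:46:15.000010  [**] [1:1000001:1] POLICY HTTP Cookie header seen [**] [Priority: 3] {TCP} 10.0.0.9:43127 -> 192.0.2.10:80
this line is not an alert and the parser skips it
"""

# Matches the [gid:sid:rev] block, the rule message, and the optional priority.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r"(?:.*?\[Priority: (?P<prio>\d+)\])?"
)


def parse_alerts(text):
    """One dict per parseable alert_fast line; non-alert lines are ignored."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m is None:
            continue
        alerts.append({
            "gid": int(m["gid"]),
            "sid": int(m["sid"]),
            "msg": m["msg"],
            # Snort priority: 1 is the most severe; None if the line carries none.
            "priority": int(m["prio"]) if m["prio"] else None,
        })
    return alerts


def signature_stats(alerts):
    """Per (gid, sid): count, share of total volume, msg, priority; busiest first."""
    counts = Counter((a["gid"], a["sid"]) for a in alerts)
    total = sum(counts.values())
    stats = []
    for key, n in counts.most_common():
        first = next(a for a in alerts if (a["gid"], a["sid"]) == key)
        stats.append({
            "gid": key[0], "sid": key[1], "msg": first["msg"],
            "priority": first["priority"], "count": n, "share": n / total,
        })
    return stats


def noisy_signatures(alerts, max_share=0.25, low_priority=3):
    """Rules worth reviewing for tuning: they exceed max_share of all alerts and
    are low priority (>= low_priority in Snort's scheme, or carry no priority)."""
    noisy = []
    for s in signature_stats(alerts):
        is_low = s["priority"] is None or s["priority"] >= low_priority
        if s["share"] > max_share and is_low:
            noisy.append(s)
    return noisy


def suppress_lines(noisy):
    """threshold.conf 'suppress' entries (assumed Snort 2 syntax) for the noisy rules."""
    return ["suppress gen_id %d, sig_id %d" % (s["gid"], s["sid"]) for s in noisy]


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for s in signature_stats(alerts):
        print("%6d  %5.1f%%  prio=%s  %s"
              % (s["count"], 100 * s["share"], s["priority"], s["msg"]))
    print("\n".join(suppress_lines(noisy_signatures(alerts))))
```

On the constructed sample the cookie rule alone is 60% of the volume, so it is the only rule flagged at the default 25% threshold; lowering the threshold also surfaces the MAIL FROM rule, while the traversal and malformed-flags alerts are never suggested for suppression because their priority is high even when they cross the share threshold.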