[Snort-devel] Re: [Snort-users] Has anybody checked this out?

Fyodor fygrave at ...1...
Mon Feb 26 02:12:01 EST 2001

On Sun, Feb 25, 2001 at 02:17:56PM -0500, Martin Roesch wrote:
> Fyodor wrote:
> > 
> > On Wed, Jan 31, 2001 at 03:03:28AM +0000, Dr SuSE wrote:
> > > Hmm, perhaps he forgot to include a rule set in his snort.conf file.
> > > I find it very hard to believe that out of 100,000 attacks Snort detected zero.
> > > Could it be that the 100,000 attacks were the same and there simply was not
> > > Snort signature for this particular attack or maybe there was but it somehow
> > > got removed or commented out.....
> > >
> > >
> > 
> > Anyway, I looked through prelude code and there are definitely some things
> > which look interesting and which we may probably borrow in snort 2.x (some
> > of them were discussed on the list for quite some time already (report queue
> > is our spooling mechanism, stateful protocol expection features etc etc)).
> I'll have a look at it, but I've definitely got some ideas already about
> what I want a lot of the features in Snort 2.0 to look like.

Another thought for snort2.x, what about having it threaded/MPI'ed? So people who manage to build unix clusters
could take advantage of that while running snort? I am currently testing some code with MPI (bruth thing)
and it works quite nifty. 

> I think that the real issue here is that 100000 alerts for bad packets
> are really one large event (malformed packet) and having the IDS
> identify every different way in which a packet is malformed isn't
> especially useful.  Even if you aggregate those alerts into a single
> meta-event, you've still got inherently useless data unless you are
> reporting a known DoS event, not just a "this might be a DoS".

".. or a broken router, or bad cabling, or ..."

> hyperbole and has nothing to do with Snort's real detection
> capabilities.  I find it strange that this would even be an issue if he
> truly understood the nature of Snort and find it to be pretty
> intellectually dishonest coming from a coder.  It smacks of marketing to
> my mind, and in the open source world there's not a whole lot of room
> for that kind of BS (maybe I'm just being naive)... :)


> I'd like to test out the code and see if there's some really original
> stuff here, but unfortunately it doesn't compile cleanly on FreeBSD or
> OpenBSD so I haven't had a chance to check it out yet.

Want a patch? ;-)

PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1
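The aggregation Martin describes above (many alerts for malformed packets from one source are really one event, and the count alone cannot distinguish a DoS from a broken router or bad cabling) can be shown in a few dozen lines. The following is an added example, not Snort code and not from the Prelude project: the alert record fields, the rule ids and messages, and the (src, dst) grouping key are all constructed for illustration. It collapses any burst of alerts sharing a source/destination pair within a time window into a single meta-event and flags that meta-event as needing context rather than naming it a DoS.

```python
"""Collapse floods of near-identical alerts into one meta-event.

Added example, not Snort's or Prelude's code. Field names, rule ids and
messages are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Alert:
    ts: float   # epoch seconds (constructed)
    sid: int    # rule id that fired (constructed, not real Snort sids)
    msg: str    # rule message (constructed)
    src: str
    dst: str


@dataclass
class MetaEvent:
    src: str
    dst: str
    count: int
    first_ts: float
    last_ts: float
    sids: set = field(default_factory=set)   # distinct rules seen in the burst


def aggregate(alerts: List[Alert], window: float = 60.0,
              threshold: int = 100) -> Tuple[List[MetaEvent], List[Alert]]:
    """Group alerts by (src, dst); bursts of >= threshold within `window`
    seconds of the burst's first alert become one MetaEvent. Smaller groups
    are returned unchanged as individual alerts."""
    buckets: Dict[Tuple[str, str], List[Alert]] = {}
    meta: List[MetaEvent] = []
    single: List[Alert] = []

    def flush(key: Tuple[str, str], bucket: List[Alert]) -> None:
        if len(bucket) >= threshold:
            meta.append(MetaEvent(key[0], key[1], len(bucket),
                                  bucket[0].ts, bucket[-1].ts,
                                  {a.sid for a in bucket}))
        else:
            single.extend(bucket)

    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.src, a.dst)
        bucket = buckets.get(key)
        # Burst has aged past the window: report it and start a new one.
        if bucket is not None and a.ts - bucket[0].ts > window:
            flush(key, bucket)
            bucket = None
        if bucket is None:
            bucket = buckets[key] = []
        bucket.append(a)
    for key, bucket in buckets.items():
        flush(key, bucket)
    return meta, single


def render(meta: List[MetaEvent], single: List[Alert]) -> List[str]:
    """One line per meta-event (with the caveat that volume alone does not
    prove intent) and one line per alert that was not aggregated."""
    lines = []
    for m in meta:
        lines.append(
            f"META {m.src}->{m.dst}: {m.count} alerts, {len(m.sids)} distinct "
            f"rules over {m.last_ts - m.first_ts:.1f}s "
            f"(possible DoS, broken router or bad cabling: needs context)")
    for a in single:
        lines.append(f"ALERT {a.src}->{a.dst}: sid {a.sid} {a.msg}")
    return lines


# Constructed sample: 250 malformed-packet alerts from one source in 30 s,
# cycling through three made-up rule ids, plus two unrelated single alerts.
_MALFORMED_MSGS = ["ip header length mismatch",
                   "tcp data offset too small",
                   "udp length exceeds ip length"]
SAMPLE_ALERTS = [
    Alert(1000.0 + i * 0.12, 1001 + (i % 3), _MALFORMED_MSGS[i % 3],
          "10.0.0.5", "192.0.2.10")
    for i in range(250)
] + [
    Alert(1010.0, 2001, "cgi probe", "198.51.100.7", "192.0.2.10"),
    Alert(1040.0, 2002, "os fingerprint scan", "203.0.113.9", "192.0.2.11"),
]

if __name__ == "__main__":
    for line in render(*aggregate(SAMPLE_ALERTS)):
        print(line)
```

The window and threshold are deliberately parameters: the right values depend on the sensor's link speed and on how the alerts are consumed downstream, and the meta-event keeps the set of rule ids so an analyst can still see how many distinct ways the packets were malformed without receiving one alert per packet.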
