[Snort-devel] Re: [Snort-users] Has anybody checked this out?

Burak DAYIOGLU dayioglu at ...287...
Mon Feb 26 03:26:42 EST 2001

Martin Roesch wrote:
> > I don't think all kinds of maliformed/corrupted dataframes on the wire deserve
> > to be triggered as attacks, one of the common problems with IDS configuration
> > which I see around, is that guys try to trigger and alert everything (including
> > 'HTTP cookies, SMTP mail from: headers' etc), which at the end creates the
> > situation that you get hundreds of alerts every day which you don't even look
> > through.
> I think that the real issue here is that 100000 alerts for bad packets
> are really one large event (malformed packet) and having the IDS
> identify every different way in which a packet is malformed isn't
> especially useful.  Even if you aggregate those alerts into a single
> meta-event, you've still got inherently useless data unless you are
> reporting a known DoS event, not just a "this might be a Dos".

Identifying every different way in which a (single) packet is
malformed/malicious has some uses. If this is not the case, an attacker
can construct an attack which is going to both trigger a "log" action
and an "alert" action at the same time, however only the one written
first in the rule set will be matched first. So, this "behaviour" can
be used by attackers to hide more serious attacks.

I hope I am not making a mistake with the current rule matching
behaviour. Just want to add my 0.02 euros to the discussion.

with best regards,

More information about the Snort-devel mailing list