[Snort-devel] Re: [Snort-users] Has anybody checked this out?

Martin Roesch roesch at ...48...
Tue Feb 27 00:13:03 EST 2001

Right, but strictly speaking it's not an "intrusion", although it may be
"suspicious" or "interesting".  Personally, if I was running an IDS
looking for security related events, I'd probably be mildly interested
in knowing that malformed packets were appearing, but I'd rather see it
listed in a statistical summary than be alerted on.  DoS attacks using
malformed packets don't really seem to be the norm these days (it's been
a while since the ping-o-death); floods seem to be most of the DoS
attacks that I see and hear about lately.

I'm not quite sure what you mean when you discuss "hiding attacks" from
Snort by flooding with malformed packets.  Snort stops analyzing a
packet as soon as it hits on a rule match; there's no performance
penalty once an alert has been triggered, and there's no hiding traffic
(unless the sensor gets flooded and can't keep up with the traffic).


Burak DAYIOGLU wrote:
> Martin Roesch wrote:
> > > I don't think all kinds of malformed/corrupted dataframes on the wire deserve
> > > to be triggered as attacks, one of the common problems with IDS configuration
> > > which I see around, is that guys try to trigger and alert everything (including
> > > 'HTTP cookies, SMTP mail from: headers' etc), which at the end creates the
> > > situation that you get hundreds of alerts every day which you don't even look
> > > through.
> >
> > I think that the real issue here is that 100000 alerts for bad packets
> > are really one large event (malformed packet) and having the IDS
> > identify every different way in which a packet is malformed isn't
> > especially useful.  Even if you aggregate those alerts into a single
> > meta-event, you've still got inherently useless data unless you are
> > reporting a known DoS event, not just a "this might be a DoS".
> Hello,
> Identifying every different way in which a (single) packet is
> malformed/malicious has some uses. If this is not the case, an attacker
> can construct an attack which is going to both trigger a "log" action
> and an "alert" action at the same time, however only the one written
> first in the rule set will be matched first. So, this "behaviour" can
> be used by attackers to hide more serious attacks.
> I hope I am not making a mistake with the current rule matching
> behaviour. Just want to add my 0.02 euros to the discussion.
> with best regards,
> -bd

Martin Roesch
roesch at ...48...
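
An added illustration of the rule-ordering point discussed in this thread; it is not part of the original message and is not Snort's code. It is a toy first-match evaluator over constructed rules and packets (the `Rule` class, the rule names, the packet fields and the `EXAMPLE-SIGNATURE` marker are all assumptions) that audits a rule list for alert rules masked by an earlier log rule, and shows that evaluating alert rules before log rules removes the masking.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]  # constructed stand-in for a decoded packet


@dataclass
class Rule:
    action: str                       # "alert" or "log"
    name: str                         # hypothetical rule name
    match: Callable[[Packet], bool]   # predicate over the packet


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Evaluate rules in list order and stop at the first one that matches."""
    return next((r for r in rules if r.match(pkt)), None)


def alerts_first(rules: List[Rule]) -> List[Rule]:
    """Stable re-order: every alert rule is evaluated before any log rule."""
    return sorted(rules, key=lambda r: 0 if r.action == "alert" else 1)


def shadowed_alerts(rules, packets) -> List[Tuple[int, str, str]]:
    """Report (packet id, winning log rule, masked alert rule) triples."""
    findings = []
    for pkt in packets:
        winner = first_match(rules, pkt)
        if winner is not None and winner.action == "log":
            findings += [(pkt["id"], winner.name, r.name)
                         for r in rules if r.action == "alert" and r.match(pkt)]
    return findings


# Constructed rule list in "file order": the log rule is written first.
RULES = [
    Rule("log", "malformed-header", lambda p: bool(p["bad_checksum"])),
    Rule("alert", "known-attack-payload", lambda p: b"EXAMPLE-SIGNATURE" in p["payload"]),
]

# Constructed packets: id 1 is both malformed and carries the signature.
PACKETS = [
    {"id": 1, "bad_checksum": True, "payload": b"xx EXAMPLE-SIGNATURE xx"},
    {"id": 2, "bad_checksum": True, "payload": b"noise"},
    {"id": 3, "bad_checksum": False, "payload": b"EXAMPLE-SIGNATURE"},
]

if __name__ == "__main__":
    print("file order   :", shadowed_alerts(RULES, PACKETS))
    print("alerts first :", shadowed_alerts(alerts_first(RULES), PACKETS))
```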