[Snort-devel] Re: [Snort-users] Has anybody checked this out?

Martin Roesch roesch at ...48...
Tue Feb 27 00:13:03 EST 2001


Right, but strictly speaking it's not an "intrusion", although it may be
"suspicious" or "interesting".  Personally, if I was running an IDS
looking for security related events, I'd probably be mildly interested
in knowing that malformed packets were appearing, but I'd rather see it
listed in a statistical summary than be alerted on.  DoS attacks using
malformed packets don't really seem to be the norm these days (it's been
a while since the ping-o-death), floods seem to be most of the DoS
attacks that I see and hear about lately.

I'm not quite sure what you mean when you discuss "hiding attacks" from
Snort by flooding with malformed packets.  Snort stops analyzing a
packet as soon as it hits on a rule match, there's no performance
penalty once an alert has been triggered, and there's no hiding traffic
(unless the sensor gets flooded and can't keep up with the traffic).

   -Marty

Burak DAYIOGLU wrote:
> 
> Martin Roesch wrote:
> > > I don't think all kinds of malformed/corrupted dataframes on the wire deserve
> > > to be triggered as attacks, one of the common problems with IDS configuration
> > > which I see around, is that guys try to trigger and alert everything (including
> > > 'HTTP cookies, SMTP mail from: headers' etc), which at the end creates the
> > > situation that you get hundreds of alerts every day which you don't even look
> > > through.
> >
> > I think that the real issue here is that 100000 alerts for bad packets
> > are really one large event (malformed packet) and having the IDS
> > identify every different way in which a packet is malformed isn't
> > especially useful.  Even if you aggregate those alerts into a single
> > meta-event, you've still got inherently useless data unless you are
> > reporting a known DoS event, not just a "this might be a DoS".
> 
> Hello,
> Identifying every different way in which a (single) packet is
> malformed/malicious has some uses. If this is not the case, an attacker
> can construct an attack which is going to both trigger a "log" action
> and an "alert" action at the same time, however only the one written
> first in the rule set will be matched first. So, this "behaviour" can
> be used by attackers to hide more serious attacks.
> 
> I hope I am not making a mistake with the current rule matching
> behaviour. Just want to add my 0.02 euros to the discussion.
> 
> with best regards,
> -bd
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...48...
http://www.snort.org
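The two positions in this exchange (first-match rule evaluation is enough versus a low-severity rule placed first can shadow a more serious match) can be made concrete with a small model. The following is an added illustration written for this archive page; it is not Snort code and does not reproduce Snort's detection engine. The rule names, the `malformed` flag, the RFC 5737 sample addresses and the `EVIL` payload marker are all constructed for the demonstration.

```python
"""Toy model of first-match versus full rule evaluation (constructed example,
not Snort code).

Models the concern raised in the thread: if the engine stops at the first
matching rule and a low-severity "log" rule sits ahead of a "alert" rule,
a packet that would match both is recorded only as the low-severity event.
Two defensive arrangements keep the serious match visible: evaluating every
rule, or ordering rules so higher-severity actions are tried first.  Log-level
matches are folded into a count (the "statistical summary" Marty prefers)
rather than emitted one alert at a time.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes
    malformed: bool = False  # stands in for a bad header/length check (constructed)


@dataclass
class Rule:
    name: str
    action: str                       # "log" (low severity) or "alert" (serious)
    match: Callable[[Packet], bool]


# Constructed ruleset, deliberately ordered with the low-severity rule first.
RULES: List[Rule] = [
    Rule("malformed-packet", "log", lambda p: p.malformed),
    Rule("suspicious-payload", "alert", lambda p: b"EVIL" in p.payload),
]

# Constructed traffic: three malformed-but-harmless packets plus one malformed
# packet that also carries the payload the alert rule looks for.
SAMPLE_PACKETS: List[Packet] = [
    Packet("192.0.2.10", "198.51.100.1", 80, b"GET / HTTP/1.0", malformed=True),
    Packet("192.0.2.11", "198.51.100.1", 80, b"", malformed=True),
    Packet("192.0.2.12", "198.51.100.1", 25, b"HELO x", malformed=True),
    Packet("192.0.2.99", "198.51.100.1", 80, b"GET /EVIL HTTP/1.0", malformed=True),
]


def first_match(pkt: Packet, rules: List[Rule]) -> List[Rule]:
    """Stop at the first rule that fires (the behaviour discussed in the thread)."""
    for r in rules:
        if r.match(pkt):
            return [r]
    return []


def all_matches(pkt: Packet, rules: List[Rule]) -> List[Rule]:
    """Evaluate every rule so no match is shadowed by an earlier one."""
    return [r for r in rules if r.match(pkt)]


def by_severity(rules: List[Rule]) -> List[Rule]:
    """Reorder so "alert" rules are tried before "log" rules."""
    order = {"alert": 0, "log": 1}
    return sorted(rules, key=lambda r: order[r.action])


def process(packets: List[Packet], rules: List[Rule],
            evaluate: Callable[[Packet, List[Rule]], List[Rule]]
            ) -> Tuple[List[Tuple[str, str]], Counter]:
    """Return (alerts, summary): serious matches individually, log-level
    matches only as a per-rule count."""
    alerts: List[Tuple[str, str]] = []
    summary: Counter = Counter()
    for pkt in packets:
        for r in evaluate(pkt, rules):
            if r.action == "alert":
                alerts.append((pkt.src, r.name))
            else:
                summary[r.name] += 1
    return alerts, summary


def compare() -> Dict[str, Tuple[List[Tuple[str, str]], Counter]]:
    return {
        "first_match": process(SAMPLE_PACKETS, RULES, first_match),
        "all_matches": process(SAMPLE_PACKETS, RULES, all_matches),
        "first_match_by_severity": process(SAMPLE_PACKETS, by_severity(RULES), first_match),
    }


if __name__ == "__main__":
    for mode, (alerts, summary) in compare().items():
        print(f"{mode:24s} alerts={alerts} summary={dict(summary)}")
```

With the rules in the order shown, `first_match` records four malformed packets and no alert: the packet from 192.0.2.99 is swallowed by the "log" rule. Evaluating all rules reports the alert and still counts all four malformed packets; ordering by severity reports the alert and counts the remaining three. Either arrangement removes the dependence on ruleset order that Burak describes, while the counter keeps the malformed-packet noise out of the alert stream.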
