[Snort-devel] a doozie of a metaphysical question

Martin Roesch roesch at ...402...
Wed Jun 13 00:17:31 EDT 2001


tlewis at ...255... wrote:
> 
> I do not believe that there exists an answer to this question.  I believe
> that the best that we can do is to leave to the NIDS administrator a means
> of mapping certain traffic characteristics (port, address, interface)
> to protocol decomposition targets.  I would love for someone to explain
> to me why I am wrong.

You're exactly right, but hand-edited tables of application->port
mappings aren't going to work; you need to automate the process.  This
would be a great job for frisker (my next GPL app) if I ever get around
to finishing/releasing it.  There's also a version of nmap floating
around out there that has an application discovery mechanism built in;
perhaps you could make it so that the output could talk to the IDS's
conf file somehow...

     -Marty


--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
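The automation Marty sketches, as an added example that is not part of this thread nor code from Snort, frisker or nmap: read nmap's service-detection XML and collapse it into per-decoder port lists the IDS could consume. The XML sample is constructed, and the service-to-decoder names and the `preprocessor NAME: PORTS` line format are assumptions, not Snort's real configuration syntax.

```python
"""Derive an IDS port->decoder map from nmap service-detection output.

Added example: the XML below is a constructed sample in the shape of
`nmap -sV -oX`, and the decoder names / config syntax are hypothetical."""
import xml.etree.ElementTree as ET

# Constructed sample covering an open plaintext port, an SSL-tunnelled one,
# a closed port, and a service on a non-standard port.
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port>
 </ports></host>
 <host><address addr="10.0.0.6" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="2121"><state state="open"/><service name="ftp"/></port>
 </ports></host>
</nmaprun>"""

# Hypothetical service -> decoder names (assumption, not Snort's preprocessor names).
DECODER_FOR = {"http": "http_decode", "ftp": "ftp_decode", "telnet": "telnet_decode"}

def discover(xml_text):
    """Return {(addr, proto, port): service} for open ports only.
    Tunnelled services are prefixed like nmap's text output ('ssl/http')."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for p in host.iter("port"):
            if p.find("state").get("state") != "open":
                continue  # closed/filtered ports carry no application to decode
            svc = p.find("service")
            if svc is None or not svc.get("name"):
                continue  # nmap could not identify the application
            name = svc.get("name")
            if svc.get("tunnel"):
                name = f"{svc.get('tunnel')}/{name}"
            found[(addr, p.get("protocol"), int(p.get("portid")))] = name
    return found

def decoder_ports(found):
    """Collapse discovery into decoder -> sorted ports; services with no
    decoder (or hidden inside SSL, which a plaintext decoder cannot parse) are skipped."""
    out = {}
    for (_, _, port), svc in found.items():
        if svc in DECODER_FOR:
            out.setdefault(DECODER_FOR[svc], set()).add(port)
    return {d: sorted(ports) for d, ports in out.items()}

def render_config(found):
    """Emit one 'preprocessor NAME: PORTS' line per decoder (hypothetical syntax)."""
    return "\n".join(f"preprocessor {d}: {' '.join(map(str, ports))}"
                     for d, ports in sorted(decoder_ports(found).items()))
```

Rerunning discovery on a schedule and diffing `render_config` output against the live configuration is what turns the hand-edited table into a maintained one.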
