[Snort-devel] a doozie of a metaphysical question
cmg at ...81...
Wed Jun 13 17:09:42 EDT 2001
<tlewis at ...255...> writes:
> On Wed, 13 Jun 2001, Erik Fichtner wrote:
>> On Wed, Jun 13, 2001 at 10:12:36AM -0400, tlewis at ...255... wrote:
>> > In fact, now that I think about it, you can't rely on DNS opcode or rcode
>> > ranges to identify DNS packets, since having illegal values for these is
>> > a very good attack.
>> Pshaw. It's very hard to tell what something IS, but it's not very
>> hard at all to tell what something ISN'T.
>> "This ISN'T a sensible DNS packet... Perhaps it should be looked at further..."
> And what about the non-sensical DNS packets that are actually destined for
> DNS servers, where they will trigger very-sensible buffer overflows? We're
> not writing tcpdump here; we're writing an IDS.
Unfortunately, network troubleshooting and security overlap in too
many places. After talking to a person puzzled about a very odd
"fragmentation attack" and lots of looking, I asked them to get
someone to look at the router interface stats the sensor was
monitoring and sure enough, error city.
Category 0 - Normal - don't bother with it

Category 1 - I don't understand it
This sure isn't DNS but it's suspicious. Either the decoder is wrong
or the packet is wrong. Look at it some more - might be capturing an
unknown attack or making bad assumptions about the traffic in the

Category 2 - Known attack
This is FOO attack style signature - 95% likely a real attack
Tons of protocol decoders that can emulate specific implementation
behaviors seem to be a sensible approach if CPU usage is no object.
One behavior that would be nice to know is "is this a real FTP
transfer connection or a rogue connection to a port?" Same general
category of the analysis quagmire without keeping tons of state.
Chris Green <cmg at ...81...>
This is my signature. There are many like it but this one is mine.
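The "this ISN'T a sensible DNS packet" test and the Category 0/1 split from the message above, as an added example that is not part of the original thread or of Snort's decoder: it checks the header against the IANA-assigned opcode and rcode ranges and walks the question section for names that cannot be valid. Category 2 (known-attack signatures) is deliberately not modelled here; `classify_dns` and `dns_query` are names chosen for this example.

```python
import struct

# Header values assigned by IANA (RFC 1035, 1996, 2136); anything outside
# them is "not a sensible DNS packet" in the thread's sense, whatever it is.
ASSIGNED_OPCODES = {0, 1, 2, 4, 5}   # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
ASSIGNED_RCODES = set(range(11))     # NOERROR .. NOTZONE fit in the 4-bit field

def classify_dns(payload: bytes) -> tuple[int, str]:
    """0 = sensible DNS, don't bother; 1 = can't be sensible DNS, look further."""
    if len(payload) < 12:
        return 1, "shorter than the 12-byte DNS header"
    _txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", payload[:12])
    qr, opcode, rcode = flags >> 15, (flags >> 11) & 0xF, flags & 0xF
    if opcode not in ASSIGNED_OPCODES:
        return 1, f"unassigned opcode {opcode}"
    if rcode not in ASSIGNED_RCODES:
        return 1, f"unassigned rcode {rcode}"
    if qr == 0 and rcode != 0:
        return 1, f"query carries rcode {rcode}"
    # Question names: labels of 1..63 bytes, at most 255 bytes in total,
    # terminated by a zero byte or a 2-byte compression pointer.
    pos = 12
    for _ in range(qdcount):
        name_len = 0
        while True:
            if pos >= len(payload):
                return 1, "question name runs past end of packet"
            label_len = payload[pos]
            pos += 1
            if label_len == 0:
                break
            if label_len & 0xC0 == 0xC0:      # compression pointer ends the name
                pos += 1
                break
            if label_len & 0xC0:              # 01/10 label types are reserved
                return 1, f"reserved label type byte 0x{label_len:02x}"
            name_len += label_len + 1
            if name_len > 255:
                return 1, "question name exceeds 255 bytes"
            pos += label_len
        pos += 4                              # QTYPE and QCLASS
        if pos > len(payload):
            return 1, "question truncated before QTYPE/QCLASS"
    return 0, "looks like DNS"

def dns_query(flags: int, labels: list[bytes]) -> bytes:
    # Constructed one-question A/IN query with the given header flags.
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```

A Category 1 verdict only says the decoder could not make sense of the packet; as the thread notes, that is where to start looking, not a signature match.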