[Snort-devel] http_gunzip preprocessor

Eric Lauzon eric.lauzon at ...1967...
Thu Jan 5 12:19:04 EST 2006


> -----Original Message-----
> From: Michael Loftis [mailto:mloftis at ...2776...] 
> Sent: 5 janvier 2006 14:45
> To: Eric Lauzon
> Cc: snort-devel at lists.sourceforge.net
> Subject: RE: [Snort-devel] http_gunzip preprocessor
> 
> Then snort may as well stop development right here, so with 
> every project.  There are always those that don't read, and 
> complain.  That's what the users list is for ;)

That's not what I mean. I wanted to expose that people tend to think
snort will help them when it can put them in a state where they
actually think they know but they don't.

And by this I mean you have to be careful about how you're set up,
else you will obviously get a nice mess.
(assuming it's monitoring more than one networked computer)


> 
> Not useless.  It at the least can detect the (possible) 
> presence of (remote 
> or local) HTTP requests with known malicious content.  Hell 


Evaluate, that will probably be the only thing it would be able to do.

How many false positives are you ready to look after to get some real
alerts?

How can you define malicious when you have no "learning" {AI}?
How can you emulate the behavior of different web clients toward a
malicious piece of HTML?


> I'd love to be able to do that on our network.  If I could see when a
> payload retrieval attempt is started, I could tell the infected machine
> on my end, and where the infection came from.  Fact is a lot of the time
> it's compressed.  At my day employer we compress all outgoing data in
> order to save bandwidth because geographically where we are bandwidth is
> far more expensive than CPU, so our main hosting cluster compresses
> everything.  Being able to increase detection rate (buzzword alert) by
> doing more defense-in-depth techniques is good.  Maybe the request is
> uncompressed and I catch that, maybe the response, and I catch that,
> maybe one of them, or both, is compressed, then, right now, neither is
> caught.

By payload retrieval I assume you mean triggering an alert when the
matching signature is found.
[might be wrong on this but that's how I get it]

Well, if your peer data is compressed, what stops you from using a
SPAN-port-like technique to snoop at the uncompressed data?

But that's another debate on how to deploy your monitoring
infrastructure rather than
compressed data inspection sent inside an application layer protocol, in
this case HTTP.

-elz
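The thread above argues about whether inspecting gzip-compressed HTTP bodies is worth the false positives. As an added illustration, not code from Snort, from the http_gunzip preprocessor, or from either poster, the following Python sketch shows the step such a preprocessor must perform before any content rule can match: split the HTTP response, read `Content-Encoding`, inflate the body with a size cap, and only then run the signature. The `SIGNATURE` marker, the `build_response` helper, the `MAX_DECOMPRESSED` cap and all sample bodies are constructed for this demo (they are not Snort rules or real traffic); the example also shows the failure modes the list discussion glosses over: a non-gzip body advertised as gzip, a truncated stream, and a body that inflates past the cap.

```python
import zlib
import gzip

# Constructed marker standing in for a content rule (hypothetical, not a Snort rule).
SIGNATURE = b"EVIL-MARKER"
# Cap on inflated size so a small compressed body cannot exhaust memory
# (decompression bomb); chosen for the demo, not taken from any preprocessor.
MAX_DECOMPRESSED = 1 << 20


def build_response(body: bytes, compress: bool) -> bytes:
    """Construct a minimal HTTP/1.1 response for the demo (test data only)."""
    encoding = b""
    if compress:
        body = gzip.compress(body)
        encoding = b"Content-Encoding: gzip\r\n"
    head = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + encoding
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return head + body


def split_response(raw: bytes):
    """Separate the header block from the body; headers keyed by lowercase name."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP header block")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body):
    """Return (decoded_body, status).

    status is one of: plain, gunzipped, undecodable, truncated, oversize.
    """
    if headers.get(b"content-encoding") != b"gzip":
        return body, "plain"
    # wbits = 16 + MAX_WBITS tells zlib to expect a gzip wrapper (not raw deflate).
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
    try:
        # max_length bounds the output so we can detect, not just suffer, a bomb.
        out = inflater.decompress(body, MAX_DECOMPRESSED + 1)
    except zlib.error:
        return b"", "undecodable"
    if len(out) > MAX_DECOMPRESSED:
        return b"", "oversize"
    if not inflater.eof:
        # Stream ended before the gzip trailer: partial data, do not trust it fully.
        return out, "truncated"
    return out, "gunzipped"


def inspect(raw: bytes) -> dict:
    """Match the signature against the wire bytes and against the inflated body."""
    headers, body = split_response(raw)
    decoded, status = decode_body(headers, body)
    return {
        "raw_hit": SIGNATURE in body,
        "decoded_hit": SIGNATURE in decoded,
        "status": status,
    }


if __name__ == "__main__":
    page = b"<html>" + b"A" * 200 + SIGNATURE + b"</html>"
    for compress in (False, True):
        print("compressed" if compress else "plain", inspect(build_response(page, compress)))
```

The point the two results make is the one Michael raises: the same page triggers on the wire when sent plain and is invisible to a byte-for-byte match once gzip-encoded, until the body is inflated. The three non-success statuses are what a real preprocessor has to report separately, because "could not inflate" is a different (and itself interesting) event from "inflated and clean".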
