[Snort-sigs] INETD backdoor signature (sh -i)

Bill McCarty bmccarty at ...483...
Sun Jun 30 14:25:03 EDT 2002

Hi Matt,

I see your point concerning the overhead exacted by a rule such as the 
INETD backdoor rule. But, I don't see how Snort's flow facility would 
mitigate the overhead that much. Granted, the flow facility could eliminate 
traffic flowing to a server as part of an established connection. So, only 
traffic flowing from the server would be inspected. But, I think that many 
networks sustain more traffic flowing from external servers than to them. 
In that case, the savings wouldn't be all that great.

Probably, I'm ignorant of some important aspect of the flow facility, or 
have misconstrued your point. But, I'd be grateful for clarification.


--On Friday, June 28, 2002 3:06 PM -0400 Matt Kettler 
<mkettler at ...189...> wrote:

> Doing an arbitrary depth match on any tcp packet with ack bit set sent to
> your HOME_NET might be reasonable on some small networks, but for those
> monitoring reasonable bandwidth networks this is going to be a very
> expensive rule to run.
> Once flows are in, this might be a much more reasonable rule, as you can
> set up the flow so it doesn't monitor every file you download from any
> external website, ftp server, mailserver, etc.

Bill McCarty
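The two rule shapes the thread is comparing, written out as an added illustration. This is not the rule that was posted to snort-sigs and it is not either poster's text; the msg strings and sid values are placeholders, and the rule body (a five-byte content match for "sh -i" on traffic entering HOME_NET) is reconstructed from the subject line and Matt's description. The choice of `flow:to_server` is an assumption made to match Matt's description of what should be skipped (files downloaded from external servers); the actual rule under discussion may have used a different direction.

```snort
# Added illustration of the overhead discussion above. Not the rule that was
# posted to snort-sigs; msg text and sid values are placeholders.

# 1. Unrestricted form, as Matt describes it: flags:A+ matches every TCP
#    packet with the ACK bit set, so every data-bearing segment entering
#    HOME_NET (web pages, FTP downloads, mail bodies) gets a full-depth
#    search for the five-byte string.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR inetd sh -i (every ACK packet, placeholder)"; flags:A+; content:"sh -i"; sid:1000001; rev:1;)

# 2. Flow-restricted form (Snort 1.9 and later). The flow keyword takes its
#    state from the stream4 preprocessor, so snort.conf needs at least:
#        preprocessor stream4
#        preprocessor stream4_reassemble
#    With flow:to_server,established the content search runs only on
#    packets from the client side of a completed handshake; the bulk data
#    that external servers push back to HOME_NET clients is never searched.
#    (to_server is an assumption here, chosen to match Matt's description.)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR inetd sh -i (client-to-server only, placeholder)"; flow:to_server,established; content:"sh -i"; sid:1000002; rev:1;)
```

Rule 2 still searches every client-side segment of inbound connections to servers inside HOME_NET, so how much the restriction saves depends on which direction carries most of the bytes on a given network, which is the question Bill raises above.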
