[Snort-sigs] Signatures

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Thu Mar 21 15:20:02 EST 2002


On Thursday, March 21, 2002 4:18 PM
Robert Wagner [mailto:rwagner at ...447...] wrote:

I believe this is left up to third party products like Guardian.  I have
used Guardian to monitor the syslog files and pick up on the priority level
of an attack and react accordingly (pass the priority, attacker IP address,
interface, and protocol to guardian_block.sh)  The shell program can be
setup to run whatever commands you wish based on any combination of the
above.

[James Nelson]  Be careful with that, or a false positive could stop real
traffic or spoofing could be used to mount up a DOS of sorts.

While this doesn't provide a single comprehensive solution (single source),
it allows each group of developers to be experts in their area.  In the
long-term better products and choices between them.  

[James Nelson]  Agreed.

The other great thing is that you can build rules to fit your needs.  This
project only works if people contribute their research back to the project.
If you find some responses, please send them through.

[James Nelson]  I have build my own rules.  I am finding that the items need
to be discussed with the group because every time a new signatures file
comes out I find myself hacking my modifications back into my engines again.
I have not contributed my stuff because I do not have fundamental agreement
with the group on how to do things at this point.


Lastly, an IDS like snort is only effective if suspicious activity is caught
very early in the attack (preferably during an initial recon - portscan) and
action is taken (see portsentry from psionic).  It would be kind of useless
to catch the "OK - All files have been deleted" response from a trojan.
Much better to catch the initial "wake up trojan, we are going to cause some
havoc today" command.  

[James Nelson] Agreed.  IMHO:  The case of trojans Robert is describing,
both the alert of the request and the alert of the success are useful.  The
only difference is the priority an administrator should assign to working
the alerts.


Let me know if this helps.  I am not a developer, this is just my impression
of their focus.  If you are interested in Guardian, I have modified it to
look at the priority level and pass that through to a shell script.  I can
pass the changes along.

[James Nelson] Thanks.

James Nelson




More information about the Snort-sigs mailing list