[Snort-users] reputation

Martin Roesch roesch at ...421...
Mon Nov 20 22:48:44 EST 2000


Well, I don't depend on Snort as my only detection technology (gasp!), why
would anyone else?  Sure, telling the hackers what you're running can give
them some valuable intel, but only if they're attacking something that's using
the standard config, rules, etc, and only if they happen to hit the segment
that the sensor is on, etc.  There are so many variables involved that the
knowledge that an organization is using a specific security technology is not
much of an edge anymore.

Anyway, if I was an attacker I'd always assume that the target was running
Snort and ipfilter/ipchains at least! :)  (I'd also be suspicious that any
vulnerable machine I saw could be a honeypot, but maybe I'm just paranoid
after working on all of those technologies over the last five years).

    -Marty

Brian wrote:
> 
> According to Dr SuSE:
> > I think it would be cool if we created a list of companies and
> > institutions that use Snort, it might help some of us in the future as far
> > as obtaining approval for Snort related projects.
> > I'll start the list with:
> > drsuse.org
> 
> That's not such a hot idea.  Security in depth.  Don't advertise what
> software you are using.  It's great that everyone uses snort.  GIAC gets
> more snort logs than anything else.
> 
> Why on earth would you publicly announce what you are using to
> protect your network?  There are some things that the snort engine
> does not have plug-ins for.  With the knowledge of what IDS software
> people use, the attacker knows what he needs to do in order to not
> get caught.
> 
> --
> Brian Caswell
> The MITRE Corporation

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org


