[Snort-users] announcement & questions: user space firewall

Dan Hollis goemon at ...20...
Thu Nov 30 01:42:03 EST 2000


On Thu, 30 Nov 2000, Martin Roesch wrote:
> This is correlation and we're planning on implementing something to do this
> down the road.  Version 1.7 won't have it, but the version after that is what
> I'm aiming for to include correlation rules.  It'll look something like this
> (this is very primitive, I did up another version a while back and it had more
> useful stuff in it, but it's late and I'm sick so you get the nickel tour ;)

Perhaps it would also be good to keep a limited context buffer, a sliding
window of several history packets per session (with a configurable
resource limit, of course, so that DoS attacks on the IDS are not possible).
Then rules could do a simple match, and then a more complex match if
required. For ftp/pop3/etc rules, this would presumably allow one to dump
the username along with the attempted password when a login fails.

> # imap buffer overflow followed by xterm back to attacker
> correlate msg: "event foo!"
> {
>     event 1 tcp !$HOME_NET any -> $HOME_NET 143 (content: "AUTHENTICATE"; dsize: >512;)
>     event 2 tcp $HOME_NET 143 -> !$HOME_NET any (content: "root";)
>     event 3 tcp $HOME_NET 6000 -> !$HOME_NET any (content: "| de ad be ef|";)
> }

This is exactly what I was thinking ;)

-Dan
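The two ideas in the message above (a bounded per-session context window that cheaper rules can fall back on, and an ordered correlate rule like the quoted "event foo!" one) are sketched here in Python as an added example. This is not Snort code and not something either poster wrote. It assumes $HOME_NET is the prefix 10.0.0., that a "session" for correlation purposes is the unordered attacker/victim host pair (the three quoted events span ports 143 and 6000, so a 5-tuple key would split them), that POP3 runs on port 110, and the traffic it processes is constructed inline, not captured.

```python
"""Per-session sliding-window context plus ordered-event correlation.
Added illustration; not Snort's implementation."""
from collections import OrderedDict, deque
from typing import Callable, List, NamedTuple, Optional, Tuple

HOME_NET = "10.0.0."   # assumed $HOME_NET, written as an address prefix


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def home(ip: str) -> bool:
    return ip.startswith(HOME_NET)


class Event(NamedTuple):
    """One step of a correlate rule: a cheap header test, then a payload test."""
    header: Callable[[Packet], bool]
    content: Callable[[Packet], bool]


# The quoted "event foo!" rule, one Event per numbered line.
CORRELATE_FOO: List[Event] = [
    # event 1 tcp !$HOME_NET any -> $HOME_NET 143 (content: "AUTHENTICATE"; dsize: >512;)
    Event(lambda p: not home(p.src) and home(p.dst) and p.dport == 143,
          lambda p: b"AUTHENTICATE" in p.payload and len(p.payload) > 512),
    # event 2 tcp $HOME_NET 143 -> !$HOME_NET any (content: "root";)
    Event(lambda p: home(p.src) and p.sport == 143 and not home(p.dst),
          lambda p: b"root" in p.payload),
    # event 3 tcp $HOME_NET 6000 -> !$HOME_NET any (content: "|de ad be ef|";)
    Event(lambda p: home(p.src) and p.sport == 6000 and not home(p.dst),
          lambda p: b"\xde\xad\xbe\xef" in p.payload),
]


def pop3_creds_from_history(hist) -> Optional[Tuple[str, str]]:
    """Walk the context window backwards for the USER/PASS that preceded a -ERR."""
    user = passwd = None
    for q in reversed(hist):
        if q.dport != 110:            # only client -> server lines matter
            continue
        if passwd is None and q.payload.startswith(b"PASS "):
            passwd = q.payload[5:].strip().decode(errors="replace")
        elif user is None and q.payload.startswith(b"USER "):
            user = q.payload[5:].strip().decode(errors="replace")
        if user is not None and passwd is not None:
            return user, passwd
    return None


class Correlator:
    def __init__(self, window: int = 8, max_sessions: int = 1000):
        self.window = window              # packets of history kept per session
        self.max_sessions = max_sessions  # hard cap on tracked sessions (anti-DoS)
        self.sessions = OrderedDict()     # host pair -> [history deque, next event index]
        self.alerts = []

    def _session(self, p: Packet):
        key = frozenset((p.src, p.dst))   # assumption: correlate per host pair
        if key in self.sessions:
            self.sessions.move_to_end(key)
        else:
            if len(self.sessions) >= self.max_sessions:
                self.sessions.popitem(last=False)   # evict least recently seen pair
            self.sessions[key] = [deque(maxlen=self.window), 0]
        return key, self.sessions[key]

    def feed(self, p: Packet) -> None:
        key, state = self._session(p)
        hist, idx = state
        hist.append(p)                    # deque(maxlen=...) drops the oldest packet
        step = CORRELATE_FOO[idx]
        if step.header(p) and step.content(p):   # payload test only after header test
            idx += 1
            if idx == len(CORRELATE_FOO):
                self.alerts.append(("event foo!", key))
                idx = 0
        state[1] = idx
        # Rule that needs history: on a POP3 failure, report the credentials tried.
        if home(p.src) and p.sport == 110 and p.payload.startswith(b"-ERR"):
            creds = pop3_creds_from_history(hist)
            if creds:
                self.alerts.append(("pop3 login failed", key) + creds)


def demo() -> list:
    """Constructed traffic for one attacker/victim pair (not captured data)."""
    atk, vic = "192.0.2.7", "10.0.0.5"
    traffic = [
        Packet(atk, 40000, vic, 143, b"a1 AUTHENTICATE " + b"A" * 600),
        Packet(vic, 143, atk, 40000, b"uid=0(root) gid=0(root)\r\n"),
        Packet(vic, 6000, atk, 6001, b"\x6c\x00\x0b\x00\xde\xad\xbe\xef"),
        Packet(atk, 40100, vic, 110, b"USER alice\r\n"),
        Packet(atk, 40100, vic, 110, b"PASS hunter2\r\n"),
        Packet(vic, 110, atk, 40100, b"-ERR invalid password\r\n"),
    ]
    c = Correlator(window=8, max_sessions=2)
    for p in traffic:
        c.feed(p)
    return c.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The window bound and the session cap are the two resource limits the message asks for: memory is at most max_sessions times window packets, however many hosts an attacker sprays at the sensor. A real implementation would also want an idle timeout per session and would have to decide what happens when the attacker deliberately triggers event 1 many times to reset or clog the state machine; this sketch simply keeps the next-expected index per host pair.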
