[Snort-users] Auto rules update

Martin Roesch roesch at ...421...
Wed Jan 24 01:05:19 EST 2001


Max Vision wrote:
> 
[mucho snippage]
>
> Another challenge is that there isn't any parsing of the protocol at all -
> it would be great if we could inspect some of these more popular protocols
> (smtp, http, pop, imap, etc) and write rules based on certain states or
> commands (certain other commercial IDS tout this as a big win and they are
> right).

To quote an old AT&T commercial, you will. :)

The "other" IDS vendors out there tout their superior application
protocol analysis methodologies, but they fail to mention how well they
take every variation of an application protocol into account.  For
example, does everyone talk HTTP exactly the same (clients and servers)
and what is legal on some but illegal on others?  This is the same set
of problems you run into doing stream reassembly and IP defrag extended
out to the application layer.  The extent may be more or less severe
depending on the homogeneity of a particular network and the conformance
of a specific NIDS to that network's implementation of different
application protocols, but I'm willing to bet that it's less than 100%
accurate (not that you said it was, but some people out there will claim
that if you're not doing full 7 layer inspection it's impossible to do
"proper" ID).

Anyway, we're going to work on giving people the capability to add in
decoder plugins at all layers of IP, including application layer
decoders, in Snort 2.0.

   -Marty

--
Martin Roesch
roesch at ...421...
http://www.snort.org




More information about the Snort-users mailing list