[Snort-users] Auto rules update

Dragos Ruiu dr at ...381...
Wed Jan 24 05:34:05 EST 2001


On Tue, 23 Jan 2001, Martin Roesch wrote:
> The "other" IDS vendors out there tout their superior application
> protocol analysis methodologies, but they fail to mention how well they
> take every variation of an application protocol into account.  For
> example, does everyone talk HTTP exactly the same (clients and servers)
> and what is legal on some but illegal on others?  This is the same set
> of problems you run into doing stream reassembly and IP defrag extended
> out to the application layer.  The extent may be more or less severe
> depending on the homogeneity of a particular network and the conformance
> of a specific NIDS to that network's implementation of different
> application protocols, but I'm willing to bet that it's less than 100%
> accurate (not that you said it was, but some people out there will claim
> that if you're not doing full 7 layer inspection it's impossible to do
> "proper" ID).

And even if you do, do "full" 7 layer bsing... :-)

Unless you are using a fixed/single protocol, doing a multi-protocol decode
still involves a lot of guesswork because of non-unified code spaces and
overlaps between protocols.  For a good example of this, look at all the
contortions the Ethereal decoders have to go through to make "heuristic"
guesses at protocol types. (And making this run fast, a-la real time
is tough when you have to guess at a decode and then unwind back 
when you find out your guess was wrong - as anyone who has 
benchmarked ethereal captures has discovered.)  My suspicion/research
indicates that none of the IDSes today implement "full" protocol
decoding, just a bunch of heuristics that minimally approximate 
some parts of client protocol decoding. A "full" decode would 
have piss poor performance, and this approximation strategy 
is the only one that can possibly give the performance to do IDS.
And in reality does anyone care if an obscure reserved bit of some 
octet in an encapsulated ITU Q.935 QoS Information Element is 
fully decoded in an IDS if it will never make a difference in a 
real world attack? No, and parsing and decoding it would be 
a waste of CPU time from an IDS perspective. 

I still maintain that "full 7 layer, multi-protocol analysis" is a myth and 
just a fancy name for multiple layers/states and heuristics of the same old
pattern matching logic that good old one layer/state snort uses.  Add some state
variables (layers) and conditional patterns based on states triggered by the
patterns and you wind up in the same place no matter what fancy marketing tag
and name you attach to it. The magic is still in the decodes/signatures and
patterns/state-transition-logic specifics rather than multi-layer decoding
capability in general, as implied by some.... Choosing the right heuristics
and conditional rules is the key - not having the ability to have conditional
rules, because that's a no-brainer.

ok. Enough ranting. It's late,
--dr

P.S.  I'm working on an even better, new _8_ layer decode for Snort, which goes
even further and decodes Layer 8: Politics, and by asking a few subjective
questions derived from the MMPI psych test, tries to evaluate the
operator's mood and can alarm on discontent or anger. :-) 
-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
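The two points argued above, that a multi-protocol decode is a sequence of guesses that have to be unwound when a guess proves wrong, and that "multi-layer analysis" reduces to pattern matching plus state variables with conditional rules, can be shown in a few dozen lines. The block below is an added example written for this page; it is not code from the post, from Snort or from Ethereal. The three toy decoders, the rules, the flow ids and every sample payload are constructed for the example, and the `attempts` counter is there only to make the cost of wrong guesses visible.

```python
"""Added example, not from the original post: a toy heuristic multi-protocol
decoder that guesses a protocol, unwinds when the guess fails and tries the
next candidate, plus a stateful signature layer. Sample payloads, rule names
and flow ids are constructed for this example."""
import re
import struct
from dataclasses import dataclass
from typing import Optional

class DecodeError(Exception):
    """A decoder's guess about the protocol turned out to be wrong."""

@dataclass
class DecodeResult:
    protocol: str
    fields: dict
    attempts: int  # decoders tried, failed guesses included

def decode_http(payload: bytes) -> dict:
    # Guess: HTTP request; only the request line is validated.
    m = re.match(r"^([A-Z]{3,7}) (\S+) HTTP/\d\.\d\r\n", payload.decode("ascii", "replace"))
    if not m:
        raise DecodeError("no HTTP request line")
    return {"method": m.group(1), "uri": m.group(2)}

def decode_smtp(payload: bytes) -> dict:
    # Guess: SMTP client command.
    m = re.match(r"^(HELO|EHLO|MAIL FROM:|RCPT TO:|DATA|QUIT)\s*(.*?)\r\n",
                 payload.decode("ascii", "replace"), re.IGNORECASE)
    if not m:
        raise DecodeError("no SMTP command")
    return {"command": m.group(1).upper(), "argument": m.group(2)}

def decode_dns(payload: bytes) -> dict:
    # Guess: DNS query; check reserved header bits, then walk the question name.
    if len(payload) < 12:
        raise DecodeError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if (flags >> 4) & 0x7 or not 1 <= qdcount <= 8:
        raise DecodeError("reserved bits set or implausible question count")
    labels, i = [], 12
    while i < len(payload) and payload[i] != 0:
        n, i = payload[i], i + 1
        if n > 63 or i + n > len(payload):
            raise DecodeError("bad label length")
        labels.append(payload[i:i + n].decode("ascii", "replace"))
        i += n
    if i >= len(payload):
        raise DecodeError("truncated question name")
    return {"txid": txid, "qname": ".".join(labels), "qdcount": qdcount}

DECODERS = [("http", decode_http), ("smtp", decode_smtp), ("dns", decode_dns)]

def heuristic_decode(payload: bytes) -> DecodeResult:
    """Try each candidate in order; a DecodeError means the guess was wrong,
    so the partial decode is discarded and the next candidate is tried."""
    attempts = 0
    for name, decoder in DECODERS:
        attempts += 1
        try:
            return DecodeResult(name, decoder(payload), attempts)
        except DecodeError:
            continue  # unwind and guess again
    return DecodeResult("unknown", {}, attempts)

@dataclass
class Rule:
    name: str
    protocol: str
    field: str
    pattern: str
    requires_state: Optional[str] = None  # match only if the flow holds this state
    sets_state: Optional[str] = None      # state the flow gains on a match
    alert: bool = True

class StatefulMatcher:
    """Plain pattern matching plus per-flow state, so a rule can be made
    conditional on an earlier rule having matched in the same flow."""
    def __init__(self, rules: list) -> None:
        self.rules = rules
        self.flow_state: dict = {}

    def process(self, flow_id: str, result: DecodeResult) -> list:
        states = self.flow_state.setdefault(flow_id, set())
        alerts = []
        for rule in self.rules:
            if rule.protocol != result.protocol or (
                    rule.requires_state and rule.requires_state not in states):
                continue
            if re.search(rule.pattern, str(result.fields.get(rule.field, ""))):
                if rule.sets_state:
                    states.add(rule.sets_state)
                if rule.alert:
                    alerts.append(rule.name)
        return alerts

# Constructed rules: a request under /admin only sets flow state; a POST on the
# same flow is alerted on once that state exists.
RULES = [
    Rule("admin-area-request", "http", "uri", r"^/admin", sets_state="admin_seen", alert=False),
    Rule("post-after-admin", "http", "method", r"^POST$", requires_state="admin_seen"),
]
```

An HTTP request is identified on the first guess, an SMTP command only after the HTTP guess has been tried and thrown away, and a DNS query after two failed guesses; unrecognised bytes cost every decoder a pass and still end up as "unknown". The second rule fires only on a flow where the first has already matched, which is the whole of the "state variables plus conditional patterns" mechanism the post describes: the discriminating power lies in which decoders and which state-conditioned rules are chosen, not in the conditional machinery itself.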
