[Snort-users] Can snort be smarter?

Jason Haar Jason.Haar at ...294...
Mon Jul 1 14:46:14 EDT 2002


There's a thread over in Security-Focus-IDS ("Crying wolf:") where people
are bemoaning the amount of false-positives that IDSes generate. 

One thing missing from Snort would be the ability for it to recognise the
difference between (say) a CodeRed attempt against an IIS and an Apache
server.

With stateful packet reassembly, would it be possible to match on the return
packets in the same rule? e.g.

content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when
they're against that particular application.

I realise that some would still want to know about ALL attacks - but that
could be dealt with by  the above rule being an "alert", followed by the
same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




More information about the Snort-users mailing list