[Snort-users] "trons" Rules

counter.spy at ...348...
Sat Mar 2 02:36:10 EST 2002


Sorry, but I had some errors in my previous post.
(Thanx for the hint, Bob ...boy am I read...)
But that should not keep you from discussing the issue of protocol analysis,
which is still unclear to me ;-)

So here is the corrected post:

>Hey all,
>having read the information about 
>on Robert Graham's website I decided to
>trigger a little discussion on protocol analysis - an issue that has been
>on my mind
>for some time now:

>Robert Graham is known as a protocol geek and he prays his protocol
>Alright, as far as I know snort does perform some kind of protocol
>In his document 0103cansec.ppt (to be found in the "slides" directory on
>he compares "snortlike" pattern match against  protocol analysis 
>- all very lucid, bene.

>Now can somebody, please explain the difference between 
>protocol analysis and BlackICE protocol analysis 
>(might be somehow difficult, as the BlackICE product, now
>being integrated into RealSecure, was, still is and will 
>forever be closed source).

>I know that BlackICE detected all the NSS Group attacks, but I also know
>that snort
>did an excellent job as well, despite the fact that they had a rather
>outdated version.

CORRECTION: Version 1.8.1 actually WAS THE ACTUAL version at
the time of testing.

>Any comments that are based on technical facts are greatly appreciated,
>because this information could be of great help for my diploma thesis :-)

>In addition, here are some snips of the TRON page (commented by me ;-) )

>"....TRONS was reverse engineered from Snort signatures.."
>big deal, it's open source! :-)

>"...I didn't look at Snort source more from a politeness issue rather than
>anything else..."
>Oh..., wow! ;-)

>"...How does BlackICE compare to Snort? 
>I prefer protocol-analysis for IDS signatures over pattern-match, of
>which is why I chose that technology instead of pattern-match. The thing to
>remember is that it is a different technique that gives you different
>We can argue which results most people would prefer, but it would be
>to say that one technique is always better than another. In any case, this
>is the wrong paper for such a discussion. "

>so, let's discuss BlackICE protocol-analysis versus snort protocol-analysis
>here on this list. I think this would be a proper discussion, comparing
>things that are comparable ;-)

I still don't know the difference in detail! In the 0103cansec.ppt doc Mr.
Graham writes:

"What is protocol-analysis?
It is not a database of signatures!
Yes, about half the intrusions detected are based on a pattern, but it is an
exact match."

I think the difference between snort protocol analysis and BlackICE protocol
is that snort does not decode all the "higher OSI layer protocols" that
BlackICE decodes.
As far as I know, the only application snort currently decodes is FTP.
Is this correct?

>In order to anticipate any complaints or misunderstandings:
>This is not criticism of Robert Graham's work or Robert Graham himself.
>On the contrary, I have great respect for this man and his work and very
>much appreciate that he is always sharing his knowledge with the public.
>I just would like to heat some discussion ;-)

>D. Liesen

Have a nice weekend!
GMX - The communication platform on the Internet.
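To make the pattern-match versus protocol-analysis distinction from the post concrete, here is an added example (not from the poster, Snort or BlackICE): a Snort-style exact substring signature is run beside a small FTP request decoder over constructed FTP client lines. The signature string, the argument-length limit and the sample lines are all assumptions made up for the illustration.

```python
"""Pattern match vs. protocol decode on constructed FTP client lines.

Added example, not code from the mailing-list post or from Snort/BlackICE.
"""
import re

# Constructed sample client lines, as a sniffer would reassemble them.
SAMPLE_FTP_LINES = [
    b"USER anonymous\r\n",
    b"PASS guest@example.test\r\n",
    b"CWD /pub\r\n",
    b"SITE EXEC ls -la\r\n",          # contains the hypothetical signature string
    b"MKD " + b"A" * 600 + b"\r\n",    # over-long argument, matches no fixed string
]

# Hypothetical pattern-match rule: fires only if this exact byte sequence is present.
PATTERN_SIGNATURE = b"SITE EXEC"

def pattern_match(line: bytes) -> bool:
    """Snort-style 'content' match: an exact substring, nothing else is known."""
    return PATTERN_SIGNATURE in line

# FTP request grammar: a 3-4 letter verb, an optional argument, CRLF.
FTP_CMD = re.compile(rb"^([A-Za-z]{3,4})(?: (.*))?\r\n$")
MAX_ARG_LEN = 255  # assumed policy limit for a normal FTP argument

def decode_ftp(line: bytes):
    """Protocol decode: split an FTP request into (verb, argument), or None."""
    m = FTP_CMD.match(line)
    if not m:
        return None
    return m.group(1).upper(), m.group(2) or b""

def protocol_analysis(line: bytes) -> bool:
    """Flag protocol violations (malformed request or oversized argument)
    without a signature database: the decoder knows what FTP should look like."""
    decoded = decode_ftp(line)
    if decoded is None:
        return True  # not a well-formed FTP request; worth flagging
    _verb, arg = decoded
    return len(arg) > MAX_ARG_LEN

def classify(lines):
    """Return (pattern_hit, protocol_hit) for each line."""
    return [(pattern_match(l), protocol_analysis(l)) for l in lines]
```

Only the SITE EXEC line fires the signature, while only the over-long MKD argument fires the decoder; each technique sees something the other misses, which is the point the post is asking about.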