[Snort-users] "trons" Rules

Fyodor fygrave at ...121...
Sat Mar 2 03:42:08 EST 2002

> >so, lets discuss BlackICE protocol-analysis versus snort protocol-analysis
> >here on this list. I think this would be a proper discussion, comparing
> >things that are compareable ;-)
> I still dont know the difference in detail! In the 0103cansec.ppt doc Mr.
> Graham writes:
> "What is protocol-analysis?
> It is not a database of signatures!
> Yes, about half the intrusions detected are based on a pattern, but it is an
> exact match."

My understanding (not what mr. Graham probably thinks, but could be
similar): protocol analysis is when you take apart a protocol, analyse
each field within the communication, track the state of the protocol
communication with 'watched' hosts, and yell an alert if something that
you notice, looks fishy. i.g. erroneously long fields in protocol
'values' (long usernames in FTP, community strings in snmp), binary data
where ascii-only is expected, ascii data, where numeric only data is
expected, unusual occurences/sequences of commands within the protocol
(i.g. smtp is usually helo --> mail from--> rcpt to-->data-->quit, if
someone has sequential helo, mail from, vrfy, quit chances that he is
pockinga round with smth). etc.. protocol analysis (imho) is a module
which takes alot of work (and cpu(!)) and is somewhere in between the
signature matching and anomaly detection methods..

> is, that snort does not decode all the "higher OSI layer protocols" that
> BlackICE decodes.

Wouldn't know whether BlackICE actually does what it claims, but true,
currently snort mostly 'normalizes' some application-level protocols
data, before the signatures could be matched, without keep a track on
the protocol state, or anything that bad guys could mock around.

Snort2.x will be able to do more here, but as of the moment it is still coming(tm)! :-)

> As far as I know, the only application snort currently decodes is FTP.
> Is this correct? 

Don't think so.. rpc preproc, http preproc/unicode, telnet preproc:
these could be the prototypes of protocol analyzers.

just my $0.02
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

More information about the Snort-users mailing list