[Snort-users] Speedera Alerts
erek at ...577...
Tue Mar 26 09:17:04 EST 2002
On Tue, 26 Mar 2002, Luo, Feng (Exchange) wrote:
> Erek, could you explain what the dangers about these Speedera Alerts are, I
> got a lot too.
It's not so much the "danger" of the alert itself. Rather, what else
it _could_ be is more of the danger. Consider the following:
* Your users are on the internet.
* Your users visit a site using Speedera.
* You see the resulting 'pings' back.
Now, if this goes on for a while, you'll consider it 'normal' and not
unusual for your network's traffic. Heck, you might even put up ignore
rules and/or remove that rule from the list. Now by doing so, you've given
the 3l33t h4x0r an alert type that can be mimicked and would be ignored. Now
they could use the Speedera Ping type as an ICMP tunnel.
You'll need to inspect the packet dumps and make sure that it is a
'Speedera Ping' and not something else, IF you are concerned about it. Since
the ICMP rules are prone to lots of false positives and large numbers of alerts
on legitimate traffic, they are turned off by default.
I would _strongly_ suggest:
Network Intrusion Detection: An Analyst's Handbook
Intrusion Signatures and Analysis
Those two books will help you understand some of the how/why's and what's
of the IDS world.
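The check Erek describes, inspecting the packets behind the alert instead of silencing the rule, can be scripted. The following is an added example and is not code from the original post or from Snort: it parses raw ICMP echo requests, verifies the checksum, compares each payload against a known probe pattern, and flags payloads that look like carried data (high entropy, or changing from packet to packet under the same ICMP id). The KNOWN_BENIGN_PAYLOAD bytes, the sample packets, and the entropy threshold are all constructed placeholders for this example; the real probe bytes would come from your own packet dumps.

```python
# Added example, not code from the original Snort-users post or from Snort.
# Purpose: verify that echo requests behind an "ICMP Speedera ping" alert are a
# fixed, repeated probe and not a covert channel dressed up to look like one.
#
# Assumptions: KNOWN_BENIGN_PAYLOAD is a constructed placeholder, not the real
# probe bytes; HIGH_ENTROPY_BITS and MIN_LEN_FOR_ENTROPY are heuristics.
import math
import struct
from collections import Counter
from typing import Dict, List

KNOWN_BENIGN_PAYLOAD = b"PLACEHOLDER-PROBE-PAYLOAD" + b"\x00" * 7  # constructed, 32 bytes
HIGH_ENTROPY_BITS = 6.0    # encrypted/compressed data approaches 8 bits per byte
MIN_LEN_FOR_ENTROPY = 64   # shorter payloads cannot reach the threshold anyway


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP type 8 echo request; used here only to construct sample input."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split an ICMP packet into its fields and verify the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than the 8-byte header")
    itype, code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    return {
        "type": itype, "code": code, "id": ident, "seq": seq,
        "payload": packet[8:],
        "checksum_ok": icmp_checksum(zeroed) == csum,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_echo(packet: bytes, benign: bytes = KNOWN_BENIGN_PAYLOAD) -> str:
    """Label one packet: known probe, suspicious payload, or something else."""
    p = parse_icmp(packet)
    if p["type"] != 8:
        return "not-echo-request"
    if not p["checksum_ok"]:
        return "bad-checksum"
    if p["payload"] == benign:
        return "matches-known-probe"
    if len(p["payload"]) >= MIN_LEN_FOR_ENTROPY and shannon_entropy(p["payload"]) > HIGH_ENTROPY_BITS:
        return "high-entropy-payload"   # looks like carried data, not a fixed probe
    return "unknown-payload"


def payload_variation(packets: List[bytes]) -> Dict[int, int]:
    """Distinct echo-request payloads per ICMP id across a dump.
    A fixed probe repeats one payload; a tunnel carries different data each time."""
    seen: Dict[int, set] = {}
    for pkt in packets:
        p = parse_icmp(pkt)
        if p["type"] == 8:
            seen.setdefault(p["id"], set()).add(p["payload"])
    return {ident: len(payloads) for ident, payloads in seen.items()}


# Constructed sample traffic: a repeated benign probe, a plaintext ping, and a
# 128-distinct-byte payload standing in for encrypted tunnel data.
TUNNEL_LIKE_PAYLOAD = bytes((i * 37 + 11) % 256 for i in range(128))
SAMPLE_PACKETS = [
    build_echo_request(0x4242, 1, KNOWN_BENIGN_PAYLOAD),
    build_echo_request(0x4242, 2, KNOWN_BENIGN_PAYLOAD),
    build_echo_request(0x1337, 1, TUNNEL_LIKE_PAYLOAD),
    build_echo_request(0x1337, 2, TUNNEL_LIKE_PAYLOAD[::-1]),
    build_echo_request(0x0001, 1, b"hello from a plain ping"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        p = parse_icmp(pkt)
        print("id=0x%04x seq=%d len=%d -> %s" % (p["id"], p["seq"], len(p["payload"]), classify_echo(pkt)))
    print("distinct payloads per id:", payload_variation(SAMPLE_PACKETS))
```

Run against real captures, swap in the probe bytes observed in your own dumps for the placeholder and feed the parser the ICMP portion of each packet; an id whose payload count keeps climbing, or whose payloads score near 8 bits per byte, is the case the reply above warns about and deserves a look before any ignore rule goes in.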