[Snort-users] What's the fuss about string matching ?
pawel at ...5803...
Mon May 27 12:47:14 EDT 2002
I saw some posts recently, about making the next release of snort more
effective, by making improvements to the string matching engine.
I would like to hear some real stories where string matching helped
detect intrusion. I am not talking about people running honeypots.
I would like to hear from people with real networks like ASPs.
I have trouble seeing any use of string matching in IDS because of two
1. Lots of traffic is encrypted these days.
2. What's the point in watching for a known vulnerability, if you know
your system is not vulnerable ? Do you want to be woken up at 3 a.m.
because someone sent you a malformed packet ? Given the fact that all
alerts in snort are based on known vulnerabilities, you should patch your
systems or take them off-line.
Generally string matching is a waste of CPU cycles, better used somewhere
else. How about detecting (D)DOS ?
It would be more effective for an IDS to alert when a successful intrusion
was detected, but in many environments this can easily be done
with a sniffer like tcpdump.