[Snort-users] What's the fuss about string matching ?

Pawel Rogocz pawel at ...5803...
Mon May 27 12:47:14 EDT 2002


Hi,

I saw some posts recently, about making the next release of snort more
effective, by making improvements to the string matching engine.

I would like to hear some real stories where string matching helped 
detect intrusion. I am not talking about people running honeypots.
I would like to hear from people with real networks like ASPs.

I have troubles seeing any use of string matching in IDS because of two 
factors:

1. Lots of traffic is encrypted these days.
2. What's the point in watching for a known vulnerability, if you know
your system is not vulnerable ? Do you want to be woken up at 3 a.m.
because someone sent you a malformed packet ? Given the fact that all 
alerts in snort are based on known vulnerabiliies, you should patch your
systems or take them off-line.

Generally string matching is waste of CPU cycles, better used somewhere
else. How about detecting (D)DOS ?
It would be more effective for an IDS to alert when a succesful intrusion 
was detected, but in many environments this can easily be done 
with a sniffer like tcpdump.

thanks,

Pawel





More information about the Snort-users mailing list