[Snort-users] Swen.A results with Snort-inline (protocol anomaly detection)

Jason Haar Jason.Haar at ...10172...
Fri Sep 26 02:07:06 EDT 2003

pieter claassen said:
> Hi Jason,
> I am intrigued by your statement that network based scanning cannot
> replace AV. I assume you are touching on the question as to which
> security functions can be handled on the perimeter and which ones can
> only be done end-to-end?

No - nothing to do with that. It's an issue of *how* an AV system works vs
a "flow based" technology like IDS. AV scanners do all sorts of tricks
with files in order to discover if they are "bad". They need to have the
entire (or a large chunk of it) file in place before they start scanning
for one thing. There are all sorts of seeks going on - and let's not even
mention the sandboxes AV systems run to partially execute a suspect
executable to see what it does next. How could an IDS do all that - on the
fly? How could an IDS stop a virus reaching it's intended target if it had
to let the entire thing pass before making a decision? Cache,
Stop-and-Forward it? Doesn't sound like a flow-based technology anymore...
Let's see a network backup run past such a box :-)
Now of course, there's nothing to stop  you having one box that acts as
your SMTP AV gateway as well as your IDS - but it ain't the IDS stopping
the viruses anymore...
The closest thing that exists to a flow-based AV system is the AV plugins
you can get for Web proxies - and they still need to download the files,
scan, then pass the file onto the end user if it's OK. As even HTML pages
can have viruses (via ActiveX/etc), the "end user experience" is S.L.O.W.
I remembering trialing a "market leader" in that arena last year. I moved
all of our IS group onto it and threatened them with pain of death if they
stops using the AV proxy and went back to the "normal" one (we needed to
trial it before inflicting it on end users). Within 4 hours they had all
sneaked off back onto the normal, non-AV proxy. It was just too slow - it
was like our Internet link had gone back three years in latency. Needless
to say, we still don't run an AV on our Web traffic. But SMTP - too right
(Qmail-Scanner - plug,plug ;-)

OTOH, we do use some of Snorts rules to look for *some* network-based
viruses - it's pretty good at a few of them. However, nothing beats a real
AV system.
Oh yeah, and let's not even start on the topic of how do you clean up
infected workstations if you were to rely on an IDS-style AV system... :-)


More information about the Snort-users mailing list