[Snort-users] protocols decoded
mkettler at ...4108...
Mon Aug 9 15:49:06 EDT 2004
At 06:10 PM 8/9/2004, jvarlet at ...12243... wrote:
>I would like to know how many protocols snort can decode. Some IDS (like ISS,
>McAfee,...) can decode more than 100 protocols. I saw that snort decodes 3
>(tcp, udp, icmp); but how many protocols from network to application?
Full decode is AFAIK limited to just those three.
However, there are plugins that do analysis and normalization of several
other protocols (HTTP, Telnet, etc).
As for the number of decoders being so small, I for one don't really see
this as a substantial problem.
Snort has TCP decode, and PCRE support. At that point do you really need
SMTP decoding? It might make rule creation easier, but it doesn't add a
whole lot of functionality for most protocols. (And snort has http_decode
to normalize and preprocess http sessions, which definitely ARE complicated
and worthy of decode.)
That said, snort's lack of decoders seems to be at least part of its
weaknesses: lack of good rules based on vulnerabilities, not signatures of
a single exploit script. Snort has many good generalized rules, but it also
has many that were quickly written from packet dumps and aren't going to
detect exploits unless made from a particular script. This is an area of
constant improvement in snort, but it's hardly complete.
(This said, I've not examined the signature databases of many commercial
products. They could be even worse.)
Other counter-points to consider are:
1) How flexible is the tool in creating rules for protocols with
no decoder? Can you use regex syntax? Multi-part content checks? Decode of
bytes in the data into numeric format and do > or < type comparisons? Just
because one tool has more decoders than another doesn't make it a better tool.
2) What's the cost? Snort's a free download. Snort may be the
ultimate IDS, but it's damn good, and in price/performance it's hard to match.
And of course, take all of these in context of what your needs are. No IDS
can be the perfect tool for every network. Look at the tools closely to try
to find one that fits your needs. Snort's probably the best tool for the "I
analyze attacks and write my own signatures" type user, but it's not well
suited to the "I want to set it and forget it" type (no IDS is good for
this, but some are much closer to this than the snort download is).
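An added example, not from the original post, of how the three capabilities listed under point 1 (multi-part content checks, byte-to-number comparison, regex) combine in one Snort rule for a protocol that has no dedicated decoder. The protocol framing, port, and sid are hypothetical and constructed for this illustration.

```snort
# Hypothetical binary protocol on TCP/5555 (constructed for this example):
#   bytes 0-1 : magic 0xAB 0xCD
#   bytes 2-4 : ASCII command, e.g. "PUT"
#   bytes 5-6 : big-endian payload length
#   bytes 7.. : payload, starting with a printable key name and a NUL
# Flags a PUT whose declared payload length exceeds 1024 bytes, the kind of
# length-field sanity check a dedicated protocol decoder would otherwise do.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 ( \
    msg:"EXAMPLE hypothetical proto - oversized PUT length field"; \
    flow:to_server,established; \
    content:"|AB CD|"; depth:2; \
    content:"PUT"; distance:0; within:3; \
    byte_test:2,>,1024,5,big; \
    pcre:"/^.{7}[\x20-\x7e]{1,64}\x00/s"; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)
```

The two `content` options do the multi-part framing check (the second is anchored relative to the first), `byte_test` converts the two length bytes at absolute offset 5 to a number and applies the `>` comparison, and `pcre` restricts the match to well-formed payloads to reduce false positives.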