[Snort-users] protocols decoded

Matt Kettler mkettler at ...4108...
Mon Aug 9 15:49:06 EDT 2004


At 06:10 PM 8/9/2004, jvarlet at ...12243... wrote:
>I would like to know how many protocols snort can decode. Some IDS (like ISS,
>McAfee,...) can decode more than 100 protocols. I saw that snort decodes 3
>(tcp, udp, icmp); but how many protocols from network to application?

Full decode is AFAIK limited to just those three.

However, there are plugins that do analysis and normalization of several 
other protocols (HTTP, Telnet, etc).

As for the number of decoders being so small, I for one don't really see 
this as a substantial problem.

Snort has TCP decode, and PCRE support. At that point do you really need 
SMTP decoding? It might make rule creation easier, but it doesn't add a 
whole lot of functionality for most protocols. (and snort has http_decode 
to normalize and preprocess http sessions, which definitely ARE complicated 
and worthy of decode).

That said, snort's lack of decoders seems to be at least part of its 
weaknesses, lack of good rules based on vulnerabilities, not signatures of 
a single exploit script. Snort has many good generalized rules, but it also 
has many that were quickly written from packet dumps and aren't going to 
detect exploits unless made from a particular script. This is an area of 
constant improvement in snort, but it's hardly complete.

(This said, I've not examined the signature databases of many commercial 
products. They could be even worse)


Other counter-points to consider are:

         1) how flexible is the tool in creating rules for protocols with 
no decoder? Can you use regex syntax? multi-part content checks? decode of 
bytes in the data into numeric format and do > or < type comparisons? Just 
because one tool has more decoders than another doesn't make it a better tool.

         2) what's the cost? Snort's a free download. Snort may be the 
ultimate IDS, but it's damn good, and in price/performance it's hard to match.

And of course, take all of these in context of what your needs are. No IDS 
can be the perfect tool for every network. Look at the tools closely to try 
to find one that fits your needs. Snort's probably the best tool for the "I 
analyze attacks and write my own signatures" type user, but it's not well 
suited to the "I want to set it and forget it" type (no IDS is good for 
this, but some are much closer to this than the snort download is).
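As an added illustration of the rule options raised above (regex syntax, multi-part content checks, and byte-to-number comparison) applied to a protocol Snort has no decoder for, here is a Snort 2.x rule written for this page; it is not from the original thread. It assumes a hypothetical protocol on TCP/9999 whose messages start with a 2-byte magic value, an ASCII command word and a space, then a 2-byte big-endian length field, and it assumes a 1024-byte server-side buffer as the threshold; all of those values are made up for the example.

```snort
# Added example rule, not from the original post. Everything about the
# "HYPO" protocol below (port, magic bytes, command words, 1024-byte limit)
# is an assumption made for illustration.
#
# Layout of one assumed HYPO request on the wire:
#   bytes 0-1 : magic  0xAB 0xCD
#   bytes 2-6 : ASCII command "PUSH " or "PULL " (word plus a space)
#   bytes 7-8 : big-endian 16-bit payload length
#   bytes 9-  : payload
#
# The rule needs no protocol decoder: a fixed content match anchors the
# magic, a pcre handles the variable command word (and moves the detection
# offset past it), and byte_test converts the length field to a number and
# compares it against the assumed buffer size.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 ( \
    msg:"HYPO request claims payload larger than assumed 1024-byte buffer"; \
    flow:to_server,established; \
    content:"|AB CD|"; depth:2; \
    pcre:"/^(PUSH|PULL) /R"; \
    byte_test:2,>,1024,0,relative; \
    classtype:attempted-dos; \
    sid:1000001; rev:1; \
)
```

The `R` modifier makes the regex start where the previous content match ended, and `relative` makes byte_test read the two length bytes immediately after the pcre match, so each option builds on the last without any per-protocol parsing code.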
