[Snort-users] New Snort 2.2 Rules

Andre' M. DiMino tsamp77 at ...549...
Thu Sep 15 16:34:08 EDT 2005


Thank you for clearing this up.. The new flow preprocessor is certainly much
more powerful and flexible than before. 
The newer rule set and Snort's overall performance really shines now.

Thanks again,


-----Original Message-----
From: Alex Kirk [mailto:alex.kirk at ...1935...] 
Sent: Wednesday, September 14, 2005 6:03 PM
To: Andre' M. DiMino; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] New Snort 2.2 Rules

This is partly correct. The flow preprocessor still handles keeping track of
a TCP connection's state & direction, as always. The distinction you're
seeing is that many older rules used things like flags:AP to attempt to
detect established connections -- not a particularly reliable method, given
that it's possible to set the ACK & PUSH flags on a packet that is not part
of an established TCP connection
-- while modern rules use the flow:established keyword/value pair to use the
capabilities of the flow preprocessor to do this type of checking. 
Since the preprocessor is much, much more accurate when determining
connection state, it filters out an even larger number of malicious packets
which are not part of an existing TCP connection than flags:AP or the like,
and as a result your IDS will be correspondingly more quiet.

Alex Kirk
Research Analyst
Sourcefire, Inc.

> I've noticed the same thing in my configuration where Snort is much 
> more quiet than it used to be... False positives and "noise" seem to 
> be at a minimum now. This is definitely not at the expense of solid 
> detection however. I really put Snort 2.4 through some heavy tests 
> with Nessus and other tools, and it does detect everything just fine.
> In looking at the rules, I noticed that many of the rules now use the 
> /flow:established/ option. I might be mistaken, but I don't think this 
> was always the case with the rules. I think a preprocessor used to 
> handle the flow conditions. In a rule with /flow:established/, Snort 
> will only detect the anomalies that occur during an established 
> connection. It doesn't alert on the packets that are simply aimed at 
> your network segment, but not actually traversing an existing connection.
> Do I have this right?
> ------------------------------------------------------------------------
> *From:* snort-users-admin at lists.sourceforge.net 
> [mailto:snort-users-admin at lists.sourceforge.net] *On Behalf Of *Walt Rich
> *Sent:* Wednesday, September 14, 2005 4:27 PM
> *To:* snort-users at lists.sourceforge.net
> *Subject:* [Snort-users] New Snort 2.2 Rules
> I updated the Snort rules to the latest available on Souceforge's 
> site.  They wre auite out of date, and almost a year old.  Snort is up 
> and running, but has become very queit!  It used to detect alot of 
> false positives, which were a pain, but at least I knew it was 
> working.  Now it is very, very quiet, and hasn't detected anything in 
> over 2 hours.  Is it possible that the rule writers have become so 
> good that the detection of false positives has been almost 
> eliminated?  Has anyone else experienced anything similar?  Any input 
> is greatly appreciated.
> Thanks!
> Parago Logo
> ------------------------------------------------------------------------
> | *Walt Rich* | Sr. Network Engineer | Parago, Inc. | 972.538.7253 | 
> walt.rich at ...12648... <mailto:walt.rich at ...12648...> |

More information about the Snort-users mailing list