[Snort-users] frag3_engine policy in heterogeneous env.

Bachelor, Stephen A CTR USSOCOM HQ Stephen.Bachelor.ctr at ...14240...
Wed Jun 25 08:52:33 EDT 2008


Chris,

I don't know snort well enough to say which gets you the fewest false
positives or false negatives for evasion with an even blend of operating
systems.  But what I did, when faced with a similar situation, was to
run p0f on the port that snort would run on, then perl-ify the logfile
into a big list mapping internal IPs to operating systems, and
referenced that file from my snort.conf.  The script I used was pretty
ugly, but I could probably dig it up if it'd help.

-Steve

-----Original Message-----
From: snort-users-bounces at lists.sourceforge.net
[mailto:snort-users-bounces at lists.sourceforge.net] On Behalf Of chris
ryan
Sent: Wednesday, June 25, 2008 8:33 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] frag3_engine policy in heterogeneous env.

Hi,

as far as i understand, the policies "emulate" the target host OS
defragmentation to avoid an evasion of the ids.

For now, we have a very heterogeneous environment and cannot map the
subnets to specific operating systems. In effect, the "bind-to" combined
with "policy xyz" is not applicable.

So, my guess is, i've to use one frag3_engine policy for all the traffic
(with possible evasion side effect to ids). The default engine is "BSD".

Is "BSD" a good choice for such a heterogeneous environment?


Thanks in advance, Chris.

------------------------------------------------------------------------
-
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open
Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list