IDS mailing list archives
Re: Belaboring the point of FPs
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 22 Aug 2003 00:13:46 -0400
Hey Robert,

Nice metaphors. :)

There's one bit of context missing from your post, and that is the original purpose and environments that our respective products evolved out of. Snort is an open source extensible software framework for network traffic analysis that many people use as an intrusion detection system; RS7/BlackICE is a purpose built commercial NIDS engine. I wrote Snort for the first 2.5 years solely in my spare time and on what could generously be termed as a shoestring budget with a Pentium Pro 200 and a couple Celeron 300's as my development and testing network.
Snort's detection engine was designed in the way that it was as a proof of concept and, inertia being what it is, it took a couple years to get to the design that we have today. Development is still ongoing, but suffice to say that we're working on some new stuff that'll be pretty cool when it comes out.
Snort gives you what you ask for, sort of like UNIX/C give you what you ask for. BlackICE is much more of a black box, Windows to Snort's UNIX perhaps (and I'm not being snotty, I actually like win2k in my non-partisan moments). Given the backgrounds of both systems, I think the reasons for this are obvious. I was building a framework for everyone to fiddle with and you were building something that was going to have to be deployed on arbitrary win32 systems, a daunting prospect from a tech support standpoint, so user fiddling with the innards was to be discouraged as much as possible.
> I don't mean to take this analogy too far, but I'd like to point out the stories of genies-in-bottles who give you exactly what you ask for, but not quite what you want. We all know the story of king Midas who wished that everything he touched turned to gold -- but then realized the folly of his ways when he hugged his daughter, which turned her to gold.
Yeah, but if he had been smart about it he could have done better for himself!
> I'm not saying that this is a BIG problem for Snort, please don't read too much into the analogy. It is indeed a good thing that Snort gives you what you ask for -- I'm just trying to point out that it isn't 100% good.
This is kind of a "maturity principle" issue: do we trust people to take responsibility for their actions and behave in reasonable ways or not? We would certainly like to think so, but history proves otherwise.
> The basic problem is that the Snort rules language is not expressive enough to give you what you want. It's like going to a French restaurant and ordering only those things on the menu that you can pronounce. I have friends that order bagels in the morning because they are embarrassed by their poor pronunciation of the French word "croissant". It's true that the coffee shop is not at fault for delivering what the customer asked for, but it doesn't mean the customer is completely happy with his bagel.
I'd like to amend the above sentence to "The basic problem is that the Snort rules language is not *always* expressive enough to give you what you want". This is true and it's what leads us to evolve the language. The byte_test/byte_jump functionality is a direct result of this problem. The Snort language could use an overhaul sometime in the not too distant future; it's certainly approaching the point at which we need to seriously evaluate its functionality and readability as they relate to ongoing extension and addition to the keyword system.
> I write lots of signatures for my IDS (RealSecure 7). I have written a clone of Snort (Trons). Most of the signatures that I write cannot be expressed in the Snort rules language. For example, I put an IMAP protocol-decode on port 143 that explicitly recognizes what an e-mail message is, and therefore won't match any patterns inside it (unless, of course, those patterns are supposed to be for e-mail messages). You could certainly extend the Snort rules language with plugins. The 'uricontent' keyword is a good example of a limitation with pattern-matching that had to be resolved. You could certainly add a plugin for IMAP that resolves the false-positive discussed below, but the issue is that nobody has. Such problems can easily be solved within the Snort architecture, it's just that when you get Snort today, such problems are not solved.
At the same time, it's exceedingly difficult to write this simple Snort rule as a BlackICE user (TRONS notwithstanding):
    alert tcp $EXTERNAL_NET any -> $ANON_FTP 21 (\
        flow: to_server, established; \
        content: "USER"; nocase; \
        content: !"anonymous"; nocase; distance: 1; \
        content: !"ftp"; nocase; distance: 1; \
        msg: "Non-anonymous login to anonymous FTP server"; \
        classtype: policy-violation; \
        tag: session 30 seconds; \
        sid: 100000; rev: 1;\
    )
> Again, I'd like to point out that when you use my IDS, you'll get a set of signatures that I wanted to give you. You can certainly add your own with the Trons feature and other "protocol-field" capabilities we give you, and you can sometimes adjust the signatures, but you DON'T have the complete ability (like Snort) to arbitrarily change the signatures that I wrote for you. As you can expect, since I wrote the signatures in a specific way, I believe that you'll get what you 'want' better out of my IDS than Snort, but it's certainly true that you have less ability to 'ask' my IDS to do something slightly different.
This is the basic difference between our approaches: I assumed that I know nothing about defending people's networks and you decided differently. My approach, for better or worse, assumes that the user knows what they're doing or can at least figure it out. I emphasized flexibility over other traits, but I thought (I believe rightly) that that is what people wanted.
I think this ultimately boils down to a religious argument, but it's certainly a valid one.
-Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Enterprise-class Snort-based IDS Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Federal, September 29-30 (Training), October 1-2 (Briefings) in Tysons Corner, VA; the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! 6 tracks, 12 training sessions, top speakers and sponsors. Symantec is the Diamond sponsor. Early-bird registration ends September 6. Visit: www.blackhat.com
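As an added illustration that is not part of Marty's post or of the Snort project: a small Python model of how the FTP rule quoted above evaluates constructed client command lines, including a benign line that trips the unanchored pattern. The content/nocase/distance semantics are my own reading of the rule's keywords, stated in the comments as assumptions.

```python
# Added example, not from the original post: a Python model of how the quoted
# Snort rule evaluates one client->server FTP payload. Assumptions are mine:
# 'content' is an unanchored substring search, 'nocase' makes it
# case-insensitive, and 'distance: 1' on a negated content means the string
# must not occur anywhere from 1 byte past the end of the last positive
# match to the end of the payload (a negated match does not move the cursor).

def _find_nocase(payload: bytes, needle: bytes, start: int) -> int:
    """Case-insensitive search for needle in payload[start:]; -1 if absent."""
    return payload.lower().find(needle.lower(), start)

def non_anonymous_login(payload: bytes) -> bool:
    """True if the rule would fire on this payload."""
    # content: "USER"; nocase;
    hit = _find_nocase(payload, b"USER", 0)
    if hit == -1:
        return False
    cursor = hit + len(b"USER")
    # content: !"anonymous"; nocase; distance: 1;
    if _find_nocase(payload, b"anonymous", cursor + 1) != -1:
        return False
    # content: !"ftp"; nocase; distance: 1;
    if _find_nocase(payload, b"ftp", cursor + 1) != -1:
        return False
    return True

# Constructed FTP command lines (not captured traffic) with the expected verdict.
SAMPLES = {
    b"USER anonymous\r\n": False,          # anonymous login: no alert
    b"user FTP\r\n": False,                # nocase covers case variants
    b"USER alice\r\n": True,               # named account: alert
    b"PASS guest@example.org\r\n": False,  # no USER token at all
    # Benign directory change containing the substring "users": the
    # unanchored pattern fires, which is the false-positive class this
    # thread is about.
    b"CWD /pub/users\r\n": True,
}

def verdicts() -> dict:
    """Evaluate every sample; returns {payload: alert?}."""
    return {p: non_anonymous_login(p) for p in SAMPLES}

if __name__ == "__main__":
    for payload, expected in SAMPLES.items():
        got = non_anonymous_login(payload)
        print(payload, "ALERT" if got else "ok", "" if got == expected else "(unexpected)")
```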
---------------------------------------------------------------------------