Snort mailing list archives
Re: "trons" Rules
From: Fyodor <fygrave () tigerteam net>
Date: Sat, 2 Mar 2002 18:33:12 +0700
> so, let's discuss BlackICE protocol-analysis versus snort protocol-analysis here on this list. I think this would be a proper discussion, comparing things that are comparable ;-) I still don't know the difference in detail! In the 0103cansec.ppt doc Mr. Graham writes: "What is protocol-analysis? It is not a database of signatures! Yes, about half the intrusions detected are based on a pattern, but it is an exact match."

My understanding (not what Mr. Graham probably thinks, but could be similar): protocol analysis is when you take apart a protocol, analyse each field within the communication, track the state of the protocol communication with 'watched' hosts, and yell an alert if something that you notice looks fishy, e.g. erroneously long fields in protocol 'values' (long usernames in FTP, community strings in SNMP), binary data where ASCII-only is expected, ASCII data where numeric-only data is expected, unusual occurrences/sequences of commands within the protocol (e.g. SMTP is usually helo --> mail from --> rcpt to --> data --> quit; if someone has sequential helo, mail from, vrfy, quit, chances are that he is poking around with something), etc. Protocol analysis (imho) is a module which takes a lot of work (and CPU(!)) and is somewhere in between the signature matching and anomaly detection methods.

> is, that snort does not decode all the "higher OSI layer protocols" that BlackICE decodes.

Wouldn't know whether BlackICE actually does what it claims, but true, currently snort mostly 'normalizes' some application-level protocol data before the signatures could be matched, without keeping track of the protocol state or anything that bad guys could mock around with. Snort 2.x will be able to do more here, but as of the moment it is still coming(tm)! :-)

> As far as I know, the only application snort currently decodes is FTP. Is this correct?

Don't think so.. rpc preproc, http preproc/unicode, telnet preproc: these could be the prototypes of protocol analyzers.

just my $0.02

--
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7 B288 5CE5 A713 0969 A4D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
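The kind of stateful protocol analysis Fyodor sketches above (overlong fields, binary data in ASCII-only fields, unusual command sequences) can be illustrated with a small SMTP command analyzer. This is an added example and is not code from the original post, from Snort, or from BlackICE; the length limit, the "any time" command set and the transition table are assumptions chosen for illustration, and the sample sessions in `main` are constructed, not captured traffic.

```python
"""Toy SMTP protocol analyzer: tracks transaction state and flags anomalies.

Added example, not Snort or BlackICE code. MAX_ARG_LEN, ANYTIME and
EXPECTED_NEXT are assumptions for illustration, not protocol limits.
"""
import re

# Assumed maximum argument length before a field counts as "erroneously long".
MAX_ARG_LEN = 64

# Commands assumed legal in any state; they do not advance the transaction.
ANYTIME = {"NOOP", "RSET", "QUIT", "HELP"}

# Expected transitions for a normal transaction:
# HELO/EHLO -> MAIL -> RCPT (one or more) -> DATA -> MAIL or QUIT.
# None is the initial state, before any greeting has been seen.
EXPECTED_NEXT = {
    None: {"HELO", "EHLO"},
    "HELO": {"MAIL"},
    "EHLO": {"MAIL"},
    "MAIL": {"RCPT"},
    "RCPT": {"RCPT", "DATA"},
    "DATA": {"MAIL", "QUIT"},
}

# Command lines are expected to be printable ASCII only (space through tilde).
PRINTABLE_ASCII = re.compile(r"^[\x20-\x7e]*$")


def analyze_smtp_session(commands):
    """Return a list of (line_no, reason) alerts for one client's command lines.

    `commands` is an iterable of raw command lines (str, without CRLF), in the
    order a stream reassembler would hand them to an application decoder.
    """
    alerts = []
    state = None
    for line_no, line in enumerate(commands, start=1):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()

        # 1. Binary / non-printable data where ASCII-only text is expected.
        if not PRINTABLE_ASCII.match(line):
            alerts.append((line_no, "non-printable data in ASCII-only command"))

        # 2. Erroneously long field, e.g. an overlong address in MAIL FROM.
        if len(arg) > MAX_ARG_LEN:
            alerts.append(
                (line_no, f"{verb} argument length {len(arg)} exceeds {MAX_ARG_LEN}")
            )

        # 3. Unusual command sequence, judged against the tracked state.
        if verb in ANYTIME:
            continue  # allowed anywhere; does not move the state machine
        expected = EXPECTED_NEXT.get(state, set())
        if verb not in expected:
            where = state or "session start"
            alerts.append(
                (line_no, f"unexpected {verb} after {where}; expected {sorted(expected)}")
            )
        # Only commands that are part of the modelled transaction advance state;
        # a probe such as VRFY leaves the state where it was.
        if verb in EXPECTED_NEXT:
            state = verb
    return alerts


if __name__ == "__main__":
    # Constructed sample sessions, not captured traffic.
    normal = [
        "HELO mail.example.test",
        "MAIL FROM:<alice@example.test>",
        "RCPT TO:<bob@example.test>",
        "DATA",
        "QUIT",
    ]
    probe = ["HELO x", "MAIL FROM:<a@b.test>", "VRFY root", "QUIT"]
    for name, session in (("normal", normal), ("probe", probe)):
        print(name, analyze_smtp_session(session))
```

The three checks map directly onto the categories in the message: field length, field content type, and command order against tracked state. The state table deliberately models only the ordinary transaction, so anything outside it (VRFY, EXPN, a second HELO, an unknown verb) surfaces as a sequence alert rather than needing a signature of its own; tuning that table is the "lot of work" the message mentions, and the per-line regex and dictionary lookups are the CPU cost.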
Current thread:
- "trons" Rules dr . kaos (Feb 28)
- RE: "trons" Rules Jason Lewis (Feb 28)
- <Possible follow-ups>
- RE: "trons" Rules Lampe, John W. (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- Re: "trons" Rules Jeff Nathan (Mar 02)
- Re: "trons" Rules dr . kaos (Mar 01)
- RE: "trons" Rules Jeff Dell (Mar 01)
- RE:"trons" Rules counter . spy (Mar 01)
- RE:"trons" Rules counter . spy (Mar 02)
- Re: "trons" Rules Fyodor (Mar 02)
- RE:"trons" Rules counter . spy (Mar 02)
- RE: "trons" Rules Kohlenberg, Toby (Mar 02)
- Re: "trons" Rules Fyodor (Mar 03)