Snort mailing list archives

Re: What's the fuss about string matching ?

From: Andreas Östling <andreaso () it su se>
Date: Tue, 28 May 2002 07:20:00 +0200 (CEST)


On Mon, 27 May 2002, Pawel Rogocz wrote:

I have troubles seeing any use of string matching in IDS because of two
factors:


Short answer: It really works.
Seriously, you are making a lot of assumptions here.

1. Lots of traffic is encrypted these days.


I would not agree on that one, unfortunately.

But even if the traffic is encrypted - does that make string matching IDS
completely useless? If your answer was "yes", you'd better think again.

- Watching for cleartext strings in protocols that should be encrypted can
  actually be an excellent way of finding anomalies.

- For many encrypted protocols, the most complex part (i.e. likely to
  contain bugs) is the initial connection/authentication phase where the
  encrypted channel is perhaps not yet completely established, and the
  exploit will be sent in cleartext.

- Even if the exploit itself is sent encrypted, it doesn't
  automatically mean the possible response is.

For example, many people said string matching on SSH traffic was
totally useless. Then the CRC compensation attacks showed up, where
most (all?) the exploits including their responses were sent in the clear
and easily detected by using simple string matching. (How often should you
normally see "uid=0(root)" going out from port 22/tcp from a host on your
network?)
I hardly think this was the last bug of this kind.

2. What's the point in watching for a known vulnerability, if you know
your system is not vulnerable ? Do you want to be woken up at 3 a.m.
because someone sent you a malformed packet ? Given the fact that all
alerts in snort are based on known vulnerabiliies, you should patch your
systems or take them off-line.


Not entirely true. Many of the Snort signatures are designed to be
more generic than just watching for the exact pattern of a publicy known
exploit. I of course agree that all systems should be patched though, but
we all know that's not the case, even though yours and mine hopefully are.
One big problem here is that many peoply watch very large networks where
they don't have control over every single host.

And even if you think your system is patched, you (or your updating
software) can always make misstakes. I've seen several skilled
system administrators' hosts being cracked even though they were
absolutely sure they had the latest security patches installed. And if
physical security of a host isn't good, someone may locally install
backdoors or remove security patches etc, and then go home and continue
his/her work. Point is that there are endless reasons to watch for
suspicious traffic from/to a patched system. (This is of course not
limited to string matching.)

It's also quite useful to get an idea of what attackers are trying to do
with your hosts, even though you are not vulnerable.

Generally string matching is waste of CPU cycles, better used somewhere
else. How about detecting (D)DOS ?


I think you're making one big misstake here.
Why use only ONE intrusion detection method?
Just because we love Snort (or other string matching capable proggies)
doesn't mean we think it's the right tool or method for everything.
DDoS bots can sometimes be found by string matching and also by bandwidth
monitoring, so why not use both?

The most important point here is that string matching is just a part of
the whole picture. Sometimes it's extremely useful and sometimes it's not.

It would be more effective for an IDS to alert when a succesful intrusion
was detected, but in many environments this can easily be done
with a sniffer like tcpdump.


Sure, but on large and fast networks it's nice to get a little extra help.


Regards,
Andreas Östling


_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

What's the fuss about string matching ? Pawel Rogocz (May 27)
- Re: What's the fuss about string matching ? Jason Haar (May 27)
- Re: What's the fuss about string matching ? Andreas Östling (May 27)
- Re: What's the fuss about string matching ? Frank Knobbe (May 28)