Snort mailing list archives
Re: insertion and evasion
From: Saad Kadhi <bsdguy () docisland org>
Date: 18 Apr 2002 16:21:42 +0200
On Thu, 2002-04-18 at 15:02, Federico Lombardo wrote:
> So, snort can in any case protect our nids structure from evasion and insertion techniques?
What did you mean by "protect our nids structure"? Snort is a nids and it can detect and sense network probes, signatures, etc. using a signature database and preprocessors. It is not designed to protect, or at least that is not its primary goal. This task is usually delegated to firewalls.

If you meant to ask whether Snort is not susceptible to evasion and insertion, then the answer is "it depends". Snort is not susceptible to most of the known techniques (at least, it'll be in a few days after Dug's post to focus-ids & Dragos's answer). But it might be susceptible to other techniques, as other IDSes such as Dragon are. *sigh* This is life!
> Can snort preprocessors do that?
stream4 & the other bunch can help out for sure. I also advise you to put some kind of a packet normalizer or scrubber (for example, an invisible openbsd pf bridge) in front of the nids.

--
Saad
--
[pgp keyid: 35592A6D http://pgp.mit.edu] # booth slave for hire
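The reply above recommends a packet normalizer in front of the NIDS. The following is an added example, not part of the original post and not code from Snort, stream4 or pf: a simplified model of the ambiguity such a normalizer removes, where overlapping TCP segments with conflicting bytes reassemble differently depending on which copy a reassembler keeps. The segment data, the pattern, the function names and the first-copy-wins rule are assumptions made for illustration.

```python
# Added illustration; simplified model, not Snort, stream4 or pf code.
# Constructed sample: (stream offset, payload) in arrival order. The second and
# third segments cover the same offsets with different bytes.
SEGMENTS = [(0, b"hdr:SIGN"), (8, b"ATURE"), (8, b"xxxxx"), (13, b":end")]
PATTERN = b"SIGNATURE"  # constructed stand-in for a rule's content match


def reassemble(segments, policy):
    """Rebuild the stream. policy 'first' keeps the earliest byte seen at an
    offset, 'last' lets a later overlapping copy overwrite it."""
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out, pos = bytearray(), 0
    while pos in stream:  # stop at the first hole
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def conflicting_overlaps(segments):
    """Offsets where an overlapping byte differs from the copy already seen."""
    seen, conflicts = {}, set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            if seen.setdefault(seq + i, byte) != byte:
                conflicts.add(seq + i)
    return sorted(conflicts)


def normalize(segments):
    """Scrubber pass (assumed rule: first copy wins): rewrite overlapping bytes
    to the first-seen value so every downstream reassembler agrees."""
    seen = {}
    return [(seq, bytes(seen.setdefault(seq + i, b) for i, b in enumerate(data)))
            for seq, data in segments]


if __name__ == "__main__":
    for label, segs in (("raw", SEGMENTS), ("normalized", normalize(SEGMENTS))):
        first, last = reassemble(segs, "first"), reassemble(segs, "last")
        print(label, first, last, "sensor and host agree:", first == last)
    print("pattern seen (first/last):", PATTERN in reassemble(SEGMENTS, "first"),
          PATTERN in reassemble(SEGMENTS, "last"))
    print("conflicting offsets:", conflicting_overlaps(SEGMENTS))
```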