Snort mailing list archives
Re: To check for current SNORT limitations in 2.9
From: Mike Stephanick <mike () nepageeks com>
Date: Mon, 30 Oct 2017 17:40:17 -0400
unsubscribe me from this.

Mike Stephanick, IT Consultant
nepageeks.com <http://nepageeks.com>
NEPA Geeks LLC
237 Old River Road Suite A
Wilkes-Barre, PA 18702
570.235.1946
Schedule an appointment online <https://www.nepageeks.com/schedule/>

On Mon, Oct 30, 2017 at 4:33 PM, Robert Muscat via Snort-users <snort-users () lists snort org> wrote:

Again, as long as it's within context, I don't see why they should not appear.

------------------------------
From: Snort-users <snort-users-bounces () lists snort org> on behalf of Joel Esler (jesler) via Snort-users <snort-users () lists snort org>
Sent: Monday, October 30, 2017 7:50:23 PM
To: DFIRob
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] To check for current SNORT limitations in 2.9

Yeah. Unfortunately, about twice a year we get these requests..

--
Joel Esler | Talos: Manager | jesler () cisco com

On Oct 30, 2017, at 3:10 PM, DFIRob via Snort-users <snort-users () lists snort org> wrote:

But that's just mean ;)

On Mon, Oct 30, 2017 at 8:06 PM, Joel Esler (jesler) <jesler () cisco com> wrote:

Also: https://snort.org/faq/can-i-have-help-with-my-homework

--
Joel Esler | Talos: Manager | jesler () cisco com

On Oct 30, 2017, at 2:13 PM, DFIRob via Snort-users <snort-users () lists snort org> wrote:

IMO:

> rule for a specific attack/policy, more efficient detection, lower false positives,

Have nothing to do with Snort, and more to do with the ruleset (unless you're planning to write a preprocessor). Although some false positives could be reduced on the IDS side, false negative reduction (aka more efficient detection, in a way) could be an improvement to the snort engine.

> granular detection,

What do you mean by that?

> use of less resources,

Yeah, sure, that's a possible improvement to Snort.

> better administration.

Maybe? Depends on what you define by administration...

My 2 cents as a Snort user..

Rob'

On Mon, Oct 30, 2017 at 4:47 PM, Robert Muscat via Snort-users <snort-users () lists snort org> wrote:

I gathered it from some papers; the majority is from a particular paper. Can someone advise if any of these are relevant? Are there any more known issues?

I need to find a niche area in SNORT where I can provide at least a minor enhancement for an undergraduate thesis, with an office environment as a scenario.

Problem is I haven't yet decided on which area I shall focus on, e.g. rule for a specific attack/policy, more efficient detection, use of less resources, lower false positives, granular detection, better administration. Unfortunately I have yet to use SNORT, but I also have to focus on an area where I can provide an improvement of some sort. I am aware that it is an open-ended idea. Your feedback is highly appreciated.

------------------------------
From: Joel Esler (jesler) <jesler () cisco com>
Sent: Monday, October 30, 2017 3:29 PM
To: Robert Muscat
Cc: snort-users () lists snort org
Subject: Re: [Snort-users] To check for current SNORT limitations in 2.9

Where did this come from?

--
Joel Esler | Talos: Manager | jesler () cisco com

On Oct 29, 2017, at 10:50 AM, Robert Muscat via Snort-users <snort-users () lists snort org> wrote:

Hi,

Can someone confirm which of the below problems are still persistent in the stable version (not 3.0)?

- Performance drops during heavy network traffic.
- Adding additional snort instances and modifying snort configurations can lead to mistake magnification. So experienced users only can use it.
- Snort cannot detect UDP and TCP flooding attacks; it can only detect ICMP flooding attacks.
- When snort is in its active detection mode it will utilize 100% CPU and will slow down the performance of the system to a greater extent.
- In snort, a graphical interface is not there by default and can be achieved only by adding extra plug-ins.
- By default snort will not provide any anomaly detection and is purely a misuse-based system. An extra plug-in is required.
- While handling normal traffic snort will process the packets at a slow pace. During a DoS or DDoS attack snort throughput increases drastically, but it will drop a large number of packets.
- When the number of rules increases, memory utilization also increases and hence it will take longer to initialize all the rules.
- Snort checks each and every field specified in the rule and creates RTN, OTN for all the fields in the rule. Therefore it will decrease the processing throughput by performing several unnecessary comparisons with all the fields in the rule.
- Snort is capable of detecting flooding attacks by default. If snort needs to be configured to detect other modes of attacks then the configuration file has to be changed, which indeed is a tedious task.
- Snort is purely an intrusion detection system and is not an intrusion prevention system.
- Snort will start to drop the packets at a massive rate when the incoming packet rate is more. Therefore possibilities of detecting possible attack patterns are more since it fails to analyze those dropped packets.

If there are more known issues, I would appreciate it if you could forward them to me.

Thanks in advance!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 29)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Marcin Dulak via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 DFIRob via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 DFIRob via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Mike Stephanick (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Joel Esler (jesler) via Snort-users (Oct 30)
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 30)
- Message not available
- Message not available
- Message not available
- Re: To check for current SNORT limitations in 2.9 Robert Muscat via Snort-users (Oct 30)