IDS mailing list archives
Re: BARE BYTE UNICODE ENCODING
From: nick black <dank () suburbanjihad net>
Date: Mon, 7 Jun 2004 15:59:14 +0000 (UTC)
On 2004-06-05, Martin Roesch <roesch () sourcefire com> wrote:
> the fall of 2002 (version 1.9.0), in the current shipping ruleset there are 10 (out of 2500+) rules that still use A+ for whatever reason. I wouldn't exactly call that "permeating". Back before Snort had TCP
The amount of work that's gone into this is impressive and well-appreciated! It seems only a few months ago the A+ method was in widespread usage -- the short lag between expansion of the rule syntax and the far more arduous task of converting hundreds of rules speaks well of snort's development practices.
> I think most people can agree that recent versions of Snort with mechanisms like pcre, byte_test/jump, flowbits and the flow keywords provide us with vastly improved and much more precise analysis capabilities over what we had even 18 months ago. We are highly
I most certainly agree with you; it took time, however, for the rulebase to take advantage of the new features (understandably, given the breadth of CVS's rules). Unfortunately, it's hard to undo years of widespread techniques in the Google era, no matter how deprecated, and rule writers of less élan are likely to cling on. This is no knock at snort, just a general lament. The A+ stopgap indeed gave early snort incarnations more information, and correct info in the general case, but surely many of those who pondered its purpose took away incomplete assumptions regarding intrusion detection... c'est la vie.
> looked at Snort in a couple years you should probably check out 2.1.3 and especially check out the rules (like the rules we used to pick up LSASS.EXE attacks) and see how far it's come.
Well the multipattern matching additions were some fine work, as well :).
> Are you talking about the Snort 2.X detection engine or just in general?
I was mainly being snippy, quite frankly. I apologize for the childish digs at a great example of open source and your creative joy; it had been an evening of wearisome debugging indeed.

--
nick black <dank () reflexsecurity com>
"np: nondeterministic polynomial-time
 the class of dashed hopes and idle dreams." - the complexity zoo