Snort mailing list archives

(no subject)


From: Blake Frantz <blake () mc net>
Date: Tue, 31 Jul 2001 09:56:19 -0500




http://snort.protected.host.com/test-cgi/../[insert your favourite iis
exploit]

This sample triggers the "WEB-CGI test-cgi access" rule, while the real exploit
doesn't get logged.

In this example, the 2nd exploit would be logged as part of the
packet payload captured by the 1st matching rule.

I don't see this as a design flaw.  IMHO the IDS worked properly; it
let you know something "bad" was happening.  It's the analyst's job to
make sense of the events that are actually transpiring...IDS systems
are not meant to be managed by an individual or team that merely looks at
the alert description and neglects the data within the captured packet.

Let's pretend for a minute that Snort *does* check every packet against
every rule regardless of match.  What prevents h4x0r_b0b from crafting
spoofed packets that contain 50 signatures and flooding your net with 'em,
effectively filling your IDS logs with a bunch of crap?  In the interim
h4x0r_b0b attacks one of your servers.  Now, Analyst_Jim thinks the IDS
broke and starts deleting alerts haphazardly.  h4x0r_b0b effectively
filled your IDS, hid his attack, and ruined Analyst_Jim's day.  Where is
the flaw in this scenario?  Analyst_Jim wasn't thorough in his work and
missed the attack.  Same goes with the situation you mention as a "flaw."
The IDS isn't the flaw; the flaw resides within the person managing the data
provided by the IDS.  In any event, I would rather have my IDS report on a
one-rule basis than run the risk of h4x0r_b0b crafting the aforementioned
packets and sending them in my direction.

Blake Frantz  A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net
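The two alerting policies the message contrasts, as an added toy model that is not part of the original post and not Snort's own code: "first matching rule wins" (one alert per packet, the behaviour Blake defends) versus "every matching rule fires". The rule names, content strings and the three request lines are constructed for the example; the traversal rule is only a stand-in for the unnamed IIS exploit in the quoted URL.

```python
"""Toy per-packet alerting: first-match vs. match-all.

Constructed illustration for the thread above.  The rules, alert names and
packets are assumptions made for this example, not Snort's real rule set.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    msg: str       # alert description the analyst sees in the log
    content: str   # substring that must appear in the payload (case-insensitive)


@dataclass(frozen=True)
class Alert:
    msg: str
    payload: str   # the full captured payload, which the post says to read


# Constructed rule set (assumption, not Snort's rules).  Order matters for
# first-match: the test-cgi rule is deliberately listed before the traversal rule.
RULES = (
    Rule("WEB-CGI test-cgi access", "/test-cgi"),
    Rule("WEB-MISC directory traversal", "/../"),   # stand-in for the unnamed IIS exploit
    Rule("WEB-CGI phf access", "/phf"),
    Rule("WEB-CGI formmail access", "/formmail"),
)


def match_first(payload, rules=RULES):
    """Log at most one alert per packet: the first rule that matches."""
    p = payload.lower()
    for r in rules:
        if r.content.lower() in p:
            return [Alert(r.msg, payload)]
    return []


def match_all(payload, rules=RULES):
    """Log one alert per matching rule (the policy the post warns against)."""
    p = payload.lower()
    return [Alert(r.msg, payload) for r in rules if r.content.lower() in p]


def alerts_for(packets, engine):
    """Run every packet through one engine and collect all alerts."""
    out = []
    for pkt in packets:
        out.extend(engine(pkt))
    return out


def evidence_in_payload(alert, needle):
    """The check the post asks of the analyst: look past the alert name into
    the captured packet for what else rode along in it."""
    return needle.lower() in alert.payload.lower()


# Constructed packets (request lines only).
# 1. The probe from the post: the test-cgi signature names the alert, the
#    second exploit sits behind it in the same request line.
PROBE = "GET /test-cgi/../some-iis-exploit HTTP/1.0"
# 2. h4x0r_b0b's flood packet: several signatures stuffed into one request.
FLOOD_PKT = "GET /test-cgi/phf/formmail/../x HTTP/1.0"
# 3. The real attack sent while the flood is running.
REAL_ATTACK = "GET /../real-attack HTTP/1.0"


def hidden_exploit_demo():
    """First point of the thread: first-match logs only 'test-cgi access',
    yet the captured payload still holds the traversal for the analyst to see.
    Returns (alert names logged, traversal visible in captured payload)."""
    alerts = match_first(PROBE)
    return [a.msg for a in alerts], evidence_in_payload(alerts[0], "/../")


def flood_demo(n_flood=50):
    """Second point of the thread: under match-all, n_flood crafted packets
    each fire every rule they contain, burying the single real-attack alert.
    Returns (alerts under first-match, alerts under match-all, real-attack
    alerts present under each policy)."""
    packets = [FLOOD_PKT] * n_flood + [REAL_ATTACK]
    first = alerts_for(packets, match_first)
    every = alerts_for(packets, match_all)
    real_first = sum(1 for a in first if a.payload == REAL_ATTACK)
    real_every = sum(1 for a in every if a.payload == REAL_ATTACK)
    return len(first), len(every), (real_first, real_every)


if __name__ == "__main__":
    print("probe:", hidden_exploit_demo())
    print("flood of 50:", flood_demo(50))
```

Under first-match the probe yields a single "WEB-CGI test-cgi access" alert whose payload still contains the `/../` traversal, which is exactly why the post says the analyst must read the captured packet rather than the description. Under match-all the same fifty flood packets produce four alerts each, so the one real-attack alert is one line among 201 instead of one among 51; either way it is logged, and the difference is only how much noise the analyst has to wade through.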


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users