Snort mailing list archives

Re: "trons" Rules

From: Fyodor <fygrave () tigerteam net>
Date: Sat, 2 Mar 2002 18:33:12 +0700

so, lets discuss BlackICE protocol-analysis versus snort protocol-analysis
here on this list. I think this would be a proper discussion, comparing
things that are compareable ;-)


I still dont know the difference in detail! In the 0103cansec.ppt doc Mr.
Graham writes:

"What is protocol-analysis?
It is not a database of signatures!
Yes, about half the intrusions detected are based on a pattern, but it is an
exact match."


My understanding (not what mr. Graham probably thinks, but could be
similar): protocol analysis is when you take apart a protocol, analyse
each field within the communication, track the state of the protocol
communication with 'watched' hosts, and yell an alert if something that
you notice, looks fishy. i.g. erroneously long fields in protocol
'values' (long usernames in FTP, community strings in snmp), binary data
where ascii-only is expected, ascii data, where numeric only data is
expected, unusual occurences/sequences of commands within the protocol
(i.g. smtp is usually helo --> mail from--> rcpt to-->data-->quit, if
someone has sequential helo, mail from, vrfy, quit chances that he is
pockinga round with smth). etc.. protocol analysis (imho) is a module
which takes alot of work (and cpu(!)) and is somewhere in between the
signature matching and anomaly detection methods..

is, that snort does not decode all the "higher OSI layer protocols" that
BlackICE decodes.


Wouldn't know whether BlackICE actually does what it claims, but true,
currently snort mostly 'normalizes' some application-level protocols
data, before the signatures could be matched, without keep a track on
the protocol state, or anything that bad guys could mock around.

Snort2.x will be able to do more here, but as of the moment it is still coming(tm)! :-)

As far as I know, the only application snort currently decodes is FTP.
Is this correct?


Don't think so.. rpc preproc, http preproc/unicode, telnet preproc:
these could be the prototypes of protocol analyzers.


just my $0.02
-- 
http://www.notlsd.net
PGP fingerprint = 56DD 1511 DDDA 56D7 99C7  B288 5CE5 A713 0969 A4D1

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

"trons" Rules dr . kaos (Feb 28)
- RE: "trons" Rules Jason Lewis (Feb 28)
- <Possible follow-ups>
- RE: "trons" Rules Lampe, John W. (Mar 01)
  - RE: "trons" Rules Jeff Dell (Mar 01)
    - Re: "trons" Rules Jeff Nathan (Mar 02)
  - Re: "trons" Rules dr . kaos (Mar 01)
- RE:"trons" Rules counter . spy (Mar 01)
  - RE:"trons" Rules counter . spy (Mar 02)
    - Re: "trons" Rules Fyodor (Mar 02)
- RE: "trons" Rules Kohlenberg, Toby (Mar 02)
  - Re: "trons" Rules Fyodor (Mar 03)