Snort mailing list archives
Re: What's the fuss about string matching ?
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 28 May 2002 09:41:55 +1200
On Mon, May 27, 2002 at 12:46:30PM -0700, Pawel Rogocz wrote:
> 1. Lots of traffic is encrypted these days.
> 2. What's the point in watching for a known vulnerability, if you know your system is not vulnerable? Do you want to be woken up at 3 a.m. because someone sent you a malformed packet? Given the fact that all alerts in snort are based on known vulnerabilities, you should patch your systems or take them off-line.
Big assumption there. Most large networks have multiple owners of the kit in DMZs/etc. As such, it cannot be assumed that they *all* are upgraded immediately after an exploit is discovered. In fact, the reality is that most of the business owners aren't even up to the task... :-( None of this applies to people on this list of course :-) What you find is that people suddenly get frightened and act when they hear that someone is knocking on the door. That is the up-side to running an IDS. It's still commonly believed that no-one will have a go at "our box" as "there are more interesting targets out there". Obviously with automated attacks that is erroneous - but it's still thought of that way :-(
> It would be more effective for an IDS to alert when a successful intrusion was detected, but in many environments this can easily be done with a sniffer like tcpdump.
Absolutely. I for one do both. Standard firewalls are great at blocking AND LOGGING attempts from DMZ hosts to make network connections they're not meant to ever need to do (more specifically, make a network connection other than those allowed...) ...but lay off the "active" IDSes as a means of thwarting attacks. Boy, was my face red when I discovered the reason why our internal staff couldn't upload a particular binary to their own DMZ Web server was because Snort thought it was a trojan - and RSET it ;-) ("I don't understand, it gets 1.2Mb into the upload and then dies - every time!!!") ;-)

--
Cheers

Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
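To illustrate the failure mode Jason describes (an active-response rule tearing down a legitimate upload) next to the passive alternative, here is an added pair of Snort rules; they are not from the thread or from the Snort ruleset, and the sid values, the hex pattern and the port are constructed placeholders. The first rule sends resets on any connection whose payload contains the PE "MZ" header bytes, which is exactly the kind of match that fires on a harmless Windows binary being uploaded; the second keeps the detection but only alerts, restricts it to established client-to-server traffic and looks only at the start of the payload.

```snort
# Constructed example rules (not from the thread or the Snort distribution).
# Rule 1: a loose string match combined with flexresp active response.
# "resp:rst_all" sends TCP RSTs to both ends of every matching session, so a
# legitimate .exe upload (every PE file starts with the bytes 4D 5A) is killed
# mid-transfer along with anything actually malicious.
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE PE header in HTTP upload - active response"; \
    content:"|4D 5A|"; resp:rst_all; sid:1000001; rev:1;)

# Rule 2: the same detection as a passive alert. No resp keyword, so nothing is
# torn down; flags:A+ limits it to established sessions; depth:2 only examines
# the first two payload bytes, so an MZ sequence deep inside a file does not match.
# A human (or the firewall egress logs Jason mentions) decides what to do next.
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE PE header in HTTP upload - alert only"; \
    flags:A+; content:"|4D 5A|"; depth:2; sid:1000002; rev:1;)
```

Port 80 is used because the message concerns a DMZ Web server; the variable $HOME_NET is the standard Snort configuration variable and must be set in snort.conf.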