Snort mailing list archives

Re: What's the fuss about string matching ?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 28 May 2002 09:41:55 +1200

On Mon, May 27, 2002 at 12:46:30PM -0700, Pawel Rogocz wrote:
> 1. Lots of traffic is encrypted these days.
> 2. What's the point in watching for a known vulnerability, if you know
> your system is not vulnerable ? Do you want to be woken up at 3 a.m.
> because someone sent you a malformed packet ? Given the fact that all 
> alerts in snort are based on known vulnerabilities, you should patch your
> systems or take them off-line.

Big assumption there. Most large networks have multiple owners of the kit in
DMZs/etc. As such, it cannot be assumed that they *all* are upgraded
immediately after an exploit is discovered. In fact, the reality is that
most of the business owners aren't even up to the task... :-(

None of this applies to people on this list of course :-)

What you find is that people suddenly get frightened and act when they hear
that someone is knocking on the door. That is the up-side to running an IDS.
It's still commonly believed that no-one will have a go at "our box" as
"there are more interesting targets out there". Obviously with automated
attacks that is erroneous - but it's still thought of that way :-(

> It would be more effective for an IDS to alert when a successful intrusion 
> was detected, but in many environments this can easily be done 
> with a sniffer like tcpdump.

Absolutely. I for one do both. Standard firewalls are great at blocking AND
LOGGING attempts from DMZ hosts to make network connections they're not
meant to ever need to do (more specifically, make a network connection other
than those allowed...)

...but lay off the "active" IDSes as a means of thwarting attacks. Boy, was
my face red when I discovered the reason why our internal staff couldn't
upload a particular binary to their own DMZ Web server was because Snort
thought it was a trojan - and RSET it ;-) ("I don't understand, it gets
1.2Mb into the upload and then dies - every time!!!") ;-)

-- 
Cheers

Jason Haar

Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417

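As an added example (not part of Jason's post or of Snort itself), here is a small Python check that applies the egress-logging idea above: DMZ hosts are expected to make only an allow-listed set of outbound connections, so any other outbound connection seen in the firewall log is worth an alert. The DMZ range, the per-host allow-list and the simplified iptables-style log lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in a simplified netfilter LOG format (not real logs).
SAMPLE_LOGS = """\
May 27 03:12:01 fw kernel: DMZ_OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=41022 DPT=3306
May 27 03:12:05 fw kernel: DMZ_OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=UDP SPT=51333 DPT=53
May 27 03:14:40 fw kernel: DMZ_OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=41055 DPT=6667
May 27 03:15:02 fw kernel: DMZ_OUT IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=33010 DPT=3306
May 27 03:15:09 fw kernel: DMZ_IN IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
"""

DMZ = ipaddress.ip_network("192.0.2.0/24")  # assumed DMZ address range

# Assumed egress policy: the (destination, proto, port) triples each DMZ host
# legitimately needs, e.g. its database server and the resolver.
ALLOWED_EGRESS = {
    "192.0.2.10": {("198.51.100.5", "TCP", 3306), ("198.51.100.2", "UDP", 53)},
    "192.0.2.11": {("198.51.100.5", "TCP", 3306)},
}

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a connection log line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"], int(m["dpt"])


def unexpected_egress(log_text):
    """Return connection tuples from DMZ hosts that are not in the allow-list.

    Lines whose source is outside the DMZ are inbound traffic ("someone knocking
    on the door") and are ignored; only outbound connections a DMZ host should
    never need to make are flagged, since those suggest the host is compromised.
    """
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if ipaddress.ip_address(src) not in DMZ:
            continue
        if (dst, proto, dport) not in ALLOWED_EGRESS.get(src, set()):
            flagged.append((src, dst, proto, dport))
    return flagged


if __name__ == "__main__":
    for hit in unexpected_egress(SAMPLE_LOGS):
        print("unexpected outbound connection from DMZ host: %s -> %s %s/%d" % hit)
```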
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users