Snort mailing list archives

Re: insertion and evasion


From: Saad Kadhi <bsdguy () docisland org>
Date: 18 Apr 2002 16:21:42 +0200

On Thu, 2002-04-18 at 15:02, Federico Lombardo wrote:
> So, snort can in any case protect our nids structure from evasion and insertion techniques?
What did you mean by "protect our nids structure"? Snort is a nids and
it can detect and sense network probes, signatures, etc. using a
signature database and preprocessors. It is not designed to protect, or
at least that is not its primary goal. This task is usually delegated to
firewalls.

If you meant to ask if Snort is not susceptible to evasion and insertion,
then the answer is "it depends". Snort is not susceptible to most of the
known techniques (at least, it'll be in a few days after Dug's post to
focus-ids & Dragos's answer). But it might be susceptible to other
techniques, as other IDSes such as Dragon are. *sigh* This is life!

> Can snort preprocessors do that?
stream4 & the other bunch can help out for sure. I also advise you to
put some kind of a packet normalizer or scrubber (for example, an
invisible openbsd pf bridge) in front of the nids.


-- 
Saad -- [pgp keyid: 35592A6D http://pgp.mit.edu]
# booth slave for hire
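
Added example (not part of the original post, and not Snort or pf code): a toy model of why a normalizer in front of the NIDS helps. It goes beyond the post by picking one well-known ambiguity, overlapping TCP segments, where a sensor and the protected host can reassemble the same traffic differently. The policy names, function names and sample segments are constructed for illustration.

```python
# Added illustration; names, policies and sample data are constructed.

def reassemble(segments, policy):
    """Rebuild a stream from (offset, data) segments.

    policy "first": the first byte seen at an offset wins.
    policy "last":  a later segment overwrites earlier bytes.
    """
    stream = {}
    for off, data in segments:
        for i, b in enumerate(data):
            if policy == "last" or off + i not in stream:
                stream[off + i] = b
    return bytes(stream[k] for k in sorted(stream))


def normalize(segments):
    """Scrubber model: forward each stream offset once, trimming any overlap."""
    seen, out = set(), []
    for off, data in segments:
        start, run = None, bytearray()
        for i, b in enumerate(data):
            pos = off + i
            if pos in seen:              # byte already forwarded: drop it
                if run:
                    out.append((start, bytes(run)))
                    run = bytearray()
                continue
            seen.add(pos)
            if not run:
                start = pos
            run.append(b)
        if run:
            out.append((start, bytes(run)))
    return out


def views_agree(segments):
    """True when both reassembly policies yield the same stream."""
    return reassemble(segments, "first") == reassemble(segments, "last")


# Constructed traffic: two segments claim offsets 3..5 with different content.
SEGMENTS = [(0, b"ATT"), (3, b"XXX"), (3, b"ACK")]

if __name__ == "__main__":
    print("first-wins:", reassemble(SEGMENTS, "first"))
    print("last-wins: ", reassemble(SEGMENTS, "last"))
    print("after scrub, views agree:", views_agree(normalize(SEGMENTS)))
```

Without the scrubber the two policies disagree on what the stream contains; once overlaps are trimmed upstream, the sensor and the host see the same bytes whatever policy each uses.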

