Snort mailing list archives
another question
From: "Shafer, Troy" <tshafer () laurel k12 ky us>
Date: Mon, 16 Dec 2002 14:57:42 -0500
I found this code on the net for logging AIM traffic...

alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)

My first question: does this actually log the content of the messages? And two, how would I implement this with snort... write a .rules file, then put an include in the snort.conf? Still trying to figure this snort thing out...

Troy Shafer
Network Engineer
Laurel County Schools
606-862-4616
tshafer () laurel k12 ky us

-----Original Message-----
From: snort-users-request () lists sourceforge net [mailto:snort-users-request () lists sourceforge net]
Sent: Monday, December 16, 2002 1:49 PM
To: snort-users () lists sourceforge net
Subject: Snort-users digest, Vol 1 #2587 - 8 msgs

Send Snort-users mailing list submissions to snort-users () lists sourceforge net
To subscribe or unsubscribe via the World Wide Web, visit https://lists.sourceforge.net/lists/listinfo/snort-users or, via email, send a message with subject or body 'help' to snort-users-request () lists sourceforge net
You can reach the person managing the list at snort-users-admin () lists sourceforge net
When replying, please edit your Subject line so it is more specific than "Re: Contents of Snort-users digest..."

Today's Topics:
1. Re: Exclude IP addresses for all rules (Jens Krabbenhoeft)
2. writing to DB (only!) (Eduard San Anselmo Mateu)
3. RE: DB ERROR (Luo, Philip)
4. Ignorehosts, once again (Marc Quibell)
5. Newbie (Shafer, Troy)
6. Update (Luiz Alberto Cataldo Jr)
7. Re: Snort-users digest, Vol 1 #2581 - 7 msgs (Robert Young)
8. RE: New Trend: Intrusion Prevention (Sheahan, Paul (PCLN-NW))

--__--__--

Message: 1
Date: Mon, 16 Dec 2002 09:11:15 +0100
From: Jens Krabbenhoeft <tschenz-snort-users () noris net>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Exclude IP addresses for all rules

Hi,
I want to exclude IP addresses in my home net from being watched at all.
As you write 'being watched at all', the best thing to do is to ignore the IPs via BPF. Have a look at Erek Adams' post: http://marc.theaimsgroup.com/?l=snort-users&m=102347618314311&w=2

Try starting snort with "snort -options.... not host 192.168.1.1 and not host 192.168.1.2".
var HOME_NET [!$EXCLUDE,192.168.1.0/24]
The problem is that you have an ORed list in HOME_NET. !192.168.1.1 OR 192.168.1.0/24 matches on all IPs in 192.168.1.0/24. Have a look at my last week's post at http://marc.theaimsgroup.com/?l=snort-users&m=103942066423750&w=2

HTH,
Jens

--__--__--

Message: 2
Date: Mon, 16 Dec 2002 12:04:29 +0100
From: Eduard San Anselmo Mateu <esananselmo () albasoft com>
To: snort-users () lists sourceforge net
Subject: [Snort-users] writing to DB (only!)

Hi everyone,

I think I can't get to understand the way snort stores information, i.e. output plugins. The thing is that I would like snort to only store information in the database (so I set the database output plugin with log(?)...), but I don't want any information being written to a file (so I put -A none on the command line, is it right?). Of course, the output database plugin is the only one I have uncommented in the conf file, so snort should only log to the database, but I get the message "WARNING: command line overrides rules file alert plugin", and I've read that snort won't log to the database when this message shows up. So what am I doing wrong? Could anyone point me to a doc where output plugins are explained?

Thanks in advance.
Eduard

--__--__--

Message: 3
From: "Luo, Philip" <Philip_Luo () adp com>
To: 'Steve Suehring' <snort () braingia org>
Cc: snort-users () lists sourceforge net
Subject: RE: [Snort-users] DB ERROR
Date: Mon, 16 Dec 2002 08:43:07 -0500

There is no error when I tried mysql -u snort -p snort. Then I tried the rest; here is what I got:

mysql> show grants for snort@localhost;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@localhost                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'localhost' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'localhost'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

mysql> show grants for snort@127.0.0.1;
+------------------------------------------------------------------------------------------------------------------------------------+
| Grants for snort@127.0.0.1                                                                                                         |
+------------------------------------------------------------------------------------------------------------------------------------+
| GRANT SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES ON *.* TO 'snort'@'127.0.0.1' IDENTIFIED BY PASSWORD '1e6b29186dd45e97' |
| GRANT SELECT, INSERT, DELETE, CREATE ON `snort`.* TO 'snort'@'127.0.0.1'                                                           |
+------------------------------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

-----Original Message-----
From: Steve Suehring [mailto:snort () braingia org]
Sent: Friday, December 13, 2002 10:13 AM
To: Luo, Philip
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DB ERROR

Can you try doing something like this from the command-line:

mysql -u snort -p snort

Then see what error and/or error number you get. Also, from within the MySQL CLI (as root):

show grants for snort@localhost;
show grants for snort@127.0.0.1;

Steve

On Fri, Dec 13, 2002 at 09:20:46AM -0500, Luo, Philip wrote:
I did, no luck. I modified the hosts file too.

-----Original Message-----
From: Jens Krabbenhoeft [mailto:tschenz-snort-users () noris net]
Sent: Thursday, December 12, 2002 11:36 AM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] DB ERROR

Hi,

grant INSERT,SELECT,CREATE,DELETE on snort.* to snort@localhost
identified
^^^^^^^^^
Database ERROR:Database ERROR:Access denied for user: 'snort@127.0.0.1'
to
^^^^^^^^^

Try doing a grant for snort@127.0.0.1

HTH,
Jens

-------------------------------------------------------
This sf.net email is sponsored by: With Great Power, Comes Great Responsibility
Learn to use your power at OSDN's High Performance Computing Channel
http://hpc.devchannel.org/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
--__--__--

Message: 4
From: "Marc Quibell" <mquibell () fbfs com>
To: snort-users () lists sourceforge net
Date: Mon, 16 Dec 2002 08:29:32 -0600
Subject: [Snort-users] Ignorehosts, once again

OK, got another implementation of Snort. Now I forgot how I got it to ignore certain SOURCE IPs (such as using the DNS_SERVERS variable). I know there is a syntax issue with this. What is the exact way to ignore a host source? I currently have:

var DNS_SERVERS [207.108.40.###,207.108.40.###]
preprocessor portscan-ignorehosts: $DNS_SERVERS

This does not work. I've seen several variations, none of which work: it still gets alerts from these hosts.

TIA
Marc

--__--__--

Message: 5
From: "Shafer, Troy" <tshafer () laurel k12 ky us>
To: "'snort-users () lists sourceforge net'" <snort-users () lists sourceforge net>
Date: Mon, 16 Dec 2002 10:12:07 -0500
Subject: [Snort-users] Newbie

Hello, I recently became the network engineer of Laurel County Schools. As part of my job, I am trying to implement some security and logging abilities to the network. We are using Snort 1.9 for Windows. I have a problem getting it to run in NDIS...

C:\Snort>snort -c chat.conf -l c:\snort\log
Initializing Output Plugins!
Log directory = c:\snort\log

Initializing Network Interface \

        --== Initializing Snort ==--
Decoding Ethernet on interface \Device\NPF_{A4116FF7-6102-
}
Initializing Preprocessors!
Initializing Plug-ins!
Parsing Rules file chat.conf

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR => Undefined variable name: (chat.conf:10): HOME_NET
Fatal Error, Quitting..

C:\Snort>

Basically I am just trying to load the rules for chat clients and it keeps giving me this error. I tried to debug the code, but I am not sure of all what is going on inside the ruleset. Can anyone help me?

Also if I'm sending this to the wrong place I'm sorry. If there is a more appropriate place I would appreciate the link.

Troy Shafer
Network Engineer
Laurel County Schools
606-862-4616
tshafer () laurel k12 ky us
--__--__--

Message: 6
Date: Mon, 16 Dec 2002 13:23:10 -0300 (ART)
From: Luiz Alberto Cataldo Jr <cataldo_jr () yahoo com br>
To: Snort Lista <snort () yahoogroups com>, Snort List <snort-users () lists sourceforge net>
Subject: [Snort-users] Update

Hi guys, how can I configure the automatic update of Snort?

Thanks,
Luiz

---------------------------------
Busca Yahoo!
The best place to find everything you are looking for on the Internet

--__--__--

Message: 7
Date: Mon, 16 Dec 2002 10:01:09 -0800
From: Robert Young <kwailoe () pacbell net>
To: snort-users () lists sourceforge net
Subject: [Snort-users] Re: Snort-users digest, Vol 1 #2581 - 7 msgs

You wrote:

Message: 1
From: "Don" <Don () WeberOnTheWeb com>
To: <snort-users () lists sourceforge net>
Date: Fri, 13 Dec 2002 10:54:14 -0800
Subject: [Snort-users] stopping snort

Has anyone found a way to stop snort automatically? What I want to do is have snort stop if it gets more than 'x' alerts in a single hour, or some time frame, then of course email me that it has stopped. I do go to syslog with alerts. Any suggestions? I have a particular sensor that periodically starts alerting on something, that just causes a round robin effect, and fills up the logs with the same error over and over and over; it gets really boring actually, 'if' I can open the log. The logs have become as large as 2gig on occasion.

#!/bin/sh
# Robert Young
# start and stop snort IDS
# chkconfig: 345 85 15
# Starts and stops snort - swiped from init.d
# processname: snort
# pidfile: /var/run/IDS.pid

# Source function library
. /etc/rc.d/init.d/functions

# See how we were called
case "$1" in
  start)
        echo -n "Starting IDS: "
        /usr/local/snort -A full -D -c /etc/rules/snort.conf
        echo
        touch /var/lock/subsys/IDS
        pidof snort > /var/run/IDS.pid
        ;;
  stop)
        echo -n "Shutting down IDS: "
        [ -f /var/run/IDS.pid ] && {
            # -9 (SIGKILL) skips snort's own shutdown; a plain kill (SIGTERM)
            # lets it close its log files and print its statistics first
            kill -9 `cat /var/run/IDS.pid`
            echo -n IDS
        }
        echo
        rm -f /var/lock/subsys/IDS
        rm -f /var/run/IDS.pid
        ;;
  status)
        # the running process is named snort, not IDS
        status snort
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  *)
        echo "Usage: {start | stop | restart | status}"
        exit 1
esac
exit 0

Make the script executable and place it in /etc/rc.d/init.d. You may be able to write a script that reacts to certain conditions.
For example, I have used swatch to monitor my alert logs and page me when it detects hostile traffic exiting my network. swatch can execute the above script as well. You will need to edit the obvious commands to fit your set up. This has worked with Red Hat 7.3.

Bob Young

--__--__--

Message: 8
From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
To: "'Martin Roesch'" <roesch () sourcefire com>
Cc: "Snort List (E-mail)" <snort-users () lists sourceforge net>
Subject: RE: [Snort-users] New Trend: Intrusion Prevention
Date: Mon, 16 Dec 2002 13:48:33 -0500

Hi Marty,

Thanks for the feedback. I totally agree with your view on this. I definitely don't see IPS replacing IDS myself either. I can see IPS complementing IDS but that's about it. Giga Research was at Infosec 2002 in New York and they and others mentioned several times when speaking about security trends that IDS will be replaced by IPS. They even went as far as to say if you haven't started a corporate IDS installation at your company, to hold off and look at IPS. See their website where they have articles speaking about this (www.gigaweb.com).

Another interesting speech at Infosec 2002 by Counterpane's Bruce Schneier also backs up our view on this issue. He stated several times that prevention is always the preferred security method over detection, BUT, prevention will ALWAYS fail at some point, so detection will always be needed as a backup.

Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, December 13, 2002 5:21 PM
To: Sheahan, Paul (PCLN-NW)
Cc: Snort List (E-mail)
Subject: Re: [Snort-users] New Trend: Intrusion Prevention

Hi Paul,

I went into this on the Focus-IDS mailing list a month or so ago. Basically, I believe IPS to be more of a threat to (or the future of) firewalls.
Network intrusion prevention devices sit in-line and provide permit/deny access control for packet streams based on whether or not they're attacks. Presumably it would be relatively easy as a subset of functionality to add stateful packet filtering that's just as good or better than any existing firewalling mechanisms. Netscreen and Checkpoint have figured this out, which is why you see them making aggressive moves in the IPS space.

Intrusion detection devices have a VERY different role in the network security hierarchy: they provide *awareness* of what's happening on your network, verification of policy compliance and detection of potential threats and anomalies.

Let me lay out two scenarios that illustrate why intrusion prevention != intrusion detection and why it's unlikely that IPS will ever replace IDS (and how everyone who's trying to tell you it will is trying to sell you something):

1) IPS devices only guard the peering points (at best) of the network. In the case of an attack between hosts on the same broadcast network (inside the peering point) you have absolutely no coverage from the IPS. In that case you'll need to have an IDS to tell you what's going on. For example, someone in engineering decides to give himself a raise by hacking into the accounting department and making it so; your IPS has no visibility into this traffic so it's quite worthless. Your IDS can see this traffic, however, and collect the relevant information for detection/enforcement of policy and evidence for law enforcement.

2) No IPS is going to be perfect, so attacks are going to slip through them. It can be attacks that they don't know about (new buffer overflows, etc) or even traffic that's legitimate but hostile in your environment, like non-anonymous logins to your anonymous FTP server. If an attack gets by an IDS, how will you know? You better have a pretty good IDS to tell you, that's how.

There are several other things I could highlight, but I think this illustrates the point pretty well and it's Friday and late and I feel like going home. :)

-Marty

On Friday, December 13, 2002, at 12:30 PM, Sheahan, Paul (PCLN-NW) wrote:
I attended Infosecurity 2002 yesterday and there was much talk about intrusion detection going away, and intrusion prevention replacing it. Does anyone know if there are any plans to include intrusion prevention functionality into Snort in the future?

Thanks,
Paul Sheahan
Manager of Information Security
Priceline.com
paul.sheahan () priceline com
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Snort-based Enterprise Intrusion Detection Infrastructure
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

--__--__--

End of Snort-users Digest
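An added worked example, not code from Troy's message or from any post in the digest: a small Python checker that models how Snort reads `var`, `include` and rule lines in order. It reproduces the parse-time "Undefined variable name" failure from Message 5 (a rules file that references $HOME_NET is loaded on its own instead of through a snort.conf that defines it first), and it models the ORed address-list semantics Jens describes in Message 1, where `[!$EXCLUDE,192.168.1.0/24]` still matches the excluded host. The file contents, the variable names EXCLUDE and HOME_NET, the second rule, and the list-evaluation rules (an element is a CIDR block, `any`, or either of those negated with `!`) are assumptions made for the example; Snort's real parser understands far more than this.

```python
"""Variable and address-list checker for Snort 1.x-style config files.

Added example: models 'var', 'include', comments and rule lines only,
enough to reproduce the 'Undefined variable name' error and to show
why a negated element inside an ORed list does not exclude anything.
"""
import ipaddress
import re

VAR_RE = re.compile(r"^var\s+(\w+)\s+(\S+)\s*$")   # var NAME VALUE
REF_RE = re.compile(r"\$(\w+)")                     # $NAME reference

# Constructed stand-in for the filesystem: file name -> contents.
# chat.rules holds the rule quoted in the thread plus a constructed
# variant that restricts the source to $HOME_NET; snort.conf defines
# the variables and includes the rules file.
SAMPLE_FILES = {
    "chat.rules": (
        "# rule quoted in the thread\n"
        'alert tcp any any -> any 5190 (msg:"AIM Message"; content:"HTML";)\n'
        "# constructed variant that only watches traffic leaving $HOME_NET\n"
        'alert tcp $HOME_NET any -> any 5190 (msg:"AIM Message out"; content:"HTML";)\n'
    ),
    "snort.conf": (
        "var EXCLUDE 192.168.1.1\n"
        "var HOME_NET [!$EXCLUDE,192.168.1.0/24]\n"
        "include chat.rules\n"
    ),
}


def parse_config(files, main):
    """Walk `main` and everything it includes, in order, as Snort does.
    Returns (variables, errors); each error is 'file:line: message'."""
    variables, errors = {}, []

    def check_refs(name, lineno, text):
        for ref in REF_RE.findall(text):
            if ref not in variables:
                errors.append(f"{name}:{lineno}: Undefined variable name: {ref}")

    def walk(name):
        for lineno, raw in enumerate(files[name].splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            m = VAR_RE.match(line)
            if m:
                check_refs(name, lineno, m.group(2))   # a var may use earlier vars
                variables[m.group(1)] = m.group(2)
            elif line.startswith("include "):
                target = line.split(None, 1)[1]
                if target in files:
                    walk(target)
                else:
                    errors.append(f"{name}:{lineno}: include file not found: {target}")
            else:
                check_refs(name, lineno, line)         # a rule line

    walk(main)
    return variables, errors


def expand(expr, variables):
    """Substitute $NAME references until none remain."""
    while "$" in expr:
        expr = REF_RE.sub(lambda m: variables[m.group(1)], expr)
    return expr


def matches(expr, ip, variables):
    """Does address `ip` match a Snort address expression?

    A bracketed list is an OR over its elements and '!' negates only the
    element it is attached to (the behaviour Jens describes). So
    [!$EXCLUDE,192.168.1.0/24] matches every host in 192.168.1.0/24
    because the second element does, and under pure OR it also matches
    hosts outside that block, because the negated first element does.
    """
    expr = expand(expr, variables)
    if expr.startswith("[") and expr.endswith("]"):
        return any(matches(part, ip, variables) for part in expr[1:-1].split(","))
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


if __name__ == "__main__":
    # Loading the rules file directly reproduces Troy's error ...
    _, errors = parse_config(SAMPLE_FILES, "chat.rules")
    print("\n".join(errors))
    # ... loading snort.conf, which defines HOME_NET first, does not.
    variables, errors = parse_config(SAMPLE_FILES, "snort.conf")
    print("snort.conf errors:", errors or "none")
    for ip in ("192.168.1.1", "192.168.1.77", "10.0.0.1"):
        print(ip, "in $HOME_NET ->", matches("$HOME_NET", ip, variables))
```

The practical reading of the second half is Jens's point: a negation inside a bracketed list is just one more OR term, so the only way to keep a host out of Snort's view entirely is a BPF expression such as `not host 192.168.1.1` on the command line, which drops the packets before any rule sees them.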
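A second added example, again not code from the thread, for Don's question in Message 7 about stopping Snort once it exceeds 'x' alerts in an hour: a Python watchdog that reads the syslog lines Snort writes, finds the peak number of alerts inside any one-hour window, names the noisiest signature (so the operator can tune that rule rather than just silencing the sensor), and returns the stop command it would run. The syslog line layout, the sample lines, the assumed year and the init script path are all constructed for the example.

```python
"""Alert-rate watchdog for a Snort sensor that logs alerts to syslog.

Added example. Counts alerts in a sliding window over syslog lines and
decides whether the sensor should be stopped. The init script path and
the year assumed for syslog timestamps (syslog carries no year) are
assumptions, not values from the thread.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# syslog line as written by Snort's syslog output: group 1 is the
# timestamp, group 2 the gid:sid:rev, group 3 the message text.
LINE_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: \[(\d+:\d+:\d+)\] (.+?) \{"
)
ASSUMED_YEAR = 2002                   # assumption: syslog lines carry no year
INIT_SCRIPT = "/etc/rc.d/init.d/IDS"  # placeholder path, adjust to your install

# Constructed sample: five AIM alerts inside 21 minutes, then one
# unrelated alert two hours later.
SAMPLE_SYSLOG = """\
Dec 16 14:00:01 sensor1 snort[812]: [1:0:0] AIM Message {TCP} 10.1.1.5:3456 -> 64.12.24.1:5190
Dec 16 14:05:17 sensor1 snort[812]: [1:0:0] AIM Message {TCP} 10.1.1.9:3490 -> 64.12.24.1:5190
Dec 16 14:20:44 sensor1 snort[812]: [1:0:0] AIM Message {TCP} 10.1.1.5:3501 -> 64.12.24.1:5190
Dec 16 14:21:02 sensor1 snort[812]: [1:0:0] AIM Message {TCP} 10.1.1.5:3502 -> 64.12.24.1:5190
Dec 16 14:21:03 sensor1 snort[812]: [1:0:0] AIM Message {TCP} 10.1.1.5:3503 -> 64.12.24.1:5190
Dec 16 16:10:00 sensor1 snort[812]: [1:0:1] Constructed other signature {ICMP} 10.1.1.5 -> 10.1.1.1
"""


def parse_alerts(text):
    """Return (timestamp, signature) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((stamp, m.group(3)))
    return events


def peak_rate(events, window):
    """Largest number of alerts inside any interval of length `window`."""
    times = sorted(t for t, _ in events)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(text, threshold, window=timedelta(hours=1)):
    """Decide whether the sensor is flooding: more than `threshold`
    alerts inside one `window`. Also reports the noisiest signature."""
    events = parse_alerts(text)
    peak = peak_rate(events, window)
    noisiest = Counter(sig for _, sig in events).most_common(1)
    return {
        "alerts": len(events),
        "peak": peak,
        "exceeded": peak > threshold,
        "noisiest": noisiest[0] if noisiest else None,
    }


def stop_command():
    """Command the watchdog would run; separate so it can be checked without side effects."""
    return [INIT_SCRIPT, "stop"]


def notice(result):
    """Plain-text body for the e-mail the operator asked for."""
    sig, n = result["noisiest"] or ("none", 0)
    return (f"Snort stopped: {result['peak']} alerts in one window exceeded the "
            f"threshold. Noisiest signature: {sig!r} x{n}.")


if __name__ == "__main__":
    result = assess(SAMPLE_SYSLOG, threshold=3)
    print(result)
    if result["exceeded"]:
        print(notice(result))
        print("would run:", " ".join(stop_command()))
        # import subprocess; subprocess.run(stop_command(), check=True)  # enable on a real sensor
```

Run it from cron against the syslog file, or from swatch as Bob describes, and hand `notice(result)` to whatever mails the operator. Stopping the sensor is a loss of coverage, which is why the result names the signature doing the flooding: the durable fix is usually to tune or threshold that one rule.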
Current thread:
- another question Shafer, Troy (Dec 16)
- Re: another question twig les (Dec 16)