Re: How does snort do packet signature detection?

[Matt Kettler <mkettler () evi-inc com>]

At 11:32 AM 10/2/2003, Chhabria, Kavita - Apogent wrote:
> Can somebody please explain me in simple words, what is a packet signature 
> or rather what is contained within a packet signature and why is it 
> useful.  How does an IDS detect an attack based on packet 
> signatures?  What information is the IDS looking for within a packet, when 
> it says that is doing packet signature inspection?

Snort can inspect a wide variety of things about a packet. Header fields, 
port numbers, flags, and it can also do text searches on the packet data 
and it can track the state of TCP connections.

In simplified terms typical IDS signatures are to look for things like:

 alert on anything from any port to tcp port 80, which is flowing to a 
server, which contains the string "/bin/sh"

Which would look for someone sending a request to your webserver containing 
/bin/sh.. which is typical of a shell exploit of some sort.

But the signatures can be written to look for just about anything, and are 
written from the study of exploitation of specific kinds of 
vulnerabilities. Common techniques for exploiting webservers, mailservers, 
dns servers, as well as some generic rules that look for typical exploit 
payloads like nop-sleds, execution of shells, etc.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users