Snort mailing list archives
RE: How does snort do packet signature detection?
From: Hernan Bugallo <hernan_bugallo () speedy com ar>
Date: Thu, 02 Oct 2003 15:07:54 -0300
Is Snort smart enough to search for an HTTP attack signature only inside the HTTP packets, or does it check it against other types of packets? And maybe, to be more granular, to inspect just a few signatures related to the state of the connection and the protocol of each packet? Thanks in advance

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On behalf of Matt Kettler
Sent: Thursday, 02 October 2003 02:21 p.m.
To: Chhabria, Kavita - Apogent; 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] How does snort do packet signature detection?

At 11:32 AM 10/2/2003, Chhabria, Kavita - Apogent wrote:
Can somebody please explain to me, in simple words, what a packet signature is, or rather what is contained within a packet signature and why it is useful? How does an IDS detect an attack based on packet signatures? What information is the IDS looking for within a packet when it says that it is doing packet signature inspection?
Snort can inspect a wide variety of things about a packet: header fields, port numbers, flags; it can also do text searches on the packet data, and it can track the state of TCP connections.

In simplified terms, typical IDS signatures look for things like: alert on anything from any port to TCP port 80, which is flowing to a server, which contains the string "/bin/sh". That would look for someone sending a request to your webserver containing /bin/sh, which is typical of a shell exploit of some sort.

But the signatures can be written to look for just about anything, and are written from the study of exploitation of specific kinds of vulnerabilities: common techniques for exploiting webservers, mailservers, DNS servers, as well as some generic rules that look for typical exploit payloads like NOP sleds, execution of shells, etc.

-------------------------------------------------------
This sf.net email is sponsored by: ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
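As an added illustration of the rule Matt describes (example code written for this archive page, not Snort's own code and not part of anyone's message): a toy matcher that parses a Snort-style rule and applies its header checks (protocol, addresses, ports) before the option checks (flow direction, session state, content search) to a handful of constructed packets. The rule text, its sid 1000001 (a number in the local-rule range), the $HOME_NET value and all sample packets are assumptions constructed here. It also shows the answer to Hernan's question in miniature: the "/bin/sh" string is only searched in packets whose header already matched TCP port 80 and whose session state is to-server and established. Real Snort does far more (stream reassembly, multi-pattern matching, protocol preprocessors), so this is only the logic of one rule.

```python
import re
from dataclasses import dataclass

# Hypothetical local rule modelled on the one Matt describes (not a rule from
# the Snort ruleset); sid 1000001 is in the range reserved for local rules.
RULE = ('alert tcp any any -> $HOME_NET 80 '
        '(msg:"WEB-ATTACKS /bin/sh in request"; flow:to_server,established; '
        'content:"/bin/sh"; nocase; sid:1000001; rev:1;)')

HOME_NET = {"192.168.1.10"}   # constructed: the protected web server


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes
    to_server: bool = True    # direction within the tracked TCP session
    established: bool = True  # session completed the three-way handshake


def parse_rule(text):
    """Split 'action proto src sport -> dst dport (opt:val; opt; ...)'."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = {}
    # key:"quoted value";  key:value;  or a bare flag such as nocase;
    for key, val in re.findall(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;', body):
        opts[key] = val.strip('"') if val else None
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def decode_content(spec):
    """Snort content syntax: literal text, with |hex bytes| between pipes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def ip_matches(spec, addr, home_net):
    if spec == "any":
        return True
    if spec == "$HOME_NET":
        return addr in home_net
    return spec == addr


def port_matches(spec, port):
    return spec == "any" or int(spec) == port


def rule_matches(rule, pkt, home_net=HOME_NET):
    """Cheap header checks first; the payload is only searched if they pass."""
    if pkt.proto != rule["proto"]:
        return False
    if not (ip_matches(rule["src"], pkt.src, home_net)
            and port_matches(rule["sport"], pkt.sport)):
        return False
    if not (ip_matches(rule["dst"], pkt.dst, home_net)
            and port_matches(rule["dport"], pkt.dport)):
        return False
    opts = rule["opts"]
    if opts.get("flow"):
        flags = set(opts["flow"].split(","))
        if "to_server" in flags and not pkt.to_server:
            return False
        if "to_client" in flags and pkt.to_server:
            return False
        if "established" in flags and not pkt.established:
            return False
    if "content" in opts:
        needle, hay = decode_content(opts["content"]), pkt.payload
        if "nocase" in opts:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def scan(rule_text, packets, home_net=HOME_NET):
    """Return (index, sid) for every packet that fires the rule."""
    rule = parse_rule(rule_text)
    return [(i, rule["opts"]["sid"]) for i, p in enumerate(packets)
            if rule_matches(rule, p, home_net)]


# Constructed sample traffic (not captured data).
SAMPLE = [
    # 0: request to the web server carrying /bin/sh: fires
    Packet("tcp", "10.0.0.5", 40001, "192.168.1.10", 80,
           b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n"),
    # 1: same string sent to SMTP: port check fails, payload never searched
    Packet("tcp", "10.0.0.5", 40002, "192.168.1.10", 25,
           b"MAIL FROM:</bin/sh>\r\n"),
    # 2: the server's reply echoing the string: wrong direction, and the
    #    destination is not in $HOME_NET
    Packet("tcp", "192.168.1.10", 80, "10.0.0.5", 40001,
           b"HTTP/1.0 200 OK\r\n\r\n/bin/sh: not found\n", to_server=False),
    # 3: mixed case, still caught because the rule says nocase
    Packet("tcp", "10.0.0.6", 40003, "192.168.1.10", 80,
           b"GET /cgi-bin/test.cgi?cmd=/BIN/SH HTTP/1.0\r\n\r\n"),
    # 4: ordinary request: nothing to match
    Packet("tcp", "10.0.0.7", 40004, "192.168.1.10", 80,
           b"GET /index.html HTTP/1.0\r\n\r\n"),
    # 5: payload seen before the handshake completed: flow:established fails
    Packet("tcp", "10.0.0.8", 40005, "192.168.1.10", 80,
           b"GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n",
           established=False),
]

if __name__ == "__main__":
    print(scan(RULE, SAMPLE))   # [(0, '1000001'), (3, '1000001')]
```

Only packets 0 and 3 fire: the order of checks is what keeps the "/bin/sh" search from ever running against the SMTP packet, the server's reply or the unestablished session, which is the granularity Hernan asks about, as far as one rule's header and flow options provide it.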
Current thread:
- How does snort do packet signature detection? Chhabria, Kavita - Apogent (Oct 02)
- Message not available
- Re: How does snort do packet signature detection? Matt Kettler (Oct 02)
- RE: How does snort do packet signature detection? Hernan Bugallo (Oct 04)
- RE: How does snort do packet signature detection? Matt Kettler (Oct 02)
- Re: How does snort do packet signature detection? Matt Kettler (Oct 02)
- Message not available
- Re: How does snort do packet signature detection? james (Oct 02)