Snort mailing list archives
Re: protocols decoded
From: "security () brvenik com" <security () brvenik com>
Date: Tue, 10 Aug 2004 01:15:05 -0400
jvarlet () aressi fr wrote:
> Hi, I would like to know how many protocols Snort can decode. Some IDS (like ISS, McAfee, ...) can decode more than 100 protocols. I saw that Snort decodes 3 (TCP, UDP, ICMP); but how many protocols from network to application? Thanks a lot!
Snort does not have a number of supported protocols since protocol support is unlimited in theory. Snort does handle normalization of application protocols where necessary to make detection easier and rare cases where detection cannot easily be performed in rules.
With the capabilities of byte_test, byte_jump, flowbits, PCRE, isdataat, content, distance, within, and ASN1 nearly all protocols and vulnerable conditions can be modeled in rules. It is possible to track arbitrary state transitions in any protocol and validate the conditions as they manifest on the wire. Have a look at a lot of the recent rules published for examples.
Another consideration is that supporting XXX protocols adds significant complexity to the base product, which increases risk and does not necessarily improve detection. A perfect case of this is the recent vulnerability in ISS where the Witty worm exploited poor coding in the PAM module, whereby any traffic on a specific port was apparently considered ICQ; a crafty packet caused the system to effectively rm -rf / while attempting to spread.
You also have to consider that protocol support is a smooth way of saying that we force you to inspect traffic by our interpretation of the protocol. What happens if that interpretation is incorrect or incomplete? Do you miss attacks? Do you need a full decoder regression and patch?
Snort maintains its simplicity by implementing this in rules and alleviates the burden of needlessly reverse engineering proprietary protocols when all you are really looking for is an exploitable condition. Do not confuse rules with signatures; rules are far more capable and complex, and are capable of performing protocol decodes where needed when crafted by a skilled user.
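As an added example (not part of this post or of the Snort distribution), two pairs of rules in Snort 2.x syntax showing the options named above: flowbits tracking an FTP login state across a session, and byte_test/byte_jump/isdataat validating a length-prefixed record on a hypothetical TCP/7000 service. The TCP/7000 protocol layout and the SIDs in the local 1000000 range are assumptions.

```snort
# --- State tracking with flowbits (FTP, port 21) ---
# Rule 1: server replies "230 " (login accepted). Record the state on the
# flow but do not alert; this is protocol decoding done in a rule.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP login accepted (state only)"; flow:from_server,established; content:"230 "; depth:4; flowbits:set,ftp.logged_in; flowbits:noalert; classtype:protocol-command-decode; sid:1000001; rev:1;)

# Rule 2: only fires once the flow has passed through the state set above,
# so a SITE EXEC seen before authentication does not trigger it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC after successful login"; flow:to_server,established; flowbits:isset,ftp.logged_in; content:"SITE "; nocase; depth:5; content:"EXEC"; nocase; distance:0; within:10; classtype:attempted-admin; sid:1000002; rev:1;)

# --- Length validation with byte_test / byte_jump / isdataat ---
# Assumed (constructed) record format on TCP/7000:
#   bytes 0-1  big-endian record length (excluding these two bytes)
#   byte  2    opcode
#   bytes 3..  record body
# Rule 3: declared length exceeds the 1024-byte buffer the assumed service uses.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 (msg:"EXAMPLE/7000 oversized record length"; flow:to_server,established; byte_test:2,>,1024,0; classtype:attempted-dos; sid:1000003; rev:1;)

# Rule 4: opcode 0x7f record followed by data past the declared end.
# byte_jump reads the 2-byte length at offset 0 and moves the cursor
# 2 + length bytes forward; isdataat then checks for trailing bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 7000 (msg:"EXAMPLE/7000 opcode 0x7f with data beyond declared length"; flow:to_server,established; content:"|7f|"; offset:2; depth:1; byte_jump:2,0; isdataat:1,relative; classtype:protocol-command-decode; sid:1000004; rev:1;)
```

Load the file with an `include` line in snort.conf and test against a pcap with `snort -r`; rule 1 alone produces no alerts because of flowbits:noalert.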