Snort mailing list archives

Re: protocols decoded


From: "security () brvenik com" <security () brvenik com>
Date: Tue, 10 Aug 2004 01:15:05 -0400



jvarlet () aressi fr wrote:

Hi,

I would like to know how many protocols snort can decode. Some IDS (like ISS,
McAfee, ...) can decode more than 100 protocols. I saw that snort decodes 3
(tcp, udp, icmp); but how many protocols from network to application?

Thanks a lot !


Snort does not have a number of supported protocols since protocol support is unlimited in theory. Snort does handle normalization of application protocols where necessary to make detection easier and rare cases where detection cannot easily be performed in rules.

With the capabilities of byte_test, byte_jump, flowbits, PCRE, isdataat, content, distance, within, and ASN1 nearly all protocols and vulnerable conditions can be modeled in rules. It is possible to track arbitrary state transitions in any protocol and validate the conditions as they manifest on the wire. Have a look at a lot of the recent rules published for examples.

Another consideration is that supporting XXX protocols adds significant complexity to the base product, which increases risk and does not necessarily improve detection. A perfect case of this is the recent vulnerability in ISS where the witty worm exploited poor coding in the PAM module, whereby any traffic on a specific port was apparently considered ICQ. A crafty packet caused the system to effectively rm -rf / while attempting to spread.

You also have to consider that protocol support is a smooth way of saying that we force you to inspect traffic by our interpretation of the protocol. What happens if that interpretation is incorrect or incomplete? Do you miss attacks? Do you need a full decoder regression and patch?

Snort maintains its simplicity by implementing this in rules and alleviates the burden of reverse engineering proprietary protocols needlessly when all you are really looking for is an exploitable condition. Do not confuse rules with signatures; rules are far more capable and complex and are capable of performing protocol decodes where needed when crafted by a skilled user.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
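The reply above says that content, byte_test, byte_jump, isdataat and flowbits let a rule decode just the fields it needs and track protocol state across packets without a dedicated decoder. The following Python model, added here as an illustration and not code from Snort or from the thread's authors, shows the mechanics of those options on a constructed length-prefixed protocol (one byte record type, two-byte big-endian length, then the value). The protocol, port 5555, the `example.login` flowbit name and the sids 1000001-1000003 in the quoted rules are all made up for the example; the three rule strings in the docstring are the Snort 2 rule-language equivalents of the logic the functions implement.

```python
"""Model of how Snort rule options decode a length-prefixed record without a
full protocol decoder.  Hypothetical wire format (constructed for this example):

    type(1 byte) | length(2 bytes, big-endian) | value(length bytes)

Equivalent Snort 2 rules (port, flowbit name and sids are placeholders):

alert tcp any any -> any 5555 (msg:"EXAMPLE oversized login record"; \
    flow:to_server,established; content:"|01|"; depth:1; \
    byte_test:2,>,512,1; sid:1000001; rev:1;)
alert tcp any any -> any 5555 (msg:"EXAMPLE login seen"; \
    flow:to_server,established; content:"|01|"; depth:1; \
    flowbits:set,example.login; flowbits:noalert; sid:1000002; rev:1;)
alert tcp any any -> any 5555 (msg:"EXAMPLE trailing data after command record"; \
    flow:to_server,established; flowbits:isset,example.login; \
    content:"|02|"; depth:1; byte_jump:2,1; isdataat:1,relative; \
    sid:1000003; rev:1;)
"""
from __future__ import annotations

import operator
import struct
from dataclasses import dataclass, field

OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}


def byte_test(payload: bytes, size: int, op: str, value: int, offset: int) -> bool:
    """byte_test:<size>,<op>,<value>,<offset>; compares an unsigned big-endian
    field at an absolute offset; fails (no match) if the field is not present."""
    if offset < 0 or offset + size > len(payload):
        return False
    return OPS[op](int.from_bytes(payload[offset:offset + size], "big"), value)


def byte_jump(payload: bytes, size: int, offset: int) -> int | None:
    """byte_jump:<size>,<offset>; reads a length field at an absolute offset and
    moves the detection cursor past the field and the data it describes.
    Returns None (rule fails) when the jump lands beyond the payload."""
    if offset < 0 or offset + size > len(payload):
        return None
    length = int.from_bytes(payload[offset:offset + size], "big")
    cursor = offset + size + length
    return cursor if cursor <= len(payload) else None


def isdataat(payload: bytes, cursor: int, count: int) -> bool:
    """isdataat:<count>,relative; true if at least <count> bytes follow the cursor."""
    return cursor + count <= len(payload)


@dataclass
class Flow:
    """Per-flow state; Snort keeps flowbits in the flow/session tracker."""
    flowbits: set[str] = field(default_factory=set)


def inspect(flow: Flow, payload: bytes) -> list[str]:
    """Evaluate the three example rules against one packet payload on a flow."""
    alerts: list[str] = []
    if not payload:
        return alerts
    rtype = payload[0]                       # content:"|01|"; depth:1; etc.
    if rtype == 0x01:
        flow.flowbits.add("example.login")   # flowbits:set,example.login; noalert
        if byte_test(payload, 2, ">", 512, 1):
            alerts.append("EXAMPLE oversized login record")
    elif rtype == 0x02 and "example.login" in flow.flowbits:
        cursor = byte_jump(payload, 2, 1)    # skip the declared value
        if cursor is not None and isdataat(payload, cursor, 1):
            alerts.append("EXAMPLE trailing data after command record")
    return alerts


def make_record(rtype: int, value: bytes, trailing: bytes = b"") -> bytes:
    """Build a constructed record; `trailing` simulates bytes past the declared length."""
    return struct.pack(">BH", rtype, len(value)) + value + trailing


def demo() -> dict[str, list[str]]:
    """Run constructed packets through one flow and a fresh flow; returns alerts per case."""
    flow = Flow()
    results = {
        "login_ok": inspect(flow, make_record(0x01, b"alice")),
        "cmd_ok": inspect(flow, make_record(0x02, b"LIST")),
        "cmd_trailing": inspect(flow, make_record(0x02, b"LIST", trailing=b"\x00" * 4)),
        "login_oversized": inspect(flow, make_record(0x01, b"A" * 600)),
    }
    # State matters: the same malformed command on a flow that never saw a
    # login record does not match, because flowbits:isset fails.
    results["cmd_no_login"] = inspect(Flow(), make_record(0x02, b"LIST", trailing=b"\x00"))
    return results


if __name__ == "__main__":
    for case, alerts in demo().items():
        print(f"{case:16s} -> {alerts}")
```

The point of the model is the division of labour the reply describes: the rule decodes only the type and length fields it cares about (byte_test, byte_jump), checks the one condition that would matter (an oversized field, data past the declared end), and keeps the cross-packet state in a flowbit rather than in a protocol-specific decoder that would have to be regression-tested and patched.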