Re: protocols decoded

[Martin Roesch <roesch () sourcefire com>]

Snort decodes/recognizes the following protocols "natively":

Link Layer:
Ethernet
802.11
Raw
Null/loopback
Token Ring
FDDI
Linux SLL
PF log (OpenBSD)
PPPoE
PPP
SLIP
I4L
HDLC

Network Layer:
IPv4
ARP

Transport Layer:
TCP
UDP
ICMP

Other:
EAPOL (802.1x)
EAP (802.1x)
802.1q

At the application layer, we currently have analysis and normalization 
for ASN.1, Telnet, Sun RPC, and HTTP.  All other application layer 
protocols are handled in the rules language currently.  Not to be zen 
or anything, but Snort's rules language allows us to "decode" (analyze) 
all protocols by decoding no protocols.  We can even look at 
non-TCP/UDP/ICMP transport layer protocols using the IP protocol option 
in rules and selecting protocols using the ip_proto keyword.

The side effect of this design is that it's "safe", we can write rules 
to provide protocol analysis all day long without worrying about buffer 
overflows in the protocol decoders.  Less code = more safety, the 
design and implementation is simple and rugged (apart from some 
problems we had early last year) and also allows us to handle emerging 
threats for protocols that are emerging concerns (like DCERPC) without 
necessarily having to force everyone through an upgrade cycle.

Anyway, this is kind of a philosophical discussion.  I'm happy with the 
design we've got now although some more preprocessors to handle certain 
app layer protocols are definitely on the drawing boards.

    -Marty


On Aug 9, 2004, at 10:10 PM, jvarlet () aressi fr wrote:

> Hi,
>
> I would like to know how many protocols snort can decode. Some IDS 
> (like ISS,
> MacAfee,...) can decode more than 100 protocols. I saw that snort 
> decode 3
> (tcp, udp, icmp); but how many protocols from network to application ?
>
> Thanks a lot !
>
>
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users