Snort mailing list archives
Re: protocols decoded
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 11 Aug 2004 17:05:31 -0400
Snort decodes/recognizes the following protocols "natively":

Link Layer: Ethernet, 802.11, Raw, Null/loopback, Token Ring, FDDI, Linux SLL, PF log (OpenBSD), PPPoE, PPP, SLIP, I4L, HDLC
Network Layer: IPv4, ARP
Transport Layer: TCP, UDP, ICMP
Other: EAPOL (802.1x), EAP (802.1x), 802.1q

At the application layer, we currently have analysis and normalization for ASN.1, Telnet, Sun RPC, and HTTP. All other application layer protocols are handled in the rules language currently. Not to be zen or anything, but Snort's rules language allows us to "decode" (analyze) all protocols by decoding no protocols. We can even look at non-TCP/UDP/ICMP transport layer protocols using the IP protocol option in rules and selecting protocols using the ip_proto keyword.
The side effect of this design is that it's "safe": we can write rules to provide protocol analysis all day long without worrying about buffer overflows in the protocol decoders. Less code = more safety; the design and implementation are simple and rugged (apart from some problems we had early last year) and also allow us to handle emerging threats for protocols that are emerging concerns (like DCERPC) without necessarily having to force everyone through an upgrade cycle.
Anyway, this is kind of a philosophical discussion. I'm happy with the design we've got now although some more preprocessors to handle certain app layer protocols are definitely on the drawing boards.
-Marty

On Aug 9, 2004, at 10:10 PM, jvarlet () aressi fr wrote:
Hi,

I would like to know how many protocols Snort can decode. Some IDS (like ISS, McAfee, ...) can decode more than 100 protocols. I saw that Snort decodes 3 (tcp, udp, icmp); but how many protocols from network to application?

Thanks a lot!
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
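An added example, not from the original message or the Snort distribution, illustrating the two mechanisms Marty describes: the ip_proto keyword selecting a transport protocol that has no dedicated decoder, and a plain content rule standing in for an application-layer decoder (DCERPC, which he names as an emerging concern). The rule text, message strings and sid numbers are the editor's assumptions.

```snort
# Transport-layer selection with no dedicated decoder: Snort parses only
# the IPv4 header, so any IP protocol number can be matched directly.
# Protocol 47 is GRE; the rule fires on GRE tunnels the policy does not expect.
alert ip any any -> any any (msg:"EXAMPLE GRE tunnel traffic observed"; \
    ip_proto:47; classtype:policy-violation; sid:1000001; rev:1;)

# Application-layer "decoding" by content match alone: a DCERPC bind
# request starts with RPC version 5, minor version 0, packet type 0x0b.
# depth:3 pins the match to the first three payload bytes, so the rule
# needs no DCERPC preprocessor to know where the header sits.
alert tcp any any -> any 135 (msg:"EXAMPLE DCERPC bind request"; \
    flow:to_server,established; content:"|05 00 0b|"; depth:3; \
    classtype:protocol-command-decode; sid:1000002; rev:1;)
```

The second rule shows the trade-off in the message: no decoder code to overflow, but also no normalization, so a bind split across segments or carried over a non-standard port is only caught by further rules.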