Snort mailing list archives

RE: New Snort 2.2 Rules


From: "Andre' M. DiMino" <tsamp77 () optonline net>
Date: Thu, 15 Sep 2005 11:43:10 -0400

Alex,

Thank you for clearing this up.. The new flow preprocessor is certainly much
more powerful and flexible than before. 
The newer rule set and Snort's overall performance really shines now.

Thanks again,

Andre'




-----Original Message-----
From: Alex Kirk [mailto:alex.kirk () sourcefire com] 
Sent: Wednesday, September 14, 2005 6:03 PM
To: Andre' M. DiMino; snort-users () lists sourceforge net
Subject: Re: [Snort-users] New Snort 2.2 Rules

This is partly correct. The flow preprocessor still handles keeping track of
a TCP connection's state & direction, as always. The distinction you're
seeing is that many older rules used things like flags:AP to attempt to
detect established connections -- not a particularly reliable method, given
that it's possible to set the ACK & PUSH flags on a packet that is not part
of an established TCP connection
-- while modern rules use the flow:established keyword/value pair to use the
capabilities of the flow preprocessor to do this type of checking. 
Since the preprocessor is much, much more accurate when determining
connection state, it filters out an even larger number of malicious packets
which are not part of an existing TCP connection than flags:AP or the like,
and as a result your IDS will be correspondingly more quiet.

Alex Kirk
Research Analyst
Sourcefire, Inc.


I've noticed the same thing in my configuration where Snort is much 
more quiet than it used to be... False positives and "noise" seem to 
be at a minimum now. This is definitely not at the expense of solid 
detection however. I really put Snort 2.4 through some heavy tests 
with Nessus and other tools, and it does detect everything just fine.

In looking at the rules, I noticed that many of the rules now use the 
/flow:established/ option. I might be mistaken, but I don't think this 
was always the case with the rules. I think a preprocessor used to 
handle the flow conditions. In a rule with /flow:established/, Snort 
will only detect the anomalies that occur during an established 
connection. It doesn't alert on the packets that are simply aimed at 
your network segment, but not actually traversing an existing connection.

Do I have this right?

------------------------------------------------------------------------
*From:* snort-users-admin () lists sourceforge net 
[mailto:snort-users-admin () lists sourceforge net] *On Behalf Of *Walt Rich
*Sent:* Wednesday, September 14, 2005 4:27 PM
*To:* snort-users () lists sourceforge net
*Subject:* [Snort-users] New Snort 2.2 Rules

I updated the Snort rules to the latest available on Sourceforge's 
site.  They were quite out of date, and almost a year old.  Snort is up 
and running, but has become very quiet!  It used to detect a lot of 
false positives, which were a pain, but at least I knew it was 
working.  Now it is very, very quiet, and hasn't detected anything in 
over 2 hours.  Is it possible that the rule writers have become so 
good that the detection of false positives has been almost 
eliminated?  Has anyone else experienced anything similar?  Any input 
is greatly appreciated.
 
Thanks!
 

      
------------------------------------------------------------------------
| *Walt Rich* | Sr. Network Engineer | Parago, Inc. | 972.538.7253 | 
walt.rich () parago com <mailto:walt.rich () parago com> |
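The distinction Alex Kirk draws above (a flag-bit check such as flags:AP versus the flow:established keyword backed by the flow preprocessor), modelled as an added Python example. This is not code from the thread or from Snort itself: the FlowTracker class, the two rule functions, the "attack" content match and the packet sequence are all constructed for illustration and only model the preprocessor's behaviour in outline (three-way handshake seen, RST tears the flow down).

```python
# Added example (not from the thread or from Snort): why a flags:AP check
# is a weaker "established" test than flow-state tracking. The tracker,
# packet format, rule functions and traffic below are constructed for
# illustration and only model Snort's behaviour in outline.
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a connection share state."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class FlowTracker:
    """Stand-in for the flow preprocessor: a connection counts as established
    only after SYN, then SYN/ACK, then ACK have been seen on the same 4-tuple."""

    def __init__(self):
        self.state = {}  # flow_key -> "syn" | "synack" | "established"

    def update(self, p):
        k = flow_key(p)
        st = self.state.get(k)
        if p.flags & RST:
            self.state.pop(k, None)          # reset tears the flow down
        elif p.flags & SYN and not p.flags & ACK:
            self.state[k] = "syn"            # client SYN
        elif p.flags & SYN and p.flags & ACK and st == "syn":
            self.state[k] = "synack"         # server SYN/ACK
        elif p.flags & ACK and st == "synack":
            self.state[k] = "established"    # client ACK completes the handshake
        return self.state.get(k)

    def established(self, p):
        return self.state.get(flow_key(p)) == "established"


def rule_flags_ap(p, tracker):
    """Old style: flags:AP; content:"attack"; -- looks at the flag bits only."""
    return (p.flags & (ACK | PSH)) == (ACK | PSH) and b"attack" in p.payload


def rule_flow_established(p, tracker):
    """New style: flow:established; content:"attack"; -- asks the tracker."""
    return tracker.established(p) and b"attack" in p.payload


def run(packets, rule):
    """Feed packets through the tracker in order; return the indexes that alert."""
    tracker = FlowTracker()
    alerts = []
    for i, p in enumerate(packets):
        tracker.update(p)
        if rule(p, tracker):
            alerts.append(i)
    return alerts


def constructed_traffic():
    """Constructed sample traffic: one stray decoy packet, then a real connection."""
    c, s = "10.0.0.5", "10.0.0.80"
    return [
        # 0: stray ACK/PSH with matching content but no handshake behind it;
        #    a flag-only rule cannot tell this from real traffic
        Packet(c, 40001, s, 80, ACK | PSH, b"GET /attack HTTP/1.0\r\n"),
        # 1-3: genuine three-way handshake on a different client port
        Packet(c, 40002, s, 80, SYN),
        Packet(s, 80, c, 40002, SYN | ACK),
        Packet(c, 40002, s, 80, ACK),
        # 4: the same content on the established connection
        Packet(c, 40002, s, 80, ACK | PSH, b"GET /attack HTTP/1.0\r\n"),
    ]


if __name__ == "__main__":
    pkts = constructed_traffic()
    print("flags:AP alerts on packets", run(pkts, rule_flags_ap))                 # [0, 4]
    print("flow:established alerts on packets", run(pkts, rule_flow_established))  # [4]
```

The flag-only rule fires on the decoy as well as the real request; the flow-backed rule fires only on the packet that sits inside a tracked handshake, which is the quieting effect described in the thread. Real Snort rules usually also pin the direction, as in flow:established,to_server; the tracker here ignores direction to keep the model small.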

 






