
Re: [Snort-users] protocols decoded



Old 08-10-2004
Matt Kettler

At 06:10 PM 8/9/2004, jvarlet@aressi.fr wrote:
>I would like to know how many protocols snort can decode. Some IDS (like ISS,
>McAfee, ...) can decode more than 100 protocols. I saw that snort decodes 3
>(tcp, udp, icmp); but how many protocols from network to application?


Full decode is AFAIK limited to just those three.

However, there are plugins that do analysis and normalization of several
other protocols (HTTP, Telnet, etc).

As for the number of decoders being so small, I for one don't really see
this as a substantial problem.

Snort has TCP decode, and PCRE support. At that point do you really need
SMTP decoding? It might make rule creation easier, but it doesn't add a
whole lot of functionality for most protocols. (and snort has http_decode
to normalize and preprocess http sessions, which definitely ARE complicated
and worthy of decode).

That said, snort's lack of decoders seems to be at least part of its
weaknesses, lack of good rules based on vulnerabilities, not signatures of
a single exploit script. Snort has many good generalized rules, but it also
has many that were quickly written from packet dumps and aren't going to
detect exploits unless made from a particular script. This is an area of
constant improvement in snort, but it's hardly complete.

(This said, I've not examined the signature databases of many commercial
products. They could be even worse)


Other counter-points to consider are:

1) how flexible is the tool in creating rules for protocols with
no decoder? Can you use regex syntax? multi-part content checks? decode of
bytes in the data into numeric format and do > or < type comparisons? Just
because one tool has more decoders than another doesn't make it a better tool.

2) what's the cost? Snort's a free download. Snort may be the
ultimate IDS, but it's damn good, and in price/performance it's hard to match.

And of course, take all of these in context of what your needs are. No IDS
can be the perfect tool for every network. Look at the tools closely to try
to find one that fits your needs. Snort's probably the best tool for the "I
analyze attacks and write my own signatures" type user, but it's not well
suited to the "I want to set it and forget it" type (no IDS is good for
this, but some are much closer to this than the snort download is).

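As an added example that is not part of the thread, here is a small Python emulation of the three rule primitives Matt Kettler names (content, byte_test and pcre), applied to a constructed binary protocol that Snort has no decoder for; the protocol layout, the length threshold and the rule shown in the comments are all assumptions made for the illustration.

```python
import operator
import re
import struct
from typing import Optional

# Added example (not from the thread). The protocol layout is constructed:
#   bytes 0-1  magic "AB"
#   bytes 2-3  big-endian length of the name field that follows
#   bytes 4..  ASCII name
# The Snort rule options these checks mirror (illustrative, not a shipped rule):
#   content:"AB"; depth:2; byte_test:2,>,64,2; pcre:"/^AB..[A-Za-z0-9_]*$/s";
# A rule like this keys on the over-long field (the vulnerable condition),
# not on the bytes of one particular exploit script.

_OPS = {">": operator.gt, "<": operator.lt, "=": operator.eq}

def content(payload: bytes, pattern: bytes, offset: int = 0,
            depth: Optional[int] = None) -> bool:
    """Snort 'content' with offset/depth: pattern must occur in that window."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window

def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int,
              big_endian: bool = True) -> bool:
    """Snort 'byte_test': decode nbytes at offset as an integer and compare."""
    field = payload[offset:offset + nbytes]
    if len(field) < nbytes:
        return False
    number = int.from_bytes(field, "big" if big_endian else "little")
    return _OPS[op](number, value)

def pcre(payload: bytes, regex: bytes) -> bool:
    """Snort 'pcre': regular expression over the raw payload."""
    return re.search(regex, payload, re.DOTALL) is not None

def oversized_name_rule(payload: bytes) -> bool:
    """All three checks must hold, as the options of one Snort rule would."""
    return (content(payload, b"AB", offset=0, depth=2)
            and byte_test(payload, 2, ">", 64, 2)
            and pcre(payload, rb"^AB..[A-Za-z0-9_]*$"))

def build_message(name: bytes) -> bytes:
    """Constructed sample message in the made-up protocol."""
    return b"AB" + struct.pack(">H", len(name)) + name

BENIGN = build_message(b"alice")        # length field 5, no alert
OVERSIZED = build_message(b"A" * 300)   # length field 300 > 64, alert

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, "alert" if oversized_name_rule(msg) else "pass")
```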