
Re: [Snort-users] protocols decoded



Old 08-10-2004
security@brvenik.com
 
Posts: n/a
Default Re: [Snort-users] protocols decoded



jvarlet@aressi.fr wrote:

> Hi,
>
> I would like to know how many protocols snort can decode. Some IDS (like ISS,
> McAfee, ...) can decode more than 100 protocols. I saw that snort decodes 3
> (tcp, udp, icmp); but how many protocols from network to application?
>
> Thanks a lot !
>


Snort does not have a number of supported protocols since protocol
support is unlimited in theory. Snort does handle normalization of
application protocols where necessary to make detection easier and rare
cases where detection cannot easily be performed in rules.

With the capabilities of byte_test, byte_jump, flowbits, PCRE, isdataat,
content, distance, within, and ASN1 nearly all protocols and vulnerable
conditions can be modeled in rules. It is possible to track arbitrary
state transitions in any protocol and validate the conditions as they
manifest on the wire. Have a look at a lot of the recent rules published
for examples.

Another consideration is that supporting XXX protocols adds significant
complexity to the base product which increases risk and does not
necessarily improve detection. A perfect case of this is the recent
vulnerability in ISS where the witty worm exploited poor coding in the
PAM module whereby any traffic on a specific port was apparently
considered ICQ, a crafty packet caused the system to effectively rm -rf
/ while attempting to spread.

You also have to consider that protocol support is a smooth way of
saying that we force you to inspect traffic by our interpretation of the
protocol. What happens if that interpretation is incorrect or
incomplete? Do you miss attacks? Do you need a full decoder regression
and patch?

Snort maintains its simplicity by implementing this in rules and
alleviates the burden of reverse engineering proprietary protocols
needlessly when all you are really looking for is an exploitable
condition. Do not confuse rules with signatures; rules are far more
capable and complex and are capable of performing protocol decodes where
needed when crafted by a skilled user.

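An added example, not from the original post or from the Snort project, of the kind of rule-based protocol modeling the reply describes: two Snort 2 rules that use flowbits, byte_jump, isdataat and byte_test to track a state transition and then validate a length field. The service on TCP/5555, its wire format, the flowbit name and the 4096-byte bound are all constructed assumptions.

```snort
# Constructed example: hypothetical protocol on TCP/5555 (not a real service).
# Assumed wire format of a client request:
#   bytes 0-1  version marker 0x01 0x00
#   bytes 2-3  big-endian length N of the name field
#   N bytes    name
#   4 bytes    big-endian payload length
#
# Rule 1: record that a version handshake was seen on this flow, without alerting.
# The flowbit is the state that later rules condition on.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"EXAMPLE handshake seen"; \
    flow:to_server,established; content:"|01 00|"; depth:2; \
    flowbits:set,example.handshake; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: only on flows where rule 1 fired. After matching the version marker,
# byte_jump reads the 2-byte name length at the cursor and skips over the name;
# isdataat:3,relative confirms at least four bytes (offsets 0..3) follow; then
# byte_test reads those four bytes as a big-endian payload length and alerts if
# it exceeds the 4096 bytes the hypothetical server is assumed to buffer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 5555 (msg:"EXAMPLE oversized payload length after handshake"; \
    flow:to_server,established; flowbits:isset,example.handshake; \
    content:"|01 00|"; depth:2; byte_jump:2,0,relative; isdataat:3,relative; \
    byte_test:4,>,4096,0,relative; sid:1000002; rev:1;)
```

The second rule never fires on a flow that skipped the handshake, which is the state tracking the reply refers to; the length check is done on the wire bytes themselves rather than by a dedicated decoder.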