Re: [Snort-users] New Snort 2.2 Rules

This is partly correct. The flow preprocessor still handles keeping
track of a TCP connection's state & direction, as always. The
distinction you're seeing is that many older rules used things like
flags:AP to attempt to detect established connections -- not a
particularly reliable method, given that it's possible to set the ACK &
PUSH flags on a packet that is not part of an established TCP connection
-- while modern rules use the flow:established keyword/value pair to use
the capabilities of the flow preprocessor to do this type of checking.
Since the preprocessor is much, much more accurate when determining
connection state, it filters out an even larger number of malicious
packets which are not part of an existing TCP connection than flags:AP
or the like, and as a result your IDS will be correspondingly more quiet.

Alex Kirk
Research Analyst
Sourcefire, Inc.


> I've noticed the same thing in my configuration where Snort is much
> more quiet than it used to be... False positives and "noise" seem to
> be at a minimum now. This is definitely not at the expense of solid
> detection however. I really put Snort 2.4 through some heavy tests
> with Nessus and other tools, and it does detect everything just fine.
>
> In looking at the rules, I noticed that many of the rules now use the
> /flow:established/ option. I might be mistaken, but I don't think this
> was always the case with the rules. I think a preprocessor used to
> handle the flow conditions. In a rule with /flow:established/, Snort
> will only detect the anomalies that occur during an established
> connection. It doesn't alert on the packets that are simply aimed at
> your network segment, but not actually traversing an existing connection.
>
> Do I have this right?
>
> ------------------------------------------------------------------------
> *From:* snort-users-admin@lists.sourceforge.net
> [mailto:snort-users-admin@lists.sourceforge.net] *On Behalf Of *Walt Rich
> *Sent:* Wednesday, September 14, 2005 4:27 PM
> *To:* snort-users@lists.sourceforge.net
> *Subject:* [Snort-users] New Snort 2.2 Rules
>
> I updated the Snort rules to the latest available on Souceforge's
> site. They wre auite out of date, and almost a year old. Snort is up
> and running, but has become very queit! It used to detect alot of
> false positives, which were a pain, but at least I knew it was
> working. Now it is very, very quiet, and hasn't detected anything in
> over 2 hours. Is it possible that the rule writers have become so
> good that the detection of false positives has been almost
> eliminated? Has anyone else experienced anything similar? Any input
> is greatly appreciated.
>
> Thanks!
>
>
>
> Parago Logo
> ------------------------------------------------------------------------
> | *Walt Rich* | Sr. Network Engineer | Parago, Inc. | 972.538.7253 |
> walt.rich@parago.com <mailto:walt.rich@parago.com> |
>
>




-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP. Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users