Intrusion Detection Systems mailing list archives
Re: Problem in snort 1.3
From: rgula () network-defense com (Ron Gula)
Date: Mon, 25 Oct 1999 11:31:11 -0700
Hi, I think there's a problem in the new NISD called snort. It reads and applies rules in order, but if one matches, the others are not considered. Look at this example... I put these two rules in order in my ruleset file

Fabio, not a bug, but standard procedure. Most alerting/firewalling software operates like this. For example, FW-1 and Cisco ACLs both filter and log based on the same principle. If an event generates an alert, that event is then dropped and no longer compared to any other rules. The last thing you want is multiple emails of the same event.

True, but someone source-routing a PHF attack or running it through fragrouter is a different event than just the PHF attack. If someone configures their IDS to ignore certain types of attacks, then all an attacker has to do to avoid the IDS is to make sure that portion of the attack triggers first and is subsequently ignored. With Dragon, every packet or data stream can have multiple events associated with it.

Ron Gula
Network Security Wizards
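
The two evaluation models discussed in this message, as an added example that is not part of the original post and is not Snort or Dragon code: a hypothetical rule table is evaluated once with first-match semantics and once with every rule applied. The `Rule` tuple, both predicates, the rule names and the sample packet are constructed for illustration.

```python
# Added illustration: hypothetical rule table, not Snort or Dragon rule syntax.
from typing import Callable, List, NamedTuple


class Rule(NamedTuple):
    name: str
    action: str                        # "alert" or "ignore"
    matches: Callable[[dict], bool]


# Constructed sample packet: a request for the PHF CGI carrying a source-route IP option.
PACKET = {
    "ip_options": ["lsrr"],
    "dst_port": 80,
    "payload": b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n",
}


def has_source_route(pkt: dict) -> bool:
    return any(opt in ("lsrr", "ssrr") for opt in pkt.get("ip_options", []))


def has_phf(pkt: dict) -> bool:
    return pkt.get("dst_port") == 80 and b"/cgi-bin/phf" in pkt.get("payload", b"")


SRC_ROUTE_ALERT = Rule("source-routed packet", "alert", has_source_route)
SRC_ROUTE_IGNORE = Rule("source-routed packet", "ignore", has_source_route)
PHF_ALERT = Rule("PHF CGI access", "alert", has_phf)


def first_match(rules: List[Rule], pkt: dict) -> List[str]:
    """Stop at the first rule that matches; later rules are never evaluated."""
    for rule in rules:
        if rule.matches(pkt):
            return [rule.name] if rule.action == "alert" else []
    return []


def all_match(rules: List[Rule], pkt: dict) -> List[str]:
    """Evaluate every rule; one packet may carry several events."""
    return [r.name for r in rules if r.action == "alert" and r.matches(pkt)]


if __name__ == "__main__":
    for label, rules in (("both alert", [SRC_ROUTE_ALERT, PHF_ALERT]),
                         ("source route ignored", [SRC_ROUTE_IGNORE, PHF_ALERT])):
        print(label, "| first-match:", first_match(rules, PACKET),
              "| all-match:", all_match(rules, PACKET))
```

With the source-route rule set to ignore, first-match evaluation reports nothing for this packet, while evaluating every rule still reports the PHF event.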
