Snort mailing list archives
Re: (no subject)
From: Niek Jongerius <niek () dupaco nl>
Date: Wed, 1 Aug 2001 11:03:37 +0200 (CEST)
> > http://snort.protected.host.com/test-cgi/../[insert your favourite iis exploit]
> > This sample triggers the "WEB-CGI test-cgi access" rule, while the real
> > exploit doesn't get logged.
>
> In this example, the 2nd exploit would be logged as part of the packet
> payload captured by the 1st matching rule. I don't see this as a design
> flaw. IMHO the IDS worked properly; it let you know something "bad" was
> happening. It's the analyst's job to make sense of the events that are
> actually transpiring... IDS systems are not meant to be managed by an
> individual or team that merely looks at the alert description and
> neglects the data within the captured packet.
>
> <stuff deleted>
>
> The IDS isn't the flaw, the flaw resides within the person managing the
> data provided by the IDS. In any event, I would rather have my IDS report
> on a one-rule basis than run the risk of h4x0r_b0b crafting the
> aforementioned packets and sending them in my direction.
Both opinions have their merits IMHO.
- Especially if an admin rates some type of attack as "not so bad"
(and has decided to log instead of alert), chances are he could
miss the second, more serious attack. That could be a bad thing(TM).
- On the other hand, the admin should be knowledgeable, and should
be able to detect the real attack when the first rule fired by
checking the data.
As with lots of situations, it is probably a case of agree to
disagree. Some of us don't want to possibly miss an attack, and others
don't want to clog logs with multiple detections of attacks. This
could of course be handled by an extra option to snort to enable
scanning for more than one signature in a packet if this feature seems
desirable enough.
Niek.
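The following is an added illustration of the two policies argued over in this thread; it is not Snort code and not part of the original message. A small rule set is applied to one constructed HTTP request whose payload matches two rules, once under "first matching rule wins, one alert per packet" and once under "report every matching rule" (the extra option suggested above). The rule names, the log-vs-alert actions, the priority scale and the request are all constructed for the example, and the "serious" pattern is a labelled placeholder rather than any real exploit string.

```python
"""
Toy signature matcher: first-match-only versus all-matches over one packet.
Constructed example for the thread above; not Snort's matching engine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes   # byte string searched for in the payload
    action: str      # "alert" (page someone) or "log" (write quietly), as in the thread
    priority: int    # 1 = most severe; assumed scale for this example only


def match_first(payload: bytes, rules):
    """One alert per packet: the first listed rule that matches wins, later rules are never tried."""
    for r in rules:
        if r.pattern in payload:
            return [r]
    return []


def match_all(payload: bytes, rules):
    """Report every rule that matches the packet (the 'extra option' proposed in the thread)."""
    return [r for r in rules if r.pattern in payload]


def alerts_raised(matched):
    """Names of matched rules whose action is 'alert'; 'log'-only matches never page the analyst."""
    return [r.name for r in matched if r.action == "alert"]


def severity_ordered(rules):
    """Same rules, most severe first, so first-match evaluation tries the serious rule before the probe."""
    return sorted(rules, key=lambda r: r.priority)


# Constructed rules: the CGI probe rated "not so bad" and downgraded to log-only,
# and a severe rule that should alert. The placeholder pattern stands in for a real signature.
RULES = [
    Rule("WEB-CGI test-cgi access", b"/test-cgi", action="log", priority=3),
    Rule("PLACEHOLDER serious IIS signature", b"PLACEHOLDER-SERIOUS-PATTERN", action="alert", priority=1),
]

# Constructed request shaped like the thread's example: the harmless match precedes the serious one.
CONSTRUCTED_REQUEST = (
    b"GET /test-cgi/../PLACEHOLDER-SERIOUS-PATTERN HTTP/1.0\r\n"
    b"Host: snort.protected.host.com\r\n\r\n"
)


def main():
    first = match_first(CONSTRUCTED_REQUEST, RULES)
    every = match_all(CONSTRUCTED_REQUEST, RULES)
    ordered = match_first(CONSTRUCTED_REQUEST, severity_ordered(RULES))
    print("first-match           :", [r.name for r in first], "alerts:", alerts_raised(first))
    print("all-matches           :", [r.name for r in every], "alerts:", alerts_raised(every))
    print("first-match, by severity:", [r.name for r in ordered], "alerts:", alerts_raised(ordered))


if __name__ == "__main__":
    main()
```

Under first-match with the probe rule set to log only, the packet produces no alert at all, which is the case Niek's first bullet worries about; under all-matches the serious rule still fires. The third call shows that with first-match the outcome also depends on rule order, so evaluating severe rules before low-priority ones narrows the gap even without the extra option. In every mode the captured payload still contains the second pattern, which is the point made in the quoted reply: the analyst who reads the packet rather than only the alert name can still find it.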
