Snort mailing list archives

Can snort be smarter?

From: Jason Haar <Jason.Haar () trimble co nz>
Date: Tue, 2 Jul 2002 09:43:40 +1200

There's a thread over in Security-Focus-IDS ("Crying wolf:") where people
are bemoaning the amount of false-positives that IDSes generate. 

One thing missing from Snort would be the ability for it to recognise the
difference between (say) a CodeRed attempt against an IIS and an Apache
server.

With stateful packet reassembly, would it be possible to match on the return
packets in the same rule? e.g.

content: "/script.exe?"; content: "Server: Microsoft-IIS"

That way you'd only get an alert on application-specific attacks when
they're against that particular application.

I realise that some would still want to know about ALL attacks - but that
could be dealt with by  the above rule being an "alert", followed by the
same rule without the "Server: Microsoft-IIS" bit being a "log".

Apparently this is a feature NFR has.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Can snort be smarter? Jason Haar (Jul 01)
- <Possible follow-ups>
- RE: Can snort be smarter? Kevin Brown (Jul 01)
  - Re: Can snort be smarter? Jason Haar (Jul 01)