Subject: Re: Symantec IDS Experts????????????????????
From: Elliot Turner (eturner at INTRUSION.COM)
Date: Tue Oct 17 2000 - 18:23:00 CDT
- Next message: Ron Gula: "Re: Symantec IDS Experts????????????????????"
- Previous message: Ron Gula: "Re: Symantec IDS Experts????????????????????"
- Maybe in reply to: Dumb User: "Symantec IDS Experts????????????????????"
- Next in thread: Keiji Takeda: "Re: Symantec IDS Experts????????????????????"
- Next in thread: Ron Gula: "Re: Symantec IDS Experts????????????????????"
- Maybe reply: Elliot Turner: "Re: Symantec IDS Experts????????????????????"
- Reply: Keiji Takeda: "Re: Symantec IDS Experts????????????????????"
-----Original Message-----
>Good luck arguing this point guys! Although I will say that
>most of the information posted by Intrusion.Com about Snort
>is incorrect. Last I checked, it implemented defrag (thanks
>to Dragos) and also had one of the more advanced port scan
>detectors in any IDS I knew of (from Silicon Defense).
Ron,
If you review my post regarding Snort, you'll see that I never once claimed that Snort didn't do IP fragment reassembly, and that I didn't make any claims regarding port-scan detection.

I did claim that Snort is based on ages-old technology. And I stand by this claim. Various reasons include:
- Snort is based on simple network-grep IDS technology. Network-grep can be easily fooled and is surpassed by today's more advanced state-based protocol decoding techniques. Network-grep methods are also highly prone to false positives, and not suitable for detecting intrusions which involve multiple disjointed steps.
- Snort is vulnerable to many evasion techniques that were described years ago. Fragment reassembly was only recently added (though fragment-based evasion has been a well-known attack for years). In addition, the fragment reassembly system doesn't allow one to specify Windows/*NIX reassembly methods for individual hosts on a network. This means that even with the new fragment reassembly code, it's still vulnerable to fragment evasion attacks.
- The Snort site claims that it doesn't even do TCP stream reassembly. This is something that was available in even the first-generation commercial IDS offerings quite a number of years ago. Stream reassembly is a basic feature that should be a part of any IDS. It reduces the complexity of performing attack evasion to the skill level of a BSD sockets programmer. If this has recently changed, they should update their site to reflect the fact.
I hope this information is useful.
Thx,
Elliot
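The two evasion classes argued over in the message above (reassembly-policy mismatch between the IDS and the target host, and signatures split across TCP segments) can be shown concretely. The following is an added illustration written for this archive page; it is not code from the original post, from Snort, or from Intrusion.com. The "first" and "last" overlap policies are deliberate simplifications (real host stacks apply several overlap rules, and no mapping to specific operating systems is claimed here), and the fragments, segments and signature are constructed sample data.

```python
"""Demo: overlapping-fragment ambiguity and cross-segment signatures (constructed example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Chunk:
    """One IP fragment or TCP segment: data placed at a byte offset (or sequence number)."""
    offset: int
    data: bytes


def reassemble(chunks: List[Chunk], policy: str) -> bytes:
    """Reassemble chunks in arrival order under a simplified overlap policy.

    policy == "first": bytes already placed win, later overlapping data is dropped.
    policy == "last":  later chunks overwrite whatever was placed before.
    These two policies are assumptions for the demo, not a model of any real stack.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy %r" % policy)
    total = max(c.offset + len(c.data) for c in chunks)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 where a byte has been written at least once
    for c in chunks:  # arrival order matters, so no sorting by offset
        for i, b in enumerate(c.data):
            pos = c.offset + i
            if policy == "last" or not seen[pos]:
                buf[pos] = b
                seen[pos] = 1
    if not all(seen):
        raise ValueError("hole in reassembled data")
    return bytes(buf)


def matches(payload: bytes, signature: bytes) -> bool:
    """Network-grep style detection: a plain substring match on the payload."""
    return signature in payload


def evaluate(chunks: List[Chunk], ids_policy: str, host_policy: str,
             signature: bytes) -> Tuple[bool, bool]:
    """Return (ids_alerted, host_saw_attack) when the IDS and the target
    reassemble the same fragments under possibly different policies."""
    ids_view = reassemble(chunks, ids_policy)
    host_view = reassemble(chunks, host_policy)
    return matches(ids_view, signature), matches(host_view, signature)


def packet_grep(segments: List[Chunk], signature: bytes) -> bool:
    """Per-packet matching with no stream reassembly."""
    return any(matches(s.data, signature) for s in segments)


def stream_grep(segments: List[Chunk], signature: bytes) -> bool:
    """Matching after reassembling the TCP stream by sequence number."""
    return matches(reassemble(segments, "first"), signature)


# Constructed fragments: the second one overlaps bytes 5..14 of the first.
# A "first" reassembler sees the benign request, a "last" reassembler the attack.
FRAGS = [
    Chunk(0, b"GET /index.html"),
    Chunk(5, b"etc/passwd"),
]

# Constructed TCP segments: the signature straddles the segment boundary.
SEGMENTS = [
    Chunk(0, b"GET /etc/pas"),
    Chunk(12, b"swd HTTP/1.0\r\n"),
]

SIGNATURE = b"/etc/passwd"

if __name__ == "__main__":
    print("first:", reassemble(FRAGS, "first"))
    print("last: ", reassemble(FRAGS, "last"))
    print("IDS=first, host=last ->", evaluate(FRAGS, "first", "last", SIGNATURE))
    print("IDS=last,  host=last ->", evaluate(FRAGS, "last", "last", SIGNATURE))
    print("per-packet grep:", packet_grep(SEGMENTS, SIGNATURE))
    print("stream grep:    ", stream_grep(SEGMENTS, SIGNATURE))
```

The point the demo makes is the one argued in the thread: with a single global reassembly policy, an attacker who knows the target's policy picks fragments so that the IDS's reconstruction and the host's differ, and the alert is missed even though the host receives the attack string; and without stream reassembly, a signature that spans two segments is never seen in any single packet. A per-host (target-based) reassembly policy closes the first gap; stream reassembly closes the second.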