Subject: Re: Symantec IDS Experts????????????????????
From: Keiji Takeda (keijiSFC.KEIO.AC.JP)
Date: Tue Oct 17 2000 - 20:17:57 CDT


Hello,

Elliot Turner san wrote on Tue, 17 Oct 2000 18:23:00 -0500
> I did claim that Snort is based on ages-old technology. And I stand by this
> claim. Various reasons include:

From my experience, commercial IDSs are not always better than Snort or other
open source IDSs (including my pakemon ;-).

Even though they are commercial, some current IDSs still have only
ages-old technology, in your terms.

For instance, even the product that has the largest share in the market
has implemented the packet reconstruction function only this year.

My understanding is now the market is shifting toward second generation IDS
products that do packet reassembly and state analysis or application layer
analysis.

As Elliot noted, current open source IDSs are based on first-generation IDS
technology.
However, even commercial IDSs have only barely entered the second generation recently.

As for the speed of evolution, Snort has more potential, in my feeling.

> - Snort is based on simple network-grep IDS technology. Network-grep can
>   be easily fooled

That is true.
This situation is the same for some first-generation IDS products.

> - Snort is vulnerable to many evasion techniques that were described years
>   ago. Fragment reassembly (only recently added, though the fragment-based
>   evasion has been a well-known attack for years) was only recently added.
>   In addition, the fragment reassembly system doesn't allow one to specify
>   Windows/*NIX reassembly methods for individual hosts on a network. This
>   means that even with the new fragment reassembly code, it's still
>   vulnerable to fragment evasion attacks.
> - The Snort site claims that it doesn't even do TCP stream reassembly. This
>   is something that was available in even the first-generation commercial
>   IDS offerings quite a number of years ago. Stream reassembly is a basic
>   feature that should be a part of any IDS. It reduces the complexity of
>   performing attack evasion to the skill level of a BSD sockets programmer.
>   If this has recently changed, they should update their site to reflect
>   the fact.

These are also true.
However, most commercial IDSs also implemented their reassembly code
only recently.

>I hope this information is useful.

I hope so too.

Keiji Takeda ( http://www.sfc.keio.ac.jp/~keiji/ )
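An added example, not from this thread, Snort, or pakemon, contrasting the two detection approaches the thread argues about: a per-packet "network-grep" matcher beside one that searches the reassembled TCP stream. The signature, the segments and the overlap policy are all constructed for the illustration.

```python
# Added example, not from the post or from Snort: why a per-packet "network-grep"
# matcher misses a pattern that TCP stream reassembly recovers.
from dataclasses import dataclass
from typing import Iterable, Optional

@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes

SIGNATURE = b"GET /cgi-bin/example"   # constructed sample signature, not a real rule

def grep_per_packet(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """First-generation matching: each packet is searched in isolation."""
    return any(signature in s.payload for s in segments)

def reassemble(segments: Iterable[Segment]) -> Optional[bytes]:
    """Order segments by sequence number and splice them into one byte stream.
    Retransmissions and overlaps keep the bytes seen first (one possible policy;
    real hosts differ, which is the per-host ambiguity the thread raises).
    Returns None when the stream has a hole, so nothing is matched across a gap."""
    segs = sorted(segments, key=lambda s: s.seq)
    if not segs:
        return b""
    buf = bytearray()
    expected = segs[0].seq
    for s in segs:
        if s.seq > expected:
            return None                        # bytes missing before this segment
        fresh = s.payload[expected - s.seq:]   # skip the part already accepted
        buf += fresh
        expected += len(fresh)
    return bytes(buf)

def detect_on_stream(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Second-generation matching: search the reassembled stream instead."""
    data = reassemble(segments)
    return data is not None and signature in data

# Constructed traffic: one request split across segments, delivered out of
# order, with a 2-byte overlap and one retransmitted segment.
SPLIT = [
    Segment(14, b"xample HTTP/1.0\r\n"),
    Segment(0, b"GET /cgi-"),
    Segment(9, b"bin/exa"),
    Segment(9, b"bin/exa"),   # retransmission
]
WHOLE = [Segment(0, b"GET /cgi-bin/example HTTP/1.0\r\n")]
HOLE = [Segment(0, b"GET /cgi-"), Segment(16, b"mple HTTP/1.0\r\n")]
```

Per-packet matching finds the signature only in WHOLE, while stream matching also finds it in SPLIT and refuses to match across the gap in HOLE.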