Subject: Re: Symantec IDS Experts????????????????????
From: Fyodor (fygrave at TIGERTEAM.NET)
Date: Wed Oct 18 2000 - 06:40:08 CDT
- Next message: Swen Schisler: "Re: Symantec IDS Experts????????????????????"
- Previous message: Keiji Takeda: "Re: Symantec IDS Experts????????????????????"
- In reply to: Keiji Takeda: "Re: Symantec IDS Experts????????????????????"
- Next in thread: rob: "Commercial vs. open source"
- Next in thread: Ron Gula: "Re: Symantec IDS Experts????????????????????"
- Reply: Fyodor: "Re: Symantec IDS Experts????????????????????"
- Reply: rob: "Commercial vs. open source"
On Wed, Oct 18, 2000 at 10:17:57AM +0900, Keiji Takeda wrote:
> > - Snort is based on simple network-grep IDS technology. Network-grep can
> > be easily fooled
>
> That is true.
Just to keep you guys up to date, the silicondefense guys have recently written a spade plugin for snort which actually does some anomaly detection as well. We cannot call snort an anomaly-detection-based IDS, but we aren't only a pattern-matching piece anymore either.
> > - Snort is vulnerable to many evasion techniques that were described years
> > ago. Fragment reassembly
> > (only recently added, though the fragment-based evasion has been a
> > well-known attack for years)
Yeah, but snort is barely older than two years as well. It takes time to develop code, right :)
> > was only recently added. In addition, the fragment reassembly system
> > doesn't allow one to specify
> > Windows/*NIX reassembly methods for individual hosts on a network. This
> > means that even with the
> > new fragment reassembly code, it's still vulnerable to fragment evasion
> > attacks.
Good spot. I will pass the idea to Dragos :)
> > - The Snort site claims that it doesn't even do TCP stream reassembly.
This piece is beta-testing now (in CVS; will be included in 1.7 as well).
> > in even the first-generation commercial IDS offerings quite a number of
> > years ago. Streams reassembly is
Eh? :) ISS brought IP fragment reassembly only in version 5.x; not sure if they do TCP reassembly at the moment. (Can anyone comment on this?)
Feel free to drop any other questions/comments/wishlist items to snort-users or snort-devel at lists.sourceforge.net, by the way. Would be appreciated mucho :)
-Fyodor
-- Beware of altruism. It is based on self-deception, the root of all evil.
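The per-host reassembly point raised in the quoted text, as an added example that is not from this thread, from Snort or from the spade plugin: a toy IP-fragment reassembler in Python that applies two overlap policies (policy names, the `Fragment` type and the sample fragments are constructed for illustration) plus a check that flags fragment sets whose overlapping bytes disagree, which is the condition a sensor can alert on even when it does not know which reassembly method the destination host uses.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment within the datagram
    data: bytes

def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Reassemble under one overlap policy.

    "first": bytes from the earliest-received fragment win on overlap.
    "last":  bytes from the latest-received fragment win on overlap.
    Real stacks implement more variants; two are enough to show that a
    monitor using the wrong policy sees different bytes than the host.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf: dict[int, int] = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        raise ValueError("hole in fragment set; datagram incomplete")
    return bytes(buf[i] for i in range(length))

def has_conflicting_overlap(fragments: Iterable[Fragment]) -> bool:
    """True when two fragments cover the same offset with different bytes.

    This is what a sensor should alert on: whichever policy the destination
    host applies, the sensor cannot be sure it reconstructed the same data.
    """
    seen: dict[int, int] = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if seen.setdefault(pos, byte) != byte:
                return True
    return False

# Constructed sample: the second fragment overlaps offsets 4..7 of the first
# with different content, so the two policies yield different datagrams.
SAMPLE = [Fragment(0, b"ABCDEFGH"), Fragment(4, b"wxyz")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE, policy))
    print("conflicting overlap:", has_conflicting_overlap(SAMPLE))
```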