From: Higgins, Chris AG:EX (Chris.Higgins@gems2.gov.bc.ca)
Date: Wed Jan 16 2002 - 13:35:09 CST


    From what I can see by the snort.conf file, you seem to be missing a large
    number of the rules files from the current ruleset. I don't know if this was
    deliberate but this may be what is causing the difference in your observed
    outputs from the various IDS's.

    -----Original Message-----
    From: n3m3s1s@hushmail.com [mailto:n3m3s1s@hushmail.com]
    Sent: Wednesday, January 16, 2002 4:21 AM
    To: FOCUS-IDS@securityfocus.com
    Subject: IDS bakeoff - help!

    -----BEGIN PGP SIGNED MESSAGE-----

    Hey everybody,
            I'm assisting a client with an IDS bakeoff and I'm getting less than
    favorable results with Snort. Not that all the other vendors are screaming
    meemees either, but I gotta be doing something wrong with snort. I posted
    to the snort list and got some suggestions, but when I tried those
    suggestions and responded with the results, I got nothing. So, I figured
    I'd try this list. Rather than re-hash all the e-mail from the snort list,
    I'll just give the basics:

    Running Snort 1.8.3 on a Dual Pentium III 1.0GHz, w/ 512 M RAM and a
    Syskonnect Gig card.
    Red Hat Linux 7.2.

    Traffic is real-world. Tons of Web, DNS, scans, you name it. The other
    IDSs are alerting like mad. Started at like 120Mbit/s spiking to 150Mbit/s,
    but some of the later tests were looking at roughly half that bandwidth.
    Here is a mixture of suggested and my own commandlines I was running and the
    results. This is pretty much verbatim to the post I made to the snort list.
    I also posted my snort.conf - if anyone here would like to see it, I've put
    it at the bottom.

    >>Try using a snort commandline like
    >>sbin/snort -A fast -b -l ./log -d -i eth1 and see what happens.

    >This logged everything it saw to a time-stamped file. No alerts, but it
    >logged every packet (0% packet loss). Encouraging.

    >>try snort -dev -i eth2 to see full dumps of the traffic on your eth2
    >>interface to make sure it can see everything

    >Oh baby. Tons of stuff ;-)
    >
    >Other things I tried:
    >
    >1. snort -A fast -l ./log -d -i eth2 (for 1 minute)
    > -MUCH logging, but dropped ~96.5% of traffic.
    > "Snort analyzed 38950 out of 1117120 packets, dropping 1078170
    > (96.513%) packets."
    > -also, while I had almost 8,000 IP directories in ./logs, the alerts file
    > is 0 length. Am I not doing pattern matching here? It didn't seem to read
    > my snort.conf...
    >
    >2. snort -A fast -l ./log -d -i eth2 -c ./snort.conf (for 1 minute)
    > -generated ~1600 alerts of which 99% were ICMP Dest. Unreachables. The
    > other 1% were Bad Traffic (loopback source address). There is much web,
    > dns, scans and other stuff in this traffic.
    > "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%)
    > packets."
    > -This was with the default ruleset (884 rules).
    >
    >3. Repeated same test as #2, but with only web rules loaded [499 rules] (1
    > minute).
    > -0 alerts
    > "Snort analyzed 733682 out of 1119517 packets, dropping 385835
    > (34.464%)."
    >
    >4. Ran same test as #3, except I changed the http_decode preprocessor to:
    > 80 -cginull (removed -unicode) in the hopes that it would catch something
    > unicode. I also tried using the unicode preprocessor and my notes here are
    > a little fuzzy. I'm showing on one of the tests that I had 103 alerts, but
    > I don't know which preprocessor. Sorry. Anyway, the 103 alerts were all
    > Unicode Directory Traversal alerts, but didn't show the actual attack. I
    > went in and looked at the logged packets and there were definitely WEB-IIS
    > cmd.exe and other things in there, but didn't get alerted.
    >
    >For pretty much all the tests, it appeared that either the 1) signatures
    >aren't being compared against (i.e. only preprocessor type alerts) or 2) I
    >can only have 1 alert per packet (some IDSs are like this, is snort?). My
    >guess is that it's the former instead of the latter. Right now, Snort is
    >not keeping up with the other 3 IDSs being tested, so I'm relying on you
    >guys to keep me from shooting myself in the foot!! I know I'm just doing
    >something wrong, I've seen plenty of posts in the archives where people are
    >using Snort at much higher bandwidth than what I'm looking at.

    Can anyone offer any assistance or (at the least) support the results I'm
    seeing? The client is kind of looking at me since I suggested bringing
    Snort into the mix (they were initially only looking at commercial
    products). I'm trying not to look back.

    Thanks,

    Norm

    $ cat snort.conf |grep -vE "^$|^#"

    var HOME_NET 10.0.0.0/8
    var EXTERNAL_NET any
    var SMTP $HOME_NET
    var HTTP_SERVERS $HOME_NET
    var SQL_SERVERS $HOME_NET
    var DNS_SERVERS $HOME_NET
    preprocessor frag2
    preprocessor stream4: detect_scans
    preprocessor stream4_reassemble
    preprocessor http_decode: 80 -unicode -cginull
    preprocessor rpc_decode: 111
    preprocessor bo: -nobrute
    preprocessor telnet_decode
    preprocessor portscan: $HOME_NET 4 3 portscan.log
    include classification.config
    include web-cgi.rules
    include web-coldfusion.rules
    include web-frontpage.rules
    include web-iis.rules
    include web-misc.rules
    include web-attacks.rules

    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com

    wlwEARECABwFAjxFbi8VHG4zbTNzMXNAaHVzaG1haWwuY29tAAoJEFhAkA76am0fKxUA
    nRdaBHyXAwvL/VBAhoDd/Ta1Bvp5AKCAAgpyUt/rIN69ePtuxPy7BNiVAA==
    =K1eO
    -----END PGP SIGNATURE-----
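The two things this thread turns on are checkable mechanically: which rules files a snort.conf actually includes (Chris's point about the missing files) and how much of the traffic each test run dropped (the "Snort analyzed ... dropping ..." summaries Norm quotes, which make a zero-alert run meaningless when the drop rate is 96%). The script below is an added example, not code from the thread or from the Snort project. It parses the posted snort.conf fragment, reports rules files that are never included, and parses the drop summaries from the post. The list of shipped rules file names is an assumption (an illustrative Snort 1.8-era layout); in practice build it from the rules directory as the comment notes. Function names, the 5% drop threshold and the sample inputs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the snort.conf fragment Norm posted, as the
# `grep -vE "^$|^#"` output in the thread shows it.
SNORT_CONF = """\
var HOME_NET 10.0.0.0/8
var EXTERNAL_NET any
var SMTP $HOME_NET
var HTTP_SERVERS $HOME_NET
var SQL_SERVERS $HOME_NET
var DNS_SERVERS $HOME_NET
preprocessor frag2
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 -unicode -cginull
preprocessor rpc_decode: 111
preprocessor bo: -nobrute
preprocessor telnet_decode
preprocessor portscan: $HOME_NET 4 3 portscan.log
include classification.config
include web-cgi.rules
include web-coldfusion.rules
include web-frontpage.rules
include web-iis.rules
include web-misc.rules
include web-attacks.rules
"""

# Assumption: the rules files the full distribution ships. This list is
# illustrative only; in practice derive it from the rules directory, e.g.
# sorted(os.path.basename(p) for p in glob.glob("rules/*.rules")).
SHIPPED_RULE_FILES = [
    "bad-traffic.rules", "exploit.rules", "scan.rules", "finger.rules",
    "ftp.rules", "telnet.rules", "smtp.rules", "rpc.rules", "dos.rules",
    "ddos.rules", "dns.rules", "tftp.rules", "web-cgi.rules",
    "web-coldfusion.rules", "web-frontpage.rules", "web-iis.rules",
    "web-misc.rules", "web-attacks.rules", "sql.rules", "icmp.rules",
    "netbios.rules", "misc.rules", "attack-responses.rules",
    "backdoor.rules", "shellcode.rules", "policy.rules", "local.rules",
]

# The exit summaries quoted in the post, one per test run.
STATS_LINES = {
    1: "Snort analyzed 38950 out of 1117120 packets, dropping 1078170 (96.513%) packets.",
    2: "Snort analyzed 762866 out of 1110037 packets, dropping 347171 (31.276%) packets.",
    3: "Snort analyzed 733682 out of 1119517 packets, dropping 385835 (34.464%).",
}

DIRECTIVE = re.compile(r"^(var|preprocessor|include)\s+(.+?)\s*$")
STATS = re.compile(r"Snort analyzed (\d+) out of (\d+) packets, dropping (\d+)")


def parse_snort_conf(text: str) -> Dict[str, List[str]]:
    """Collect var/preprocessor/include directives, ignoring blanks and # comments."""
    found: Dict[str, List[str]] = {"var": [], "preprocessor": [], "include": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(1)].append(m.group(2))
    return found


def missing_rule_files(conf: Dict[str, List[str]], shipped: List[str]) -> List[str]:
    """Rules files in `shipped` that the config never includes."""
    # Keep only the file name so "include $RULE_PATH/x.rules" also matches.
    included = {inc.split()[-1].rsplit("/", 1)[-1] for inc in conf["include"]}
    return [f for f in shipped if f not in included]


def parse_drop_stats(line: str) -> Optional[Tuple[int, int, int, float]]:
    """Return (analyzed, total, dropped, drop_pct) from a Snort exit summary."""
    m = STATS.search(line)
    if not m:
        return None
    analyzed, total, dropped = (int(x) for x in m.groups())
    return analyzed, total, dropped, round(100.0 * dropped / total, 3)


def judge_test(line: str, max_drop_pct: float = 5.0) -> str:
    """Label a run: above the drop threshold its alert count says little."""
    stats = parse_drop_stats(line)
    if stats is None:
        return "no-summary"
    return "ok" if stats[3] <= max_drop_pct else "dropping"


if __name__ == "__main__":
    conf = parse_snort_conf(SNORT_CONF)
    rules = [i for i in conf["include"] if i.endswith(".rules")]
    print("rules files included:", len(rules))
    print("never included:", ", ".join(missing_rule_files(conf, SHIPPED_RULE_FILES)))
    for test, line in STATS_LINES.items():
        print(f"test {test}: {parse_drop_stats(line)} -> {judge_test(line)}")
```

Run against the posted config it lists every non-web rules file as never included, which is exactly why tests 2 and 3 only ever produced ICMP and "Bad Traffic" alerts, and it labels all three quoted runs as "dropping", so none of those alert counts can be compared with the other products' output.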