Subject: Re: [snort] Top 5 best and worst things about snort
From: Martin Roesch (roeschhiverworld.com)
Date: Mon Mar 20 2000 - 11:57:31 CST


I'm headed to Florida in 30 minutes, but I thought I'd answer quickly
here. (Full answers to follow later).

Stuart Staniford-Chen wrote:
>
> We don't just need to add signatures (though that is very valuable
> too). We need to figure out how to help people know which ones to turn
> on, and we need a way, as a community, to figure out which ones are
> really useful, and which ones to get rid of because they are duds.

Yup, I'm all for that. The big problem is figuring out what a good
conservative rules set is for *everyone*. :)

> I looked into this possibility extensively last weekend (and wrote a
> message about it). "Offset" doesn't buy you much (since the Request URL
> usually starts only 5 or 6 bytes into the message anyway). Using
> "depth" is very dangerous because Apache (at least) will accept
> arbitrary amounts of whitespace between "GET" and the request URL. So
> if snort signatures have "depth 50" in them, all the attacker needs to
> do is "GET <50 spaces here> /reallybadURL" and we're hosed.

It'd be trivial to modify the http_decode preprocessor to remove
extraneous whitespace and format URIs into well-formed, consistent
strings.

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
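The whitespace problem and the normalization fix described in this thread, as an added example in C (not Snort's http_decode and not code from either poster): a toy "depth N" content match run against a request line with padding between GET and the URI, before and after collapsing the whitespace. The function names, the 256-byte buffers and the sample URI "/cgi-bin/badthing" are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical normalizer, not Snort's http_decode: copy the request line
   into out with every run of spaces/tabs collapsed to a single space,
   stopping at end of line. Returns the normalized length. */
size_t normalize_request_line(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    int pending_space = 0;
    for (const char *p = in; *p && *p != '\r' && *p != '\n'; p++) {
        if (*p == ' ' || *p == '\t') { pending_space = 1; continue; }
        if (pending_space && o > 0 && o + 1 < outsz) out[o++] = ' ';
        pending_space = 0;
        if (o + 1 < outsz) out[o++] = *p;
    }
    if (outsz) out[o] = '\0';
    return o;
}

/* Emulates a content match with "depth N": the pattern must lie entirely within the first N bytes. */
int content_match_depth(const char *buf, const char *pattern, size_t depth) {
    size_t blen = strlen(buf), plen = strlen(pattern);
    size_t limit = depth < blen ? depth : blen;
    if (plen == 0 || plen > limit) return 0;
    for (size_t i = 0; i + plen <= limit; i++)
        if (memcmp(buf + i, pattern, plen) == 0) return 1;
    return 0;
}

/* Constructed sample: "GET" + pad spaces + a made-up URI. Returns bytes written, 0 if buf is too small. */
size_t build_padded_request(char *buf, size_t bufsz, size_t pad) {
    const char *tail = "/cgi-bin/badthing HTTP/1.0\r\n";
    size_t tlen = strlen(tail);
    if (bufsz < 3 + pad + tlen + 1) return 0;
    memcpy(buf, "GET", 3);
    memset(buf + 3, ' ', pad);
    memcpy(buf + 3 + pad, tail, tlen + 1);
    return 3 + pad + tlen;
}

/* 1 if the sample URI is found within `depth` bytes of the raw (normalize == 0) or normalized request line. */
int check_request(size_t pad, size_t depth, int normalize) {
    char req[256], norm[256];
    const char *target = req;
    if (!build_padded_request(req, sizeof req, pad)) return -1;
    if (normalize) { normalize_request_line(req, norm, sizeof norm); target = norm; }
    return content_match_depth(target, "/cgi-bin/badthing", depth);
}
```

With 60 spaces of padding, check_request(60, 50, 0) returns 0 (the depth 50 rule misses) while check_request(60, 50, 1) returns 1, because the normalized line is the same "GET /cgi-bin/badthing HTTP/1.0" whatever the padding.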