Subject: Re: [Snort-users] reputation
From: Martin Roesch (roesch md.prestige.net)
Date: Mon Nov 20 2000 - 21:48:44 CST
Well, I don't depend on Snort as my only detection technology (gasp!), why
would anyone else? Sure, telling the hackers what you're running can give
them some valuable intel, but only if they're attacking something that's using
the standard config, rules, etc, and only if they happen to hit the segment
that the sensor is on, etc. There are so many variables involved that the
knowledge that an organization is using a specific security technology is not
much of an edge anymore.
Anyway, if I was an attacker I'd always assume that the target was running
Snort and ipfilter/ipchains at least! :) (I'd also be suspicious that any
vulnerable machine I saw could be a honeypot, but maybe I'm just paranoid
after working on all of those technologies over the last five years).
-Marty
Brian wrote:
>
> According to Dr SuSE:
> > I think it would be cool if we created a list of companies and
> > institutions that use Snort, it might help some of us in the future as far
> > as obtaining approval for Snort related projects.
> > I'll start the list with:
> > drsuse.org
>
> That's not such a hot idea. Security in depth. Don't advertise what
> software you are using. It's great that everyone uses snort. GIAC gets
> more snort logs than anything else.
>
> Why on earth would you publicly announce what you are using to
> protect your network? There are some things that the snort engine
> does not have plug-ins for. With the knowledge of what IDS software
> people use, the attacker knows what he needs to do in order to not
> get caught.
>
> --
> Brian Caswell
> The MITRE Corporation
> _______________________________________________
> Snort-users mailing list
> Snort-users lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
--
Martin Roesch
roeschmd.prestige.net
http://www.snort.org