Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Technology

Snort up For Revamp, says Creator 148

A reader writes:"The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul. Martin Roesch has told the AusCERT conference IDS has failed to impress the market, citing the inability of many to minimise the number of false alarms triggered by the monitoring devices. The next iteration will include "passive discovery" features."
This discussion has been archived. No new comments can be posted.

Snort up For Revamp, says Creator

Comments Filter:
  • Worked ok for me (Score:3, Informative)

    by HogynCymraeg ( 624823 ) on Monday May 24, 2004 @11:18AM (#9238729)
    I used snort on an IPCOP [ipcop.org] box. Worked ok for me.
    • Re:Worked ok for me (Score:5, Interesting)

      by justsomebody ( 525308 ) on Monday May 24, 2004 @12:01PM (#9239174) Journal
      It's not the problem with working or not.

      Snort just isn't ready for serious use in enterprise. Sounds silly, but... Too many false positives may very well lock network.

      Here is a simpler case. On Port detectors.
      Why don't port detectors use iptables lock out of port scanners (or even better why it is not suggested).

      Most of port scan detectors count actual SYN,FIN and other blocked TCP blocks which are marked as invalid on your firewall. Not even one of them doesn't take to account that some features are completely valid even though they are not. (here is the case: You're running ftp server, that means port 21 is open, does it really matters if SYN,FIN occurs on that port???) Secondary they don't take to account some stupidity. (You don't really care if one machine has scanned your port XXX (yes, your pr0n port) for 50 times), result was always the same. This should count as 1 and not as 50. With this relatively simple logic port scan detectors would exclude false positives in a very simple way. And you could be sure thatsomeone that scanned 50 ports (different and not public open) is really port scanner.

      Now go to second level. Porscan detector is just one of many functions that snort provides. And even here there's many false positives.

      Actualy I use Snort very differently. Redirected logs to my external processor and this processor excludes invalid information, after that reaction on firewall or server follows. That way was the only possible way to get fairly restrictive measures with not too many false positives.
  • Not funny (Score:4, Insightful)

    by SirChris ( 676927 ) on Monday May 24, 2004 @11:20AM (#9238752) Journal
    not meant as a joke but i think it could also have to do with the psychological fact that Snort just sounds like something you want to distance yourself from. I wouldn't associate myself with a program called mucus-mouth no matter how good it was.
    • by dallask ( 320655 ) <codeninja@gmail.cERDOSom minus math_god> on Monday May 24, 2004 @11:38AM (#9238971) Homepage
      maybe they can rename it "Blow" :)
    • Re:Not funny (Score:5, Insightful)

      by flynt ( 248848 ) on Monday May 24, 2004 @12:19PM (#9239363)
      Martin Roesch has told the AusCERT conference IDS has failed to impress the market,

      He's not saying Snort has failed to impress the market, but rather that in general, all IDS systems have, which is true.
    • by Kaa ( 21510 )
      A sense of humor is a wonderful thing, in case you were wondering...

      And I associate the word "snort" with two things: either a sarcastic disbelieving chuckle, or an angry rhino. Umm... maybe you have something there about wanting to distance myself from... :-)

    • During a recent interview I was asked about my experiences with IDS systems. I joked with the guy interviewing me (also the hiring manager) that I was using Snort on ACID*, and how that wasn't a phrase you should use in the elevator or when around non-geek types. He agreed and laughed.

      Sad part is, I just got the call 5 minutes ago saying that I didn't get the job. :-(

      * (Analysis Console for Intrusion Databases)

    • > I wouldn't associate myself with a program
      > called mucus-mouth no matter how good it was.

      Not even if it sent naked girls to you in your apartment every day?

      Everybody has a tolerance limit...
  • Cool, but effective? (Score:5, Interesting)

    by Allen Zadr ( 767458 ) * <Allen@Zadr.gmail@com> on Monday May 24, 2004 @11:20AM (#9238755) Journal
    From the article:
    "The idea is to take a policy like 'thou shalt not run OS X on the network,' and then if someone with a Mac plugs into our network... it can tell the firewall to [block them],"...

    While this would be cool, the nature of TCP/IP says that it will be quickly defeated. There are already programs out there that will make your Linux box masquerade as another type of computer.

    If a policy says, thou shalt not run P2P - then the P2P will be reached through proxy. If you use snort regular expression detection (one of the coolest features) then new protocols will be written to look like an innocuous service (P2P though ICMP/Ping).

    The worst part, and my buddy Zero Hex [slashdot.org] could talk about this forever, is when ISPs start using this to enforce their will on users. Thou shalt not connect without Windows.

    Basically, it's not likely to enforce policies among those who actively want to get around them. Instead, it will enforce policies that push an agenda.

      • From your link:
        Certain revisions or patchlevels of an operating system may change the stack's behavior and cause it to either not match what's in the fingerprints file or to match another entry altogether.

        The above note does speak to one of the points I made. It's difficult to make this work correctly, and effectively (I use ipf on Solaris, and the OS SYN signatures are not reliable).

    • by Kenja ( 541830 ) on Monday May 24, 2004 @11:27AM (#9238841)
      "If a policy says, thou shalt not run P2P - then the P2P will be reached through proxy. If you use snort regular expression detection (one of the coolest features) then new protocols will be written to look like an innocuous service (P2P though ICMP/Ping)."

      A GOOD firewall will be doing more then just blocking ports. It will analyze packets to determine the type of comunication being used. Which is not to say such things can't be circumvented, but it is much harder then just using a proxy.

      The problem, and what this article is in many ways about, is dealing with false positives when checking for spacific types of network traffic.

      • by wfberg ( 24378 ) on Monday May 24, 2004 @11:57AM (#9239144)
        A GOOD firewall will be doing more then just blocking ports. It will analyze packets to determine the type of comunication being used. Which is not to say such things can't be circumvented, but it is much harder then just using a proxy.

        Not quite. Case in point; try blocking instant messengers on your network. Turns out that if you block specific ports, you'll find that they start using port 80.

        Ok, block any IM content on port 80, and they move to port 443, that's HTTPS, encrypted.

        Ok, so you block some IM server hostnames (there are many) on your DNS server and block access to outside DNS and proxies. Then you find out that there are apps such as htthost/httport [htthost.com] that will happily run on a box outside your network accepting encrypted traffic on the HTTPS port and with HTTPS headers, but that are actually proxies (similar things can be achieved on a linux box with a simple enough shellscript). This works easily enough to be downloaded by your smarter-than-average bear.

        P2P programs could easily go the HTTPS route if blocking becomes enough of a nuisance. They went route 80 (HTTP port) a long while ago.

        So what are your alternatives? Perhaps degrade network performance by interrupting (apparent) HTTPS sessions once in a while so that people won't be able to use certain applications? Or disallow any kind of encrypted communications?

        Creative people will always find a way around it. You're better off dealing with those sorts of threats from the inside by dealing with the people rather than the technology. That's probably also true for outside hackers, script-kiddies and virusauthors, but those you typically don't know.
        • by homer_ca ( 144738 ) on Monday May 24, 2004 @12:10PM (#9239281)
          You make a good point about people vs. technology. In security, policy is as important as firewalls. If IM's are prohibited by company policy and blocked so that advanced measures like httport are required to circumvent your block, you have good cause to reprimand someone found using IM.
          • by Allen Zadr ( 767458 ) * <Allen@Zadr.gmail@com> on Monday May 24, 2004 @12:38PM (#9239531) Journal
            If you know of something that can block MSN Messenger effectively, let me know. It installs as part of windows, and without user intervention, tries very hard to bypass detection and get through to it's home servers.

            I can have a policy - don't install this - don't use this, but most people do anyway just to make that damned message go away. "Wouldn't you like all the benefits of adding a .NET password to XP?". Sure, I can remove it, but the service packs put it back again. I turned it off through the registry, and a security update restored it. MSN Messenger is pervasive, and annoying. No user intervention necessary.

            Back to "smart detection" -- After the first blocked attempt, it talks using standard http then as https (also over the correct ports). I don't want to block any web page that 'could' actually be a web page though.

            • Did you try the "Set Programs Access and Defaults" to disable access to MSN Messenger? If you want to block on the firewall, you can run Messenger through an http proxy and log the hostnames it's trying to reach. I think the hostnames will be unique to Messenger and won't be a web page.
            • Geez just set a GPO to disallow running Msn Messenger and it'll stop bugging them!
            • Try Winblox (wblox) from Liu de Yu (cf. recent Bugtraq posts). If you grok regex, it's easy.
        • Ok, block any IM content on port 80, and they move to port 443, that's HTTPS, encrypted.

          Hold on now, just because something is using port 443, which also happens to be the standard HTTPS doesn't mean that it's automatically encrypted. Both sides of the connection have to be using an agreed upon encryption method. If they IM program was going to jump to port 80 just to run encryption, it could've done it just as easily on port 80. It's probably using 443 because that's the next "most-common" available por
        • It depends on the company and the OS in question as well...

          I know we don't block the firewall for these applications, however, SMS will uninstall them if detected on your PC when you logon.

          That means P2P is out, and IM is out except any of the web based IM such as AIM express etc...

          The application people just have to keep on top of what P2P and IM applications are out there so they can add "definitions" for SMS to look for.

        • wfberg,

          As an aspiring network security professional, I am very impressed with your skills in tracking down traffic that you don't want on your network. I have to ask though, wouldn't it be simpler to have a desktop policy that will take away the users ability to install p2p/IM apps?

          Thanks!
          • As an aspiring network security professional, I am very impressed with your skills in tracking down traffic that you don't want on your network. I have to ask though, wouldn't it be simpler to have a desktop policy that will take away the users ability to install p2p/IM apps?

            Can't use SNORT to do that ;-)

            Seriously though, there are some useful policies you can define for windows desktops if your workstations are hooked up to a domain/active directory.

            Most useful perhaps are the Windows XP (you must use
        • If I was the CTO of a company and I didn't want or was instruct to not let employees use IM programs. I would make very simply rules that blocked the traffic, which would take care of 99% of the non creative people. If I went to the next step of checking for IM content on port 80 I wouldn't block the traffic instead I would log it. After they talked to HR and understood that we didn't want IM on ANY port I imagine they would be uninstalling AIM. If not, I asure you the next time someone else would be d
        • Why isn't IM hit by DCMA or some other US regulations ?

          The apply different techniques to circumvent company firewalls, and whatever else is needed to no comply to company policies. And the suppliers does all they can to make it impossible to block. I.e. placing servers on different subnets where they also place other servers that people needs access to for other reasons.

          I think something should be done to kill this plague.
      • Sure, but gnutella (for instance) is already implimented using a structure that very closely follows the http protocol. So gnutella, across port 80, is very difficult to detect.

        So, even if I get 'smart' detection, how will this better protect me from getting false positives for P2P by users whom are hitting IP dotted addresses to find legitimate web sites.

        Computers can only get so smart, before they become smarter than you are...

        An example I would call on is Word. When I want to misspell a word on purp

        • One leading IPS vendor, Tippingpoint.com, can actually catch a specific protocol across any ports, such as eDonkey, Gnutella, KaZaA, Sharaza.

          University love these IPS products as a form of bandwidth saving measure.

          The unit usually pays for it own cost in form of bandwidth reduction (or avoidance of shelling out $$$ for additional bandwidth) in less than a year (or two).

          Oh, it also blocks those pesky HTTP tunneling proxy that student uses to defeat cheaper and less effective IDS vendors.

          Not to mention bl
    • Basically, it's not likely to enforce policies among those who actively want to get around them.

      You can raise the marginal cost for getting around them really high, to the point where the labor and possibly diminished performance isn't worth the effort.

      We've been demoing a Packeteer 2500 packet shaper, and it's a pretty amazing box. It uses content rules to identify specific protocols (as opposed to content-blind port numbers), which you can then apply bandwidth policies to, including "do not pass".
      • As the post above [slashdot.org] mentions, how effective is this against MSN Messenger? Messenger protocols will gladly talk http or https, and run over standard web ports.

        No MSN messenger is a common policy among companies. I'd be quite interested to see if it's effective, without cutting off web access (false positives).

        • MSN shows up as a distinct protocol in the Packetshaper's monitoring and management screens. They're using layer 7 analysis, it's not just port numbers. In fact, many of the protocols (referred to as traffic classes in Packeteerspeak) don't have a port definition they're dependent on.

          If I define my web proxy as a class and enable class discovery inside this class, I can see all the various classes it handles -- Windows Media Streams, Real Streams, MPEG, Quicktime over http.

          I don't know for sure, but I k
  • by justsomebody ( 525308 ) on Monday May 24, 2004 @11:25AM (#9238812) Journal
    Too many features might really mean to many false alerts (logs or mysql tables can get pretty crowded). But in any case it's usable to detect default signatures of attacks pretty well.

    Should be used? Yes, except some functions should be disabled
    Should be remodeled? Yes

    It has the same flaw as port scan attack detectors.
    • I don't agree with your but but I have a but of my own.

      I don't think the features need to be removed. THey need a system to get them to work together. That is one way to reduce false alarms. If the overall system knows how everything interacts. The monitors that is and it makes the determinations. Then when a problem is found it takes the information, diagnoses the problem and lets you know. It's the level and way it is done.

      I think it needs a revamp. But not in the same way many have thought of.
  • by Keruo ( 771880 ) on Monday May 24, 2004 @11:26AM (#9238818)
    the problem with IDS systems is encrypted traffic
    if someone wants to attack your network, they can easily implement proxy which will encrypt all the traffic they transfer and thus disabling the IDS's ability to analyze the traffic
    • by tkrabec ( 84267 ) * on Monday May 24, 2004 @11:32AM (#9238895) Homepage
      umm no, not completely, in order to attack your network the data has to become unencrypted at some point in time. When it does it becomes traceable and you'd then be able to analyze it. It may be a bit harder and require an IDS box on the inside of the network, too.

      -- Tim
      • it would require host based IDS.. by using network based one you might end up having funny effects,
        like in case of false alarm, the IDS would shut down connections from your net to outside world..
        that would be nasty to debug in a production environment
        • Well, not really. First, as with any IDP sensor, you need to tune it. That is, you run it for a few weeks without blocking traffic, find out what is normal for your network, and then set it to block based on a rule system learned from your tuning. Next, if there is a false alarm, you should set it to not block all traffic from the outside world, just traffic from the host that is causing that alarm, and for whatever default period of time you think is significant (15 min, etc.) If you take your time, a
    • ssldump is a good thing. http://www.rtfm.com/ssldump/
  • by dcgrigsby ( 167583 ) on Monday May 24, 2004 @11:29AM (#9238856)
    Some of what Martin says regarding minimizing false positives by correlating an attack with the correct platform, etc. is already being done by the open source IDS correlation project QuidScore:

    http://quidscor.sourceforge.net/ [sourceforge.net]
  • a way to improve.... (Score:5, Interesting)

    by millahtime ( 710421 ) on Monday May 24, 2004 @11:29AM (#9238861) Homepage Journal
    a way to improve this might be to take principles from the advanced diagnostics industry. There were a lot of false alarm rates with diagnostics for many years but now it is pretty well nailed down. They use some advanced methods to do diagnostics now. From the way monitors are used to the types of algorthyms.

    I know I can't spell. That's why I am an engineer.
    • a way to improve this might be to take principles from the advanced diagnostics industry.

      You wouldn't have a link or two? Maybe I'm dense but; Diagnostics of what exactly? Medical diagnostics? Computer networks? Car problems?

  • by k.panik ( 702186 ) on Monday May 24, 2004 @11:38AM (#9238970)
    "...If the new software detects an Apache server running on Linux, it will only look for attacks relevant to that configuration, instead of monitoring the device for an attack that would affect a Cisco router or Windows server..."

    This have 2 serious drawbacks:

    1. If someone is trying to brute-force attack your servers sending probes for every known exploit (aka. nessus), disabling alarms for software/services you don't run will not show the real size of the attack.

    2. In case of an infection similar to code red you won't be able to know wich infected servers are "attacking" you, so there is no way to block them in the router, firewall or reporting the virus-generated traffic to their ISP.

  • Akamai Mirror (Score:2, Informative)

    by karmatic ( 776420 )
    It's fast, it's friendly, and it's fun!

    Mirror Here [t28.net].
  • Snort Internals (Score:5, Interesting)

    by cerberusss ( 660701 ) on Monday May 24, 2004 @11:41AM (#9239000) Journal
    I analysed the Snort source during my study. It has been some time ago, so I don't know how much of the core code has changed. If anyone's interested, look here [vankuik.nl] and go to chapter 8. Snort ROCKS!

    • Re:Snort Internals (Score:1, Informative)

      by Anonymous Coward
      And yet they don't pick up patches if they are not "cool". I added support for a new DBMS to a previous version, and I submitted the patch. They didn't integrate it, and changed the code so the patch is no longer valid.

      Now people are mailing me directly for patch updates.. I'm not generating anymore since I don't want to keep up with the snort code on their schedule...

      oh well.

      I don't know how the current code is, but the old database code was kinda ugly; sacrificing code clarity for size.. for example yo
  • The idea is to take a policy like 'thou shalt not run OS X on the network,' and then if someone with a Mac plugs into our network... it can tell the firewall to [block them]," he said.

    If this Comes To Pass, all someone will have to do is fire-up snort on you network (custom knoppix cd anyone?) with a policy to not allow any MS products on the network, and *poof*! Instant, internally-generated DOS!
    • Of course, that only works if the attacker has the firewall password/snmp info anyway. And if the attacker has the password in the first place, he won't need snort anyway.

      "But what if he _installs_ a firewal?" If he has access to the cabling, all he has to do is cut it. Perfect internal DoS.

      Besides, if you really want to do that, go grab a copy of FIRE (no, I won't find the URL for you). Give ettercap a go. A couple of ARP packets, and you can take any windows machine off the local network (provided
      • Interesting scenario. I'm not sure how well that would work on a network where damn near every subnet is vlan'd (like the one I'm using at work).

        I'll have to go check out FIRE, sounds fun^H^H^H interesting as well.
    • If this Comes To Pass, all someone will have to do is fire-up snort on you network...Instant, internally-generated DOS!

      You don't really think that the firewall will be configured to accept alerts from any old IDS now do you? Likely if some one were to set this up, it would communicate between the IDS and the firewall (if they aren't the same machine) with encrypted TCP/IP packets using pre-shared keys. Unless you could crack the traffic and thus get the key, what shot do you realistically have to just

  • by Dark Coder ( 66759 ) on Monday May 24, 2004 @11:53AM (#9239106)
    Seems like most everyone needs to get off the IDS fence and go over and sit on the IPS fence.

    For the uninitiated, IPS stands for Intrusion Prevention System. What's the main difference?

    #1) IDS doesn't block bad traffic. IPS does. #2) IPS handles anomaly variants, IDS doesn't.

    IPS is a new technological way of filtering traffic over the simple brain-dead IDS method.

    You need to visit many of Tippingpoint's white papers [tippingpoint.com] to get the grift. (registration req. Just fake your email... I know, this is not an official endorsement, but I used to write IPS filters for them and my working real world experience shows that this IPS filter is more effective than any of Snort's filter.)

    I would love to write more IPS variant-resistant filters for SNORT but I'm afraid to tread on TPTI's handiwork (much less if I step on the same filter). Nonetheless, the defense industry picked me up. Go figure.

    IDS is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.

    • Oooh. Someone (prol'y from the IDS industry) has to be rather sore to hear the word "IDS is dead."

      Cheap shot to modding me down.
    • by Dark Coder ( 66759 ) on Monday May 24, 2004 @12:48PM (#9239623)
      With the IDS technology lagging today, several IPS vendors stepped in with several technological enhancement toward IDS.

      But the key issue confronting the IDS industry today is the lack of functional cohesion (or double-speak for functional capabilities working together).

      Some of the basic building blocks of network-based inline IPS feature set that is needed to work together perfectly are:

      1. Host-OS-based anomaly decision. Both passive and active scan are recommended to be default on.

      2. Deep high-speed REGEX support. Some REGEX chip market didn't materialized as robustly as they should (SafeNet/Raqia)

      3. Large-scale TCP connection tracking. This has to work at high-speed as well. Goes to protect against DoS, unwarranted connections and terminations of a pattern-hits' connection.

      4. Anchored, unanchored and floating pattern match hardware-assist are needed to work together to cover the variety of algorithms set forth today. This would be a current "1000-watt" hardware issue.

      5. Basic issue of quick sub-millisecond table update of content-search memory remains undauntedly elusive. Most H/W content-search engine requires intensive compilation of fancy tr[e|i]e algorithms floating around.

      How about weaning yourself of SNORT and start coalescing these incoherent IDS functional cohesions into an IPS?
    • Bullshit. IPS was a Gartner attempt to generate publicity that even they have disowned.

      Think about this logically: According to gartner, the critical flaw with Intrusion Detection Systems was false positives. The sheer number of false positives generated by IDS system was overwhleming the ability of network admistrators to react.

      Gartner's "solution"??? Intrusion Prevention Systems that would automatically act to block inappropriate behaviour.

      In what way, shape, or form does automatically locking down
      • Forget Gartner's glibs.

        How come TPTI doesn't generate false positives (never once did I see one during my Petabit testing tenure there and that is a fact; but the real mask behind the truth is I was testing for solid leads filter, not shaky vacuous filters that TPTI customer still wants, but these shaky filters are not of real values that predominately plague SNORT).

        Locking down Network Resources with a sledgehammer is not the answer, controlling them with a surgeon's knife is.

        Apparently, they have somet
      • I wish I had mod points. This sort of thing was mentioned by the instructor at the SANS conference I just attended last week. I think his exact words were something like, "IPS might be nice, but I guarentee there would be ways to game the system".

        To me the biggest problem with Snort right now is the lack of a good client. You can install ACID or any other number of log analyzers of course, but why wouldn't the Snort people themselves want to offer a nice client interface of some kind? Not a trivial task
      • IPS was a Gartner attempt to generate publicity that even they have disowned.

        Disowned? Sure, that's why the Gartner group will no longer be publishing an IDS Magic Quadrant (they're replacing it with an IPS one). Publicity stunt? That's why enterprise customers are flocking to IPS in droves, and former IDS vendors everywhere are frantically trying to play catch-up with those that have been doing prevention from day one (ie the previously referenced TippingPoint).
        It only took a quick walk through thi

        • Come to think of this, the famed CISSP certification is worthless with regard toward this new IPS arena...

          Even the SANS GAIC [giac.org] GCIA (Intrusion Analyst) certification is try to evolve to meet this new IPS technology, but until TPTI releases the ability to let end-user customized filters, the certification would be essentially worthless. Just too many IPS technological-curves for the ordinary IA guys to keep up. Really!

          It is tantamount to handing the wheel to a Formula 500 car over to a 15 1/2 year old t

    • A cut -n- paste job from a previous post. Sorry, but I am too lazy to rewrite the thing.

      My personal opinion is IPS's have been mislabeled since the beginning (aren't marketers wonderful). Take this definition I found in some Usenet archives [google.com] (circa 1992):

      "a combination of a security policy with some of the components
      above. Specifically, an implementation of the given policy that
      is enforced by a combination of screening and/or routing." [1]

      Geeze, seems like IPS would fit right in there. Now the
      • Bammkkkk,

        IDS and FW has already tied for 2004 Darwinism Award for not applying the Moore's Law consistently toward themselves. They simply fell off the chart and has not been able to hold a lighted candle toward IPS.

        TPTI cooked and delivered IPS in 2001-2002. (You say IDS vendors gathered in just in 2003, sheesh... no wonder, its a response to the surprise evolutionary newcomer, IPS)

        IDS and Layer 4-7 Firewall deftly merged together along with many more HW-based analysis algorithms to become a true inli
      • To those expert Intrusion Analysts (particularly those with GAIC GCIA certifications), it is possible to attain near-zero false-positives.

        One CTO at a well-know Maryland-based HIDS company stated to me personally that it is impossible to attain 0% false-positives. I agreed totally on this point BUT...

        Would the customer settled for something like one minus dot 9 nines? (0.0000001%)?

        Bammkkkk said:

        The vendor noticing the agnst in his customer's voice replies with "we are working on ways to reduce 'fal

        • You seem to be missing the point. It isn't about whether I think IPS is good/bad. I honestly think it's great. My point is that IPS doesn't replace an IDS. I feel you still need IDS. There are three components of Network Defense:

          Protection, Monitoring, and Response

          FWs/IPS/etc fall into Protection
          NIDS/HIDS/etc are in the Monitoring category

          I don't believe any protection (including IPS) will ever be 100% and therefore you better be implementing monitoring and response at some level. When I think IDS, I th
      • The idea of IPS is to largely minimizing the Network Security Monitoring aspect and the bloated payrolls for those CISSP (and sorry, GAIC GCIA) guys.

        Blocking would-be successful attack is the paramount goal of a basic first-generation IPS. An admin won't even get paged for these events (and along a whole lot of other false-alarm and much less false-positive events, but in the rare case that they are feeling idle, they can even turn that pager-feature on). Why bothered, IPS did its job.

        TPTI does capture
        • Sorry, why didn't you say that this was an I_P_S (Instant Protection System)? Guaranteed to stop 100% of all attacks. I didn't realize that by putting an I_P_S on my network, that no longer would I need to patch any of my systems, audit them for vunlerabilities, etc. Long live service pack 1! Woooo hoooo! No more worrying about systems running legacy applications that can't be upgraded! Users getting trojan via instant messanging applications? Not a problem! I can't wait to tell the board. Risk? We have no
          • Bammkkkk,

            Ok, ok... I'll suck it up. I, personally, wouldn't go without monitoring myself either.

            So, I do agree with you wholely on all your points.

            Could you at least agree that prevention is the forefront cornerstone of all defense mechanism?

            After all, prevention is a frequent dictum in the "Arts of War."
  • by VAXGeek ( 3443 ) on Monday May 24, 2004 @11:57AM (#9239143) Homepage
    I use Snort all the time. The only thing I really get false positives for in great numbers are portscans, but even that is easily tweakable in the config file. I'd rather see one too many security alerts than one too few.
  • by Afroplex ( 243562 ) on Monday May 24, 2004 @12:01PM (#9239178) Homepage
    Roesch works within Sourcefire (which puts a lot of development into Snort) as their lead engineer. I've talked with him over a teleconference call and I got the feeling that he loves working with the technology and tries to avoid the sales side of business. Also discussed during the conference call was exactly what this article pertains to.

    If Sourcefire's engineering puts out something like this and not their sales reps, then this is really close to being reality. Take a look at Sourcefire's website, you'll see something called RNA. RNA can do passive monitoring of a network and find what machines do what, and what they are running. I've worked with RNA on a production network - it does as advertised very well and even determines patch levels of some machines just by sniffing network traffic. It doesn't take a rocket scientist to put 2-and-2 together that Snort and RNA are on a collision course to work together considering they are from the same company. I would expect something before the end of the year.

    RNA though isn't open source, so I'm curious to this announcement if the underlying engine to that product will eventually be opened up.
    • See RNA description [sourcefire.com] for more details. A similar passive sniffer product is Tenable Security's NeVO [tenablesecurity.com].

      These kinds of products seem a good way of finding out what software is really on your network. They can look at banners as well as p0f-style [coredump.cx] operating system versions. And hence deduce whether you have applied all the patches.

      Smaller organisations with good control on software versions might find them overkill and just use arpwatch or DHCP logs instead.

      I don't think they will eliminate the need for acti

  • by phoxix ( 161744 ) on Monday May 24, 2004 @12:07PM (#9239233)
    The OSS app known as Hank [sourceforge.net] was pretty much written as a reponse to the short-comings of Snort.

    It supports XML based network rules, and has really advanced things like an ACBM implementation [silicondefense.com]

    Sunny Dubey
  • by Helevius ( 456392 ) on Monday May 24, 2004 @12:13PM (#9239296) Homepage
    The problem with IDS is not false positives. The problem is knowing what to do with an alert once it appears. If you don't have enough information to make sense of the alert, why bother triggering it in the first place?

    Most IDS vendors focus on ever more accurate alerts, but once they trigger they wash their hands of the problem. The end user must decide if the alert is truly significant to their situation and priorities. It's like having an anti-virus product cry wolf but never give any reasons for its identification of malware or background on its findings.

    An alternative to the "alert-centric" point of view is "Network Security Monitoring," which concentrates on giving analysts information to conduct at least rudimentary network-based investigation. Where most IDS care only about alerts, NSM-centric operations combine alert, session, full-content, and statistical data to give analysts a chance to identify and escalate incidents.

    A tool which uses Snort to generate alert data, combined with session and full content data from other sources, is Sguil [sourceforge.net].

    The April 2004 Sys Admin [samag.com] magazine features Sguil and a few other NSM tools.

    A book due in July, The Tao of Network Security Monitoring [taosecurity.com] (also at Amazon.com [amazon.com]) is all about NSM.

    Anything vendors can do, like Sourcefire's work with Snort, helps with more accurate identification. Just remember creating alerts is only the first step.

    All of the IPS fans out there should remember that their "prevention" depends on correctly identifying intrusions. All IDS and IPS products can be bypassed, which drives the need for audit-centric tools (especially using session data) which are content neutral and don't care about triggers, encryption, and so on.

    Helevius

    • NSM is the sagging NIDS/HIDS vendors' response to the IPS-industry and I predict this will largely fail to attain their goal as the various NSM books are outdated already. This is why...

      There is Prevention, Monitoring and Response in that order. Each stage incurs a tremendous cost-fold as an event progresses each stage. Nip this at the bud where is should be and that is Prevention.

      NIPS products are not easily bypassed compared to their heathen-breathen (IDS, NSM, FW) due to their in-line "bump-in-the

  • No lie they are making shirts that say this
    "From the Guys that brought you snort now bring you speed"

  • Distributors (Score:3, Insightful)

    by Gothmolly ( 148874 ) on Monday May 24, 2004 @12:36PM (#9239517)
    Could this revamp be due to pressure from companies which have built commercial offerings on Snort? Guardent's SDA tool [guardent.com] is basically a Snort box, x86 linux on commodity hardware. How many other money-making ventures out there depend on Snort, and what influence do they have over the Marty?
  • by xmas2003 ( 739875 ) on Monday May 24, 2004 @12:45PM (#9239592) Homepage
    The false positive problem also affects log analysis programs ... although argueably, it's more a matter of how you use and tune it. I.e. most people expect to install Swatch [sourceforge.net] (or other log scraper) and have it just "work outa the box" ... but in reality, you have to understand what is "normal" in your network and then tune out the false positives accordingly. Same things with network IDS tools such as Snort (MartyR is one smart dude BTW) ... although I "cheated" in that comparision because log scrapers are argueably host-based IDS's! ;-)

    If you are interested, read more about how Swatch and syslog [komar.org] are used in a large production environment.

  • Network Nazis!!! (Score:1, Interesting)

    by Anonymous Coward
    "The idea is to take a policy like 'thou shalt not run OS X on the network,' and then if someone with a Mac plugs into our network... it can tell the firewall to [block them],"
  • general IDS probs (Score:4, Interesting)

    by graf0z ( 464763 ) on Monday May 24, 2004 @12:49PM (#9239629)
    Network IDS have to fight several problems:
    • false positives: if this problem does not get solved, IDS won't work on larger sites. One solution could - maybe - be the interaction of an network IDS with a vulnerability scanner (eg packetalarm [packetalarm.com] which combines snort with nessus or the above mentioned quidscor) Roesch indicated. Smart attacks try to hide the actual exploit inside the intentional white noise of false positives.
    • false positives.
    • false positives.
    • encrypted traffic: if an ipsec roadwarrior attacks a service or an attacker targets the https-port of a webserver (not using detectable openssl-overflows :-), the IDS sensor has to sit between encryption endpoint and the target. That means that You may have to terminate https with stunnel at your IDS-sensor one hop in front of your apache instead of using mod_ssl ... And how do You detect malicious content in gpg-encrypted mails?
    • "protocol tunneling" or "firewall piercing": how do You detect an trojan inside a corrupted internal workstation calling home through harmlessly looking traffic like http (or even https)? It could craft the http-requests to be indistinguishable from real user traffic (using same proxy and proxy-credentials as the user if nesseccary).
    • everyday a new way of obfuscating exploits. Modern IDS know tcp-segment-reassembly, ip-fragment-reassembly, hundred ways of quoting and encoding (like unicode), but it's hard to catch up hackers creativity.
    • polymorphic attacks: we've already seen polymorphic shellcode. There will be polymorphic attacks as well. Your IDS engine will have to be much smarter than matching regex to detect those!
    • hand crafted variations of known exploits: there are open source exploits which can be modified such that the according snort rules does not strike any more.
    • there are myriads of exploitable cgi/php/.. scripts: once coded by a poor student or - worse - a webdesigner, never updated, not publicly known. The chance is not too bad for an experienced hacker to construct a never-seen-before exploit against some ancient webshop. If he avoids the well known evidences (like typing "id" into an unencrypted bindshell) the IDS won't scream.

    I fear that when attackers learn to make heavy use of triggering massive false positives, crypto & steanography, protocol-tunneling and start to build exploit-engines producing polymorphic code the days of pattern matching IDS are count. Maybe anomaly-detection (using statistics or neural networks) will help.

    Just my 2ct. /graf0z

  • sneeze? (Score:2, Informative)

    by krappie ( 172561 )
    Haha. I wonder if this whole thing has ANYTHING to do with this?

    http://www.phrack.org/unoffical/p62/p62-0x0d.txt [phrack.org]
  • I like the idea of Sourcefire's RNA product ("Realtime Network Awareness"). The idea is that it will use passive os fingerprinting to find out what's out there, and tap a database of vulnerabilities to see if there's a serious problem.

    But I want the other alerts - the cmd.exe attempts on Apache servers, etc. - as correlation for the other alerts. I agree there's a huge value in separating the stuff that's merely for correlating with the serious alerts.

    You can set an alert level = harmless just to get th
  • by Omega1045 ( 584264 ) on Monday May 24, 2004 @01:52PM (#9240193)
    I haven't used Snort for a while. We used it at a little ISP I worked at to protect various parts of our network. If I recall we were running Snort on some small linux build like trinix. We had old desktop machines running snort with rulesets that were mean for each segment i.e. the Snort box sitting on front of our NT machine was watching for NT attacks, etc. I never recall having performance issues; Snort was very fast even on old machines.

    We ended up putting together a little access db that we could generate rules for snort based on critieria like port, os, etc. Eventually we turned this into the first Snort rules site snort.rapidnet.com which is now down. I would imagine that any problems someone might have with Snort (or other IDS) is the correct config for a given scenario or situation.

    You have to give props to guys like Marty who make a really great, free product that the little guys can use to conduct homegrown (not homeland) security.

  • by greyfeld ( 521548 ) on Monday May 24, 2004 @01:52PM (#9240200) Journal
    The real problem with Snort, and this is coming from someone that has administrated Snort systems in two major companies, is management's lack of understanding that it takes labor to maintain these systems. They want something that they can just pay for up front and will work with no additional tuning or labor costs.

    This is the true failing of Snort and other IDS systems as well. They require labor to tune the ruleset and configuration to a network. They require constant updates and someone that can create signatures on the fly. They require someone that has a knowledge of TCP/IP protocols, routing, networking and the ability to analyze data and follow leads.

    Working with Snort is kind of like being a detective. The alerts are clues and you have to dig through a lot of other logs, traceroutes, whois, calling people on the phone and find out what they are doing, etc. It's all labor intensive and no one in management wants to dedicate the resources necessary to make it really work.

    I could spend all day working on Snort, but I have to monitor firewalls, email, viruses, go to meetings, train people and type on slashdot once in a while. And IPS is no different, it is not something you can just put in and leave forever and feel safe.

    Management needs to realize they need people on site to deal with the New World Order of constant hacking attempts. IDS admins are jobs needing to be filled, that's why Snort is not living up to the "promise". Management somehow twisted the promise of Intrusion Detection into some automaticlly, always upgraded intrusion prevention system that requires no labor, no upkeep and you never have to spend any more on it. They continue to live in a fantasy world and one day will end up hacked even though they got a raise for cutting their security budgets by 25% for the year.
    • Exactly.

      This perhaps could also be expressed by the old adage (possibly from Bruce Schneier?) that security is neither a product nor a state but a process.

    • Son, we live in a world that has walls, and those walls have to be guarded by men with software. Whose gonna do it? You? You, HR? I have more responsibility here than you could possibly fathom. You weep for payroll, and you curse the admins. You have that luxury. You have the luxury of not knowing what I know. That the cost of manpower, while costly, probably saved money. And that my existence, while grotesque and incomprehensible to you, saves money. I know deep down in places you dont talk about at partie
  • weird? (Score:2, Insightful)

    by Anonymous Coward
    whinge, whinge,

    * too many false positives, then tune your sensors - but then again _YOU_ will have to know and understand your network and its traffic.

    * requires too much time/labor/knowledge to use/setup/maintain - since when did the security industry stay static, or more likely since when did the otherside put their feet up and say, "enough is enough", we have created enough virii/worms/ddos apps/exploits...

    LOL, 'greyfeld' had it right in the last paragraph. Spend some money on Security you tight-fist
  • In the future, please refrain from beginning article titles with the words "snort up". Where I come from, they call that "the old bait & switch".
  • Snort up For Revamp, says Creator

    Well shit. If GOD is telling us to do it, how can we possibly condone laws against it?

    Snort up for revamp? Hell, I snort up for breakfast.
  • ... I've snorted up Mr Creator, where's my revamp? Let's do lunch!
  • by martyroesch ( 589524 ) on Monday May 24, 2004 @09:21PM (#9243934) Homepage
    The article missed a few key points so I'll try to set the record straight here.

    First off, my presentation was about making the case for Passive Network Discovery Systems (PNDS), a "new" technology that I created over at Sourcefire [sourcefire.com]. The basic idea of a PNDS is to discover the composition and topology of your network via a mix of passive OS fingerprinting and passive application layer protocol discovery and the other information that you can infer from that data, such as network topology and asset vulnerabilities. I sought to show how that technology could improve a variety of network security technologies by using the example of how Snort (and other IDS) works today and how it could be improved by integrating the information that comes from a PNDS.

    Sourcefire has developed a product called RNA [sourcefire.com] that performs the PNDS functions that I outlined during my talk. Note that it is a proprietary technology that we developed commercially and it is a completely separate product from Snort or the Sourcefire IDS sensors. We are not going to be integrating the functionality of RNA into Snort, we're going to be modifying Snort to take advantage of the information that a system like RNA can generate. In the best case scenario, RNA has a very different deployment profile than an IDS.

    I said that IDS has had trouble in the market because of its complexity and the requirement that users perform extensive tuning of IDSes in general in order to get maximum benefit from them. There are a lot of things that factor into this problem, but the root cause of almost all IDS problems today is that we don't have automated methods for provisioning them nor do we have effective methods of data reduction available that are automated, persistent and real-time. PNDS addresses that problem head on in a way that is appropriate for real-time processes like IDS in ways that traditional scanning technologies have a very tough time providing.

    I then went on to say that we're planning on making changes to Snort to enable it to leverage the information that a system like RNA provides and make it into a true target-based IDS [theaimsgroup.com], redefining how IDS operates and hopefully revitalizing it as a technology. Snort will still be available for free and will still operate in "classic" mode where it doesn't leverage this info for people who don't have passive discovery technologies (or even active ones) so that they can still continue to use it.

    Snort is not going to be doing the configuration policy enforcement (i.e. the "block OS X on my network" function), RNA is. RNA is capable of seeing devices on the network and discovering their attributes in real-time and communicating that data to our management console where it can be analyzed for policy compliance and where appropriate remediation responses can be executed. Not to get too deep into the marketing, but there are good engineering reasons for wanting to do this that include worm/virus containment, real-time IDS policy updates and some other really useful mechanisms for performing policy enforcement.

    We're making mods to Snort because we believe that we can make a truly next-generation IDS capability that is easier to deploy, manage and get valuable information out of due to the effect of RNA. This approach directly addresses all the arguments of the "IDS is dead" crowd while at the same time making IDS a much more impactful technology while greatly reducing the overhead requirements on users.

    I hope this clears things up for people!

  • One more thing (Score:4, Informative)

    by martyroesch ( 589524 ) on Monday May 24, 2004 @09:41PM (#9244059) Homepage
    IDS != IPS, IPS !>= IDS.

    Once again, with feeling:
    IDS is a network monitoring technology

    IPS is anaccess control technology

    We use IDS to let us know what's happening on our networks, how our policy is being enforced by our access control mechanisms and when there are security failures.

    We use IPS to "shoot down" attacks that are in flight before they can complete and affect the target.

    Confusing the two is the name of the game for IPS vendors because the FW vendors have deep pockets and the IPS guys didn't want to rock the boat at first. In-line network IPS is only useful as long as you have time to provision new detection signatures before attacks/worms come out, they are deterministic and therefore have a very tough time dealing with the unknown (and yes, I know they have the ability to do rate-based blocking in some cases, that's deterministic too). The natural progression for IPS technology is as a feature on a firewall, not as a stand alone independent product, it's just an enhancement to access control technology after all. The natural progression of IDS will remain as a stand alone product or perhaps it will disappear into the infrastructure of the network itself (e.g. switches), but it is going to be a necessity as long as people need to have visibility into what's happening outside the purview of their access control technologies. In-line network IPS only watches/defends your peering points, NIDS monitors everything if deployed properly.

    To claim that IDS is "dead" is to basically say that people should put on blinders and only watch the peering points, not a very realistic proposition in my opinion. IPS is not a replacement for IDS, those who say so either don't understand the role of IDS or they're selling something.

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...