Re: RE: IDS bakeoff - help!
From: n3m3s1s@hushmail.com
Date: 01/17/02
- Previous message: dr.kaos: "Re: Newbie IDS questions"
- Maybe in reply to: Higgins, Chris AG:EX: "RE: IDS bakeoff - help!"
From: n3m3s1s@hushmail.com To: "Higgins, Chris AG:EX" <Chris.Higgins@gems2.gov.bc.ca> Date: Thu, 17 Jan 2002 08:21:51 -0800
-----BEGIN PGP SIGNED MESSAGE-----
>From what I can see by the snort.conf file, you seem to be missing a large
>number of the rules files from the current ruleset. I don't know if this was
>deliberate but this may be what is causing the difference in your observed
>outputs from the various IDS's.
It was definitely deliberate. For the last couple of tests that I did, I reduced the rules to only include web rules thinking that less compares would mean better performance. So when I did my grep through the snort.conf, the rules that I had been using on earlier tests were commented out. I was still getting Unicode Directory Traversal alerts, but nothing for IIS cmd.exe which is in the web-iis.rules file which was being loaded.
That is the real thrust of my question: is snort not comparing against the signatures because it can't handle the traffic? It appears to me that the preprocessors are alerting, but rules are not. Would too much traffic cause this? Or am I doing something wrong?
Norman
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wlwEARECABwFAjxG/ToVHG4zbTNzMXNAaHVzaG1haWwuY29tAAoJEFhAkA76am0fUD0A
nRp12qkpm1kR9SkFedC9/inci9oDAJ9+O+kldrAHadAfxcQpJDJB4lFgnA==
=oRpM
-----END PGP SIGNATURE-----
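One way to check the "preprocessors alert, rules don't" observation above is to tally Snort's alert output by where each alert came from: rule alerts carry a `[gid:sid:rev]` tag, while preprocessor alerts (such as `spp_http_decode`) carry only a module name and message. The script below is an added example, not code from the original post or from the Snort project; the alert lines it parses are constructed samples in Snort's "alert fast" style, with made-up addresses and a sample SID, and the `rules_silent` heuristic is the author's own. If rules stay silent while preprocessors keep firing, the next thing to compare is Snort's packet-drop counters from its exit statistics, which this script does not read.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert fast" output (not from the original post).
# Rule alerts carry a [gid:sid:rev] tag; preprocessor alerts carry only the
# module name. Addresses and the SID are made up for illustration.
SAMPLE_ALERTS = """\
01/17-08:21:51.100000 [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.10:3344 -> 198.51.100.5:80
01/17-08:21:51.200000 [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:3345 -> 198.51.100.5:80
01/17-08:21:52.300000 [**] spp_http_decode: IIS Unicode attack detected [**] 192.0.2.11:4000 -> 198.51.100.5:80
01/17-08:21:53.400000 [**] spp_portscan: PORTSCAN DETECTED from 192.0.2.12 [**]
01/17-08:21:54.500000 [**] [1:1002:2] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:4001 -> 198.51.100.5:80
"""

# "[**] [gid:sid:rev] message [**]" -> a rule (signature) alert
RULE_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]")
# "[**] spp_module: message [**]" -> a preprocessor alert
PREPROC_RE = re.compile(r"\[\*\*\] (spp_\w+): (.*?) \[\*\*\]")


def classify_alert(line):
    """Return ("rule", sid, msg), ("preprocessor", module, msg), or None."""
    m = RULE_RE.search(line)
    if m:
        return ("rule", int(m.group(2)), m.group(4))
    m = PREPROC_RE.search(line)
    if m:
        return ("preprocessor", m.group(1), m.group(2))
    return None


def summarize(text):
    """Count alerts by source (rule vs preprocessor) and by message text."""
    by_source = Counter()
    by_msg = Counter()
    for line in text.splitlines():
        parsed = classify_alert(line)
        if parsed is None:
            continue
        source, _ident, msg = parsed
        by_source[source] += 1
        by_msg[msg] += 1
    return by_source, by_msg


def rules_silent(text):
    """Heuristic (author's own): preprocessors fired but no rule alert did."""
    by_source, _ = summarize(text)
    return by_source["preprocessor"] > 0 and by_source["rule"] == 0


if __name__ == "__main__":
    sources, messages = summarize(SAMPLE_ALERTS)
    print("alerts by source:", dict(sources))
    for msg, n in messages.most_common():
        print(f"{n:4d}  {msg}")
    print("rules silent while preprocessors fire:", rules_silent(SAMPLE_ALERTS))
```

Run it against a real alert file by replacing `SAMPLE_ALERTS` with the file's contents; a mix of `spp_http_decode` alerts and zero `[1:sid:rev]` alerts for the same HTTP sessions is the pattern to look for before blaming traffic volume, since a packet that reached the HTTP preprocessor also reached the detection engine.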