RE: Protocol Anomaly Detection IDS
From: Sonit Jain (sonit@gajshield.com)
Date: 02/12/03
- Previous message: Steven Richards: "RE: Active response... some thoughts."
- In reply to: Frank Knobbe: "Re: Protocol Anomaly Detection IDS"
- Next in thread: Yaakov Yehudi: "Re: Protocol Anomaly Detection IDS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Sonit Jain" <sonit@gajshield.com> To: "'Frank Knobbe'" <fknobbe@knobbeits.com>, <focus-ids@securityfocus.com> Date: Wed, 12 Feb 2003 15:40:36 +0530
Hi,
Has anyone actually got Snort to detect protocol misuse for HTTP, FTP or SMTP, i.e. ensuring that packets to these protocols adhere to the RFCs? I tried to find rule sets to detect protocol misuse, but was not able to do so. Any pointers will definitely help.
Thanks,
Sonit Jain
-----Original Message-----
From: Frank Knobbe [mailto:fknobbe@knobbeits.com]
Sent: Wednesday, February 12, 2003 1:47 AM
To: focus-ids@securityfocus.com
Cc: slyph@alum.mit.edu; Martin Roesch
Subject: Re: Protocol Anomaly Detection IDS
On Mon, 2003-02-10 at 20:04, Martin Roesch wrote:
> Just as an FYI, Snort can do protocol anomaly detection, through its
> rules-based engine, its decoder and in its preprocessors. Protocol
> anomalies mean different things to different people, of course, so it
> depends on what you're really looking for.
>
> People commonly think of Snort as a "signature based" IDS only; it's
> actually capable of a lot more than that...
In addition, besides signatures and protocol anomalies, Snort can also be
used as a behavioral IDS. I have a habit of stressing the fact that
after a Snort install/setup in your network, one should strive to craft
additional Snort rules that define abnormal traffic, such as a web
server establishing connections to the outside, etc. Snort is very
capable of detecting abnormal traffic that way, and through its
detailed logging can give you clues to what's going on.
Case in point: just the other day, an engineer of a network vendor set
up a laptop on the perimeter of a company to do some maintenance, and
left the laptop hooked up overnight. Unfortunately, it was running an
anonymous-writable FTP server. The company's signature-based IDS didn't
complain, but the company's statistical IDS alerted to an FTP server,
which wasn't of much concern to the company since they knew that this IP was
used by that laptop. Our Snort-based appliance however picked up on the
fact that there was a) an abnormal, rogue FTP server present, and b) that that
laptop was receiving parts of a Harry Potter movie in AVI form :)
indicating an insecure system (which our test confirmed).
So, Snort is not just a signature and anomaly based IDS, it is also a
behavioral IDS.
Regards,
Frank
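As an added illustration (not part of either message above, and not Frank's or Sonit's rules), the following Snort 2.x rules fragment shows what the "behavioral" rules Frank describes look like in practice: one rule for an internal web server initiating an outbound connection, one for an FTP server banner coming from a host that is not a sanctioned FTP server, and one for an AVI container (RIFF header with the "AVI " form type) being transferred to an internal host. The network variables, the address values and the sids in the 1000000+ local range are assumptions chosen for the example; adjust them to your own site.

```snort
# Added example: behavioral Snort rules in the spirit of the thread above.
# Addresses and variable names are placeholders for this illustration.
var HOME_NET 192.168.1.0/24
var WEB_SERVERS [192.168.1.10,192.168.1.11]
var FTP_SERVERS [192.168.1.20]

# A web server answers connections; it should not open new ones to the
# outside. flags:S matches only the initial SYN of an outbound connection.
alert tcp $WEB_SERVERS any -> !$HOME_NET any \
    (msg:"BEHAVIOR web server initiating outbound TCP connection"; \
    flags:S; sid:1000001; rev:1; \
    classtype:policy-violation;)

# Any host other than the sanctioned FTP servers sending an FTP greeting
# ("220 ...") on port 21 is a rogue FTP service, like the laptop in the thread.
alert tcp !$FTP_SERVERS 21 -> any any \
    (msg:"BEHAVIOR FTP server banner from non-sanctioned host"; \
    flow:from_server,established; content:"220 "; depth:4; \
    sid:1000002; rev:1; classtype:policy-violation;)

# AVI files are RIFF containers: bytes 0-3 are "RIFF", bytes 8-11 are "AVI ".
# This fires on the packet that carries the start of such a file towards an
# internal host, regardless of which port (e.g. a passive FTP data port) it
# arrives on.
alert tcp any any -> $HOME_NET any \
    (msg:"BEHAVIOR AVI container transferred to internal host"; \
    flow:established; content:"RIFF"; depth:4; \
    content:"AVI "; offset:8; depth:4; \
    sid:1000003; rev:1; classtype:policy-violation;)
```

Two caveats a practitioner will hit immediately: the first rule needs exceptions for the outbound traffic a web server legitimately generates (DNS, NTP, patch mirrors), which is best done by narrowing the destination to `!$HOME_NET` minus those hosts rather than by raising thresholds; and the third rule only sees a transfer whose RIFF header actually crosses the sensor in one packet, so a file that is resumed mid-stream will not match. Both are policy rules, not signatures of a known attack, which is exactly the point of the thread.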