Future Of IDS
A reader wrote to us about a summary article regarding IDS. This is an interesting article insofar as it attempts to prognosticate what the future holds for detection, and it draws in some interesting work on security modelling. T: Readers may also want to see this vnunet article on IDS products -- guess what comes out on top?
I'm sure I'm going to get mod'd down or marked flamebait for this, but here it goes...
Has anyone ever bothered to actually READ the Snort signatures? I actually spent quite a few hours going over them and found a number of things:
1) Massive false positives. Almost all of the HTTP signatures only look for a request to a vulnerable CGI/ASP/etc, not for the actual exploit. This means perfectly normal/valid requests generate alerts.
2) Many sigs are easy to avoid. For HTTP sigs that actually try to look for the exploit it's generally a matter of putting a fake &var=value between the ? and the exploited param since Snort can only do simple string matching.
3) Many sigs are just plain stupid. I love the one that looks for the string "I love you" everywhere in all SMTP traffic. Heaven forbid someone at your company email their wife/husband/etc.
4) There are a number of sigs that have hard-coded strings for specific BROKEN exploits. Basically, they'll detect the broken exploit, which will catch the scriptkiddies, but anyone with half a brain who fixed the exploit won't be detected.
Unfortunately, tuning the IDS (turning off signatures) isn't a valid means of reducing false positives, since it makes you completely blind to the attack, which means you either get deluged with alerts or miss legitimate threats to your network.
Honestly, I got so fed up with Snort and wasting my time with it, that I finally decided to get rid of it and spend the saved time being more proactive in securing my systems.
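The two complaints above (path-only signatures that fire on benign requests, and content signatures that a decoy `&var=value` slips past) both come from matching raw substrings of the request. As an added example, not from the poster and not Snort's own code, the following parses the request line and checks the exploited parameter wherever it sits in the query string, after URL-decoding; the script name `view.cgi`, the parameter `file`, and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines (not captured traffic). "view.cgi" and its
# "file" parameter are hypothetical names for a vulnerable script.
REQUESTS = [
    "GET /cgi-bin/view.cgi?file=index.html HTTP/1.0",                    # benign use
    "GET /cgi-bin/view.cgi?file=../../etc/passwd HTTP/1.0",              # traversal attempt
    "GET /cgi-bin/view.cgi?x=1&file=..%2F..%2Fetc%2Fpasswd HTTP/1.0",    # decoy param + encoding
]

# Hypothetical substring signatures in the two styles the post criticises.
PATH_ONLY_SIG = "/cgi-bin/view.cgi"        # fires on every request to the script
CONTENT_SIG = "view.cgi?file=../"          # only fires if the payload follows "?" directly

# What a traversal value looks like once the parameter has been decoded.
TRAVERSAL = r"\.\./"


def substring_match(request: str, sig: str) -> bool:
    """Plain substring check, i.e. the behaviour the poster describes."""
    return sig in request


def parameter_match(request: str, script: str, param: str, pattern: str) -> bool:
    """Parse the request target, find `param` anywhere in the query string,
    URL-decode it and test the decoded value against `pattern`."""
    try:
        _method, target, _version = request.split()
    except ValueError:
        return False                       # not a well-formed request line
    parts = urlsplit(target)
    if not parts.path.endswith(script):
        return False                       # different script, nothing to check
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    return any(re.search(pattern, v) for v in values)


def evaluate() -> list:
    """Run all three checks over the sample requests; one dict per request."""
    return [
        {
            "path_only": substring_match(r, PATH_ONLY_SIG),
            "content": substring_match(r, CONTENT_SIG),
            "param": parameter_match(r, "view.cgi", "file", TRAVERSAL),
        }
        for r in REQUESTS
    ]
```

The benign request trips the path-only check (a false positive), the decoy request slips past the content substring, and only the parameter-aware check flags exactly the two traversal attempts.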