Slashdot Mirror


Snort up For Revamp, says Creator

A reader writes: "The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul. Martin Roesch has told the AusCERT conference IDS has failed to impress the market, citing the inability of many to minimise the number of false alarms triggered by the monitoring devices. The next iteration will include "passive discovery" features."

15 of 148 comments

  1. Worked ok for me by HogynCymraeg · · Score: 3, Informative

    I used snort on an IPCOP box. Worked ok for me.

  2. been done by Triumph+The+Insult+C · · Score: 4, Informative
    --
    vodka, straight up, thank you!
  3. Open Source IDS Correlation by dcgrigsby · · Score: 5, Informative

    Some of what Martin says regarding minimizing false positives by correlating an attack with the correct platform, etc. is already being done by the open source IDS correlation project QuidScore:

    http://quidscor.sourceforge.net/

    1. Re:Open Source IDS Correlation by _dl_ · · Score: 2, Informative

      Well, you can still download the source and adapt the concept to use another vulnerability assessment tool, not just Qualys'.

      Or in general, this shows that there are ways to enhance both tools' efficiency by combining them.

      ps: I was the lead on Quidscor, so yes, I'm biased :-)

  4. Akamai Mirror by karmatic · · Score: 2, Informative

    It's fast, it's friendly, and it's fun!

    Mirror Here.

  5. Intrusion Prevention System is the key by Dark+Coder · · Score: 4, Informative
    Seems like most everyone needs to get off the IDS fence and go over and sit on the IPS fence.

    For the uninitiated, IPS stands for Intrusion Prevention System. What's the main difference?

    #1) IDS doesn't block bad traffic. IPS does. #2) IPS handles anomaly variants, IDS doesn't.

    IPS is a new technological way of filtering traffic over the simple brain-dead IDS method.

    You need to visit many of Tippingpoint's white papers to get the gist. (registration req. Just fake your email... I know, this is not an official endorsement, but I used to write IPS filters for them and my working real world experience shows that this IPS filter is more effective than any of Snort's filters.)

    I would love to write more IPS variant-resistant filters for SNORT but I'm afraid to tread on TPTI's handiwork (much less if I step on the same filter). Nonetheless, the defense industry picked me up. Go figure.

    IDS is truly dead. Stop beating a dead horse. Get over it, bud. IPS is your savior.

  6. Hank: the response to snort by phoxix · · Score: 4, Informative

    The OSS app known as Hank was pretty much written as a response to the shortcomings of Snort.

    It supports XML based network rules, and has really advanced things like an ACBM implementation.

    Sunny Dubey

  7. Re:Cool, but effective? by homer_ca · · Score: 5, Informative

    You make a good point about people vs. technology. In security, policy is as important as firewalls. If IM's are prohibited by company policy and blocked so that advanced measures like httport are required to circumvent your block, you have good cause to reprimand someone found using IM.

  8. Re:Man bites dog. by dilettante · · Score: 2, Informative
    I work on an Air Force-funded project for disseminating tactical intelligence info. The IDS that this system uses: Snort.

    Then again, maybe the government doesn't have enough money for the better-quality commercial IDS.

  9. Re:Cool, but effective? by rograndom · · Score: 2, Informative

    Ok, block any IM content on port 80, and they move to port 443, that's HTTPS, encrypted.

    Hold on now, just because something is using port 443, which also happens to be the standard HTTPS port, doesn't mean that it's automatically encrypted. Both sides of the connection have to be using an agreed-upon encryption method. If the IM program was going to jump to port 443 just to run encryption, it could've done it just as easily on port 80. It's probably using 443 because that's the next "most-common" available port since port 80 was blocked.
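To make the point above checkable rather than argued, here is an added example (not code from the thread or from Snort) that classifies the first client bytes of a flow and flags flows whose protocol contradicts the port's convention, such as cleartext HTTP or an unknown chat protocol on 443. The `Flow` type, the `EXPECTED` table and all sample payloads are constructed assumptions for this example.

```python
"""
Port 443 is not "encrypted" by itself: classify the first client bytes of a
flow and report flows whose protocol does not match the port's convention.
Sample payloads below are constructed for this example.
"""
from dataclasses import dataclass

@dataclass
class Flow:
    dst_port: int
    payload: bytes          # first bytes the client sent on the connection

# Conventional protocol per port; anything else on these ports is worth a look.
EXPECTED = {443: "tls", 80: "plaintext-http"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 3.x, 2-byte length,
    followed by handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    return (data[0] == 0x16 and data[1] == 3 and data[2] <= 4
            and record_len > 0 and data[5] == 0x01)

def classify(payload: bytes) -> str:
    if looks_like_tls_client_hello(payload):
        return "tls"
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"

def port_mismatches(flows):
    """Return (port, label) for every flow whose payload contradicts its port."""
    out = []
    for f in flows:
        label = classify(f.payload)
        if f.dst_port in EXPECTED and label != EXPECTED[f.dst_port]:
            out.append((f.dst_port, label))
    return out

# Constructed samples: a ClientHello-shaped prefix, a cleartext HTTP request
# on 443, a non-TLS chat-style greeting on 443, and ordinary HTTP on 80.
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    Flow(443, b"GET /gateway HTTP/1.1\r\nHost: im.example.test\r\n\r\n"),
    Flow(443, b"HELLO chat/1.0 user=alice\r\n"),
    Flow(80, b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for port, label in port_mismatches(SAMPLE_FLOWS):
        print(f"port {port}: saw {label}, expected {EXPECTED[port]}")
```

A real sensor would apply the same check to the first data segment of each new TCP session rather than to a pre-captured list.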

  10. Re:Snort Internals by Anonymous Coward · · Score: 1, Informative

    And yet they don't pick up patches if they are not "cool". I added support for a new DBMS to a previous version, and I submitted the patch. They didn't integrate it, and changed the code so the patch is no longer valid.

    Now people are mailing me directly for patch updates.. I'm not generating any more since I don't want to keep up with the snort code on their schedule...

    oh well.

    I don't know how the current code is, but the old database code was kinda ugly; sacrificing code clarity for size.. for example you could support ODBC _or_ MSSQL but not both. ODBC + MSSQL didn't work... that is because they had an ifdef ODBC and ifdef MSSQL which were mutually exclusive.

  11. sneeze? by krappie · · Score: 1, Informative

    Haha. I wonder if this whole thing has ANYTHING to do with this?

    http://www.phrack.org/unoffical/p62/p62-0x0d.txt

  12. Re:Cool, but effective? by Aliencow · · Score: 2, Informative

    Geez just set a GPO to disallow running MSN Messenger and it'll stop bugging them!

  13. Setting the record straight by martyroesch · · Score: 4, Informative
    The article missed a few key points so I'll try to set the record straight here.

    First off, my presentation was about making the case for Passive Network Discovery Systems (PNDS), a "new" technology that I created over at Sourcefire. The basic idea of a PNDS is to discover the composition and topology of your network via a mix of passive OS fingerprinting and passive application layer protocol discovery and the other information that you can infer from that data, such as network topology and asset vulnerabilities. I sought to show how that technology could improve a variety of network security technologies by using the example of how Snort (and other IDS) works today and how it could be improved by integrating the information that comes from a PNDS.

    Sourcefire has developed a product called RNA that performs the PNDS functions that I outlined during my talk. Note that it is a proprietary technology that we developed commercially and it is a completely separate product from Snort or the Sourcefire IDS sensors. We are not going to be integrating the functionality of RNA into Snort, we're going to be modifying Snort to take advantage of the information that a system like RNA can generate. In the best case scenario, RNA has a very different deployment profile than an IDS.

    I said that IDS has had trouble in the market because of its complexity and the requirement that users perform extensive tuning of IDSes in general in order to get maximum benefit from them. There are a lot of things that factor into this problem, but the root cause of almost all IDS problems today is that we don't have automated methods for provisioning them nor do we have effective methods of data reduction available that are automated, persistent and real-time. PNDS addresses that problem head on in a way that is appropriate for real-time processes like IDS in ways that traditional scanning technologies have a very tough time providing.

    I then went on to say that we're planning on making changes to Snort to enable it to leverage the information that a system like RNA provides and make it into a true target-based IDS, redefining how IDS operates and hopefully revitalizing it as a technology. Snort will still be available for free and will still operate in "classic" mode where it doesn't leverage this info for people who don't have passive discovery technologies (or even active ones) so that they can still continue to use it.

    Snort is not going to be doing the configuration policy enforcement (i.e. the "block OS X on my network" function), RNA is. RNA is capable of seeing devices on the network and discovering their attributes in real-time and communicating that data to our management console where it can be analyzed for policy compliance and where appropriate remediation responses can be executed. Not to get too deep into the marketing, but there are good engineering reasons for wanting to do this that include worm/virus containment, real-time IDS policy updates and some other really useful mechanisms for performing policy enforcement.

    We're making mods to Snort because we believe that we can make a truly next-generation IDS capability that is easier to deploy, manage and get valuable information out of due to the effect of RNA. This approach directly addresses all the arguments of the "IDS is dead" crowd while at the same time making IDS a much more impactful technology while greatly reducing the overhead requirements on users.

    I hope this clears things up for people!
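The target-based idea described in this comment, as an added example that is not part of the post and not Sourcefire's or Snort's code: an alert is rated against a passively discovered asset inventory, so an exploit signature aimed at one OS or application is only "relevant" when the destination actually runs it, and hosts the inventory has not seen yet keep their alerts. The `Asset` and `Alert` types, the inventory, the signature IDs and the alert messages are all constructed assumptions.

```python
"""
Target-based alert triage: combine IDS alerts with a passively discovered
inventory (the PNDS idea) so a signature's target OS/application is checked
against what the destination host actually runs. All hosts, services,
signature IDs and alerts below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Asset:
    os_family: str                                  # e.g. "linux", "windows"
    services: dict = field(default_factory=dict)    # port -> application name

@dataclass
class Alert:
    sid: int
    msg: str
    dst_ip: str
    dst_port: int
    target_os: Optional[str] = None     # OS the signature's exploit targets
    target_app: Optional[str] = None    # application it targets, if any

# Inventory as a passive discovery system would build it from observed traffic.
INVENTORY = {
    "10.0.0.5": Asset("linux", {80: "apache", 22: "openssh"}),
    "10.0.0.9": Asset("windows", {80: "iis", 445: "smb"}),
}

def triage(alert: Alert, inventory: dict) -> str:
    """Return 'relevant', 'irrelevant' or 'unknown' for one alert."""
    asset = inventory.get(alert.dst_ip)
    if asset is None:
        return "unknown"            # no passive data: keep the alert
    if alert.target_os and alert.target_os != asset.os_family:
        return "irrelevant"         # e.g. a Windows exploit aimed at a Linux box
    if alert.target_app:
        app = asset.services.get(alert.dst_port)
        if app is None:
            return "unknown"        # service on that port not discovered yet
        if app != alert.target_app:
            return "irrelevant"
    return "relevant"

def triage_all(alerts, inventory=INVENTORY):
    verdicts = [(a.sid, triage(a, inventory)) for a in alerts]
    counts = {k: sum(1 for _, v in verdicts if v == k)
              for k in ("relevant", "irrelevant", "unknown")}
    return verdicts, counts

SAMPLE_ALERTS = [
    Alert(1001, "WEB-IIS traversal", "10.0.0.5", 80, "windows", "iis"),
    Alert(1001, "WEB-IIS traversal", "10.0.0.9", 80, "windows", "iis"),
    Alert(2002, "SSH version probe", "10.0.0.5", 22, None, "openssh"),
    Alert(3003, "SMB probe", "10.0.0.77", 445, "windows", "smb"),
]
```

Running `triage_all(SAMPLE_ALERTS)` shows the same IIS signature rated irrelevant against the Apache host and relevant against the IIS host, while the unseen host keeps its alert as unknown.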

  14. One more thing by martyroesch · · Score: 4, Informative
    IDS != IPS, IPS !>= IDS.

    Once again, with feeling:
    IDS is a network monitoring technology

    IPS is an access control technology

    We use IDS to let us know what's happening on our networks, how our policy is being enforced by our access control mechanisms and when there are security failures.

    We use IPS to "shoot down" attacks that are in flight before they can complete and affect the target.

    Confusing the two is the name of the game for IPS vendors because the FW vendors have deep pockets and the IPS guys didn't want to rock the boat at first. In-line network IPS is only useful as long as you have time to provision new detection signatures before attacks/worms come out; they are deterministic and therefore have a very tough time dealing with the unknown (and yes, I know they have the ability to do rate-based blocking in some cases, that's deterministic too). The natural progression for IPS technology is as a feature on a firewall, not as a stand-alone independent product; it's just an enhancement to access control technology after all. The natural progression of IDS will remain as a stand-alone product, or perhaps it will disappear into the infrastructure of the network itself (e.g. switches), but it is going to be a necessity as long as people need to have visibility into what's happening outside the purview of their access control technologies. In-line network IPS only watches/defends your peering points; NIDS monitors everything if deployed properly.

    To claim that IDS is "dead" is to basically say that people should put on blinders and only watch the peering points, not a very realistic proposition in my opinion. IPS is not a replacement for IDS; those who say so either don't understand the role of IDS or they're selling something.