Jason wrote:
My $.02
If you threshold the rules effectively suppressing until you get
multiple fires do you present evasion cases?
Yes, it's possible. I've seen few cases where a single web page full or
porn doesn't hit 3 or 4 times though, so the odds of hitting the
threshold are pretty good on bad traffic, and lower for legit traffic.
But you make a good point.
Will it really solve the problem? A website about the state of Virginia
is sure to fire even with threshold rules. What about virgin air?
Yes, that is true, and those are the falses I hope to eliminate. I am
tired of reading alerts about virginia, and stuff from WebMD. :) I would
hope that this will slow those down, but they'll not eliminate it
completely.
If you threshold to suppress after a number if hits for a period of time
do you create evasion cases? Hmmmm. I will browse to a Virginia site
first then go to virgin airways then go look at porn.
If you're really aware of and understand IDS, and know these rules are
running on your net, you'll realize this is easy to circumvent. Surf
through an ssl tunnel to an anonymizer, find sites with images only, or
bring in your own on a usb drive. :) There are many many ways around
all of these. The only people these catch are the really dumb ones. (No
offense intended if you have been caught :) ). If you're in an
environment where that's against policy and you do it anyway then you're
not likely the brightest bulb. Those would be the targets for these rules.
It seems inappropriate to threshold the rules since the acceptable level
of alerts and potential false positive and negative are a decision for
the administrator. I personally have come to believe that there should
be no official porn rules and they should me made a contrib at most.
There's value to that argument, but I disagree. I think the official
rules should have the basic rules for all categories. The local admin
should be making the choice to disable what they don't care about,
rather than have to read every rule to turn on what they want. Far fewer
opportunities for mistakes when you're turning off rather than turning on.
Can you elaborate on why you think the porn rules should be off by default?
Matt
-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
