Re: [Snort-users] Snort Tool Evaluation

Subject: Re: [Snort-users] Snort Tool Evaluation
Date: Wed, 29 Sep 2004 09:41:34 +0200
Hi Ty,

> I did read this book actually, and I'm not proclaiming it's a bible or
> anything.  In fact, it's little more than a tool reference, listing
> switches to the tools and options in the interfaces for third party
> tools related to snort.  But, it does cover a majority of the tools
> and this was why I was suggesting this to Jo.  To get a handle on the
> tools mentioned in this book related to snort and extract pro's and
> con's for using each one.

But even this is not a good survey at all. Only ACID and SnortCenter
are mentioned in some more detail. But most of it covers the topic of
how to install it and the basic usage. There are better guides for
free out there.

The really interesting parts, like performance optimization or for
example how to use ACID effectively, are missing or by far too short.

The additional tools for snort IDS management in chapter 12 are
mostly only mentioned, mostly with a screenshot, covering less than
a page for each tool. It does not mention any advantages or
disadvantages of the tools at all. This is not really useful except
that the tools were mentioned...

The author does not even mention the memory mapped version
of libpcap for linux. The usage of taps for monitoring a
network is limited to one sentence where their existence is
stated.

The set of rule options is incomplete and does not mention newer
ones like byte_test, byte_jump, isdataat, distance, within, ....

The given rule options are described as precisely as in the manual
that comes with snort. So if you don't understand them there, then
this doesn't help you in any sense.

The recommendation for most rules and preprocessors is to
disable them if they generate too many false positives.

Or, really funny, are the lists of where rules are disabled and
how to do this: simply put a # at the beginning of a line.

But showing 30 lines with a disabled default flow-portscan
preprocessor like this is really a waste of paper:

---
... This preprocessor is disabled by default (it can still be
considered as test code). The lines will look something like
this:

# preprocessor flow-portscan: \
#       talker-sliding-scale-factor 0.50 \
#       talker-fixed-threshold 30 \
#       talker-sliding-threshold 30 \
#       talker-sliding-window 20 \
#       talker-fixed-window 30 \
#       scoreboard-rows-talker 30000 \
#       server-watchnet [10.2.0.0/30] \
#       server-ignore-limit 200 \
#       server-rows 65535 \
#       server-learning-time 14400 \
#       server-scanner-limit 4 \
#       scanner-sliding-window 20 \
#       scanner-sliding-scale-factor 0.50 \
#       scanner-fixed-threshold 15 \
#       scanner-sliding-threshold 40 \
#       scanner-fixed-window 15 \
#       scoreboard-rows-scanner 30000 \
#       src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#       dst-ignore-net [10.0.0.0/30] \
#       alert-mode once \
#       output-mode msg \
#       tcp-penalties on
---

This is what I call ugly. And all the other parts are similar
to this; there are many printings of default snort.conf passages
and so on.

Or disabling all preprocessors and rules which would look for traffic
which could not pass a firewall is really ugly. Or can you ensure that
a firewall works perfectly without any errors?
 
> I also did read Snort 2.1 Intrusion Detection Second Edition Upgrade
> and yes, I must concur with and second your opinion.  There is no
> better reference or doc that covers snort in all the ways that an
> admin needs to know.

Oh, I think there are more good books on snort out there but the
O'Reilly book is definitely not a good one. I don't understand
O'Reilly here, normally they have very good books and most of the
time - like this time - I buy their books blindly. This one is not
worth the money...

Best regards

Dirk
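The rule options Dirk says the book leaves out (byte_test, byte_jump, isdataat, distance, within) are easiest to understand by tracing them against a payload. What follows is an added example for this page, not code from the original post, from Dirk, or from Snort itself: a small Python model of how those options move the "detect offset end" cursor over a raw payload, following the semantics the Snort 2.x manual gives (offset/depth and distance/within bound the search window, byte_jump lands just past the bytes it read plus the value read, isdataat:N requires that a byte exists at offset N). The PROTO message layout, the shutdown rule, and the names match_rule, build_message and SHUTDOWN_RULE are all invented for the illustration.

```python
"""Toy model of Snort 2.x payload rule options walking a packet payload.

Added illustration, not Snort's detection engine. The message format
(PROTO | 2-byte big-endian name length | name | CMD: | command) and the
rule below are made up for the demo.
"""

# byte_test comparison operators (Snort's "!" negation is left out)
OPS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "&": lambda a, b: (a & b) != 0,
    "^": lambda a, b: (a ^ b) != 0,
}


def _read_uint(payload, pos, nbytes, big_endian=True):
    """Unsigned integer of nbytes at pos, or None if it runs off the payload."""
    if pos < 0 or pos + nbytes > len(payload):
        return None
    return int.from_bytes(payload[pos:pos + nbytes], "big" if big_endian else "little")


def match_rule(payload, options):
    """Evaluate the option chain left to right; every option must match."""
    doe = 0  # detect-offset-end: where the previous content match ended
    for name, arg in options:
        if name == "content":
            if arg.get("relative"):
                # distance: skip N bytes past doe; within: the pattern must
                # lie entirely inside the next N bytes from that point
                start = doe + arg.get("distance", 0)
                within = arg.get("within")
                end = len(payload) if within is None else start + within
            else:
                start = arg.get("offset", 0)
                depth = arg.get("depth")
                end = len(payload) if depth is None else start + depth
            if start < 0:
                return False  # negative distance before the buffer start
            pos = payload.find(arg["pattern"], start, end)  # must fit in [start, end)
            if pos < 0:
                return False
            doe = pos + len(arg["pattern"])
        elif name == "byte_test":
            base = doe if arg.get("relative") else 0
            value = _read_uint(payload, base + arg.get("offset", 0), arg["bytes"],
                               arg.get("big_endian", True))
            if value is None or not OPS[arg["op"]](value, arg["value"]):
                return False
        elif name == "byte_jump":
            base = doe if arg.get("relative") else 0
            pos = base + arg.get("offset", 0)
            value = _read_uint(payload, pos, arg["bytes"], arg.get("big_endian", True))
            if value is None:
                return False
            # cursor lands just past the bytes read, plus the value read
            doe = pos + arg["bytes"] + value * arg.get("multiplier", 1) + arg.get("post_offset", 0)
            if doe >= len(payload):
                return False  # jumped outside the payload
        elif name == "isdataat":
            base = doe if arg.get("relative") else 0
            if base + arg["n"] >= len(payload):
                return False  # no byte at that offset
        else:
            raise ValueError(f"unsupported option: {name}")
    return True


# Equivalent Snort rule body (invented for the demo):
#   content:"PROTO"; depth:5;
#   byte_test:2,<,200,0,relative;             length field must be below 200
#   byte_jump:2,0,relative;                   skip the length field and the name
#   content:"CMD:"; distance:0; within:4;     "CMD:" must follow immediately
#   isdataat:7,relative;                      a command of at least 8 bytes follows
#   content:"shutdown"; distance:0; within:8;
SHUTDOWN_RULE = [
    ("content", {"pattern": b"PROTO", "depth": 5}),
    ("byte_test", {"bytes": 2, "op": "<", "value": 200, "offset": 0, "relative": True}),
    ("byte_jump", {"bytes": 2, "offset": 0, "relative": True}),
    ("content", {"pattern": b"CMD:", "relative": True, "distance": 0, "within": 4}),
    ("isdataat", {"n": 7, "relative": True}),
    ("content", {"pattern": b"shutdown", "relative": True, "distance": 0, "within": 8}),
]


def build_message(name, command, filler=b"", claimed_len=None):
    """Constructed demo message; filler/claimed_len let us build bad inputs."""
    length = len(name) if claimed_len is None else claimed_len
    return b"PROTO" + length.to_bytes(2, "big") + name + filler + b"CMD:" + command


if __name__ == "__main__":
    samples = {
        "valid shutdown": build_message(b"alice01", b"shutdown"),
        "short name": build_message(b"bob", b"shutdown"),
        "other command": build_message(b"alice01", b"restart!"),
        "junk before CMD (fails within:4)": build_message(b"alice01", b"shutdown", filler=b"XX"),
        "bogus length (fails byte_test)": build_message(b"alice01", b"shutdown", claimed_len=300),
    }
    for label, payload in samples.items():
        print(f"{label:36s} -> {match_rule(payload, SHUTDOWN_RULE)}")
```

The two negative samples are the ones the options are for: without byte_test the bogus length field would send byte_jump off the end of the payload, and without within:4 the "junk before CMD" message would still match, because a plain relative content search would find "CMD:" further along. That is the kind of behaviour a reference on these options has to spell out.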


