Network Security Snort-Users

[Snort-users] Testing Snort with Blade IDS Informer

Subject: [Snort-users] Testing Snort with Blade IDS Informer
Date: Wed, 27 Apr 2005 19:47:53 +0200

Hello,

I am writing a bachelor thesis about network intrusion detection in general 
and Snort in particular. I set up a Snort-based sensor in a real network.

Now I have recently tested my Snort sensor (using Snort 2.3.2 and the latest Snort 
rules) with Blade Software's IDS Informer demo version.

However, I was a bit disappointed by the results. Besides the Back Orifice 
and the two portscan attempts, my sensor didn't detect any of the 
remaining 7 attacks provided by IDS Informer.

In detail, it didn't detect:
 - TCP DNS Zone Transfer
 - Smurf DOS attempt
 - finger search
 - IIS Unicode Traps
 - IIS htr Buffer Overflow
 - rpc.statd exploit
 - traceroute attempt

I have checked the rules and don't have any clue why my sensor didn't 
detect these attacks. At least from reading the rule descriptions, I am of the 
opinion that Snort should detect all of these attacks.

For example, I have looked at the rule for the htr Buffer Overflow. In my 
opinion the rule "WEB-IIS ism.dll attempt" should be triggered by this attack. 
The rule searches for ".htr" in the packets with uricontent. Looking into the 
tcpdumps of the IDS Informer simulated attack, I see the pattern "!.htr". 

Has someone else on this list tested his sensor(s) with IDS Informer? Were the 
results the same as mine? 

I have also tested my sensor by generating malicious traffic with hping2 and 
fragroute. The detection engine detected those events. Furthermore, I am already 
running my sensor on real network traffic, and it has already reported incidents.

Thank you for your help,
Holger

-- 
Holger Mense
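The post asks why a rule whose uricontent pattern (".htr") is plainly a substring of what the capture shows ("!.htr") never fired. When a Snort rule does not alert on traffic that appears to contain its pattern, the usual suspects are the rule header rather than the payload option: the $EXTERNAL_NET/$HTTP_SERVERS variables, the $HTTP_PORTS list, and the flow direction all have to match before any content test is even evaluated. The script below is an added example written for this thread, not code from the post or from the Snort project; it is a deliberately simplified re-implementation of how a single rule's header and uricontent/content options are checked, so one can replay test traffic against a rule by hand. The rule text, the snort.conf variable values and the sample requests are all constructed assumptions, and the URI normalisation is a rough stand-in for what http_inspect does.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumed lab values for the snort.conf variables; the post does not give them.
VARS = {
    "$EXTERNAL_NET": "!10.0.0.0/8",
    "$HTTP_SERVERS": "10.0.0.0/8",
    "$HTTP_PORTS": "80",
}

# Hypothetical rule written to resemble the "WEB-IIS ism.dll attempt" signature
# named in the post; the real rule's full option list is not on the page.
RULE = ('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
        '(msg:"WEB-IIS ism.dll attempt"; flow:to_server,established; '
        'uricontent:".htr"; nocase; sid:900001; rev:1;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Split a one-line Snort rule into header fields and an ordered option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    action, proto, src, sport, dst, dport, body = m.groups()
    options = []
    for opt in body.split(";"):          # good enough for rules without ';' in msg
        opt = opt.strip()
        if not opt:
            continue
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip().strip('"')))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}


def net_matches(spec, ip):
    """Resolve a $VAR or CIDR (optionally negated with '!') and test an address."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def port_matches(spec, port):
    """Resolve a $VAR or comma-separated port list (optionally negated)."""
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    ports = {int(p) for p in spec.lstrip("!").split(",")}
    return (port in ports) != negate


def normalized_uri(request):
    """Pull the request-target out of the request line and percent-decode it.
    This is a simplified stand-in for http_inspect's URI normalisation."""
    first_line = request.split("\r\n", 1)[0]
    parts = first_line.split(" ")
    return unquote(parts[1]) if len(parts) >= 2 else ""


def rule_matches(rule, src_ip, dst_ip, dst_port, request):
    """True when the header constraints and every content/uricontent option match.
    Header checks come first: if they fail, payload content is never inspected."""
    if not (net_matches(rule["src"], src_ip) and net_matches(rule["dst"], dst_ip)
            and port_matches(rule["dport"], dst_port)):
        return False
    uri = normalized_uri(request)
    opts = rule["options"]
    for i, (name, value) in enumerate(opts):
        if name in ("uricontent", "content"):
            haystack = uri if name == "uricontent" else request
            # 'nocase' modifies the content option immediately preceding it
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            if nocase:
                haystack, value = haystack.lower(), value.lower()
            if value not in haystack:          # plain substring test, as uricontent does
                return False
    return True


# Constructed sample traffic (src, dst, dst_port, request); not captures from IDS Informer.
SAMPLES = [
    ("203.0.113.7", "10.1.1.20", 80, "GET /scripts/!.htr HTTP/1.0\r\nHost: www\r\n\r\n"),
    ("203.0.113.7", "10.1.1.20", 80, "GET /index.html HTTP/1.0\r\n\r\n"),
    ("203.0.113.7", "10.1.1.20", 8080, "GET /scripts/!.htr HTTP/1.0\r\n\r\n"),  # not in $HTTP_PORTS
    ("10.1.1.5", "10.1.1.20", 80, "GET /scripts/!.htr HTTP/1.0\r\n\r\n"),       # source inside $HTTP_SERVERS net
]


def evaluate(rule_text=RULE, samples=SAMPLES):
    """Return one boolean per sample: would the rule alert on it?"""
    rule = parse_rule(rule_text)
    return [rule_matches(rule, *s) for s in samples]


if __name__ == "__main__":
    for s, hit in zip(SAMPLES, evaluate()):
        print("ALERT" if hit else "  -  ", f"{s[0]} -> {s[1]}:{s[2]}", s[3].split("\r\n")[0])
```

The first sample, whose URI contains "!.htr", matches: the substring test does not care about the leading "!", so the payload pattern itself is not what suppressed the alert. The third and fourth samples carry the same URI and still produce no alert, because the destination port is outside $HTTP_PORTS and the source address falls inside the network the rule's $EXTERNAL_NET excludes. Those are exactly the header conditions worth re-checking (together with the ports http_inspect is configured to decode) when replaying a test tool's traffic from a host inside the monitored network.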

