
Re: [Snort-sigs] Ultimate Rule List

From: David Wilburn <bug(at)gecko.roadtoad.net>
Date: Mon May 19 2003 - 12:55:05 EDT

On Mon, May 19, 2003 at 07:47:25AM -0700, Greg Powell wrote:
> In theory is there an ultimate rule set that could be written to reduce

First off, an IDS does not block anything, it detects things. If you are using some sort of active response or automatic filtering in your NIDS without EXTREME care, you need to get your head examined.

Secondly, your rules will need to be tuned properly for your environment, so there is no single "ultimate rule set." There will be rules that are on by default in the snort rules that are inappropriate in your environment. Try seeing if there are a handful of hosts responsible for the vast majority of your false positives, and use Snort variables to have your ruleset ignore those hosts for the rules that generate the false positives. Consider disabling some of the rules outright, if filtering isn't practical for your needs. You might find that the regular old Snort ruleset works quite well for you if you spend just a bit of time tuning it.

There would be a cpu/memory tradeoff, certainly. However, the biggest tradeoff would be in terms of rule flexibility in catching modified or wholly unknown attack tools.

With a signature-based IDS, you've basically got two choices: 1) make your signatures very specific to the known exploits, or 2) make your signatures general enough that they can catch modified or unknown attack tools.

With #1, you will generally have a lower false positive rate, but also a higher false negative rate (meaning you just won't catch modified or unknown tools). It would be trivial for a bad guy to slightly modify the exploits to work around the signatures, or to use one of several publicly available tools for automatically altering the exploit. You won't catch anyone but the script kiddies.

With #2, often you'll target your signatures to look for accesses of vulnerable functions, or more generic oddities. You'll probably get a higher false positive rate, but you'll also probably have a much greater chance of catching modified attack tools or previously unknown attack methods. There's no guarantee, of course, and anyone with half a brain accepts the fact that no IDS will ever catch the "really really really bad guys," but at least you've got a leg up on the folks who are slightly more evolved than hamsters and script kiddies (but I repeat myself).


It varies from rule to rule, of course, but most of the official rules appear to me to follow method #2.

-Dave
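The two points Dave makes above (a generic "access to the vulnerable function" signature catches modified tools at the cost of false positives, and those false positives can be tuned away with a host variable rather than by disabling the rule) can be shown with a small toy matcher. This is an added example, not code from the original post or from the Snort project. It mimics two Snort features in miniature: ordered `content:` matching and a `!$VAR` source-host exclusion in the rule header. The CGI path, exploit strings, hosts and traffic are all constructed for illustration and do not refer to any real vulnerability.

```python
"""Toy signature matcher: specific vs. generic rules, and host-variable tuning.

Added example illustrating the tradeoffs from the mailing-list post above.
All hosts, paths and payloads below are constructed; nothing is a real capture.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    src: str        # source IP of the request
    dst: str        # destination IP
    payload: bytes  # application-layer bytes the sensor would inspect


@dataclass(frozen=True)
class Rule:
    name: str
    # Byte patterns that must ALL occur, in order (like chained Snort content: matches).
    contents: Tuple[bytes, ...]
    # Name of a variable listing source hosts/networks to ignore (analogue of !$VAR).
    src_not: Optional[str] = None


def matches(rule: Rule, event: Event, variables: Dict[str, List[str]]) -> bool:
    """True if the rule fires on the event under the given variable bindings."""
    # Host exclusion is evaluated first, as the rule header would be in Snort.
    if rule.src_not is not None:
        for net in variables.get(rule.src_not, []):
            if ipaddress.ip_address(event.src) in ipaddress.ip_network(net, strict=False):
                return False
    # Ordered content matching: each pattern must appear after the previous one.
    pos = 0
    for pat in rule.contents:
        idx = event.payload.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def run_rules(events: List[Event], rules: List[Rule],
              variables: Dict[str, List[str]]) -> Dict[str, List[int]]:
    """Return {rule name: [indices of events on which it fired]}."""
    hits: Dict[str, List[int]] = {r.name: [] for r in rules}
    for i, ev in enumerate(events):
        for r in rules:
            if matches(r, ev, variables):
                hits[r.name].append(i)
    return hits


# Constructed traffic. /cgi-bin/example.cgi is a hypothetical vulnerable CGI.
SAMPLE_EVENTS = [
    # 0: the known attack tool, byte-for-byte
    Event("10.0.0.5", "192.168.1.10",
          b"GET /cgi-bin/example.cgi?cmd=%0a/bin/cat%20/etc/passwd HTTP/1.0"),
    # 1: the same tool with a trivial modification
    Event("10.0.0.5", "192.168.1.10",
          b"GET /cgi-bin/example.cgi?cmd=%0a/bin/cat%20/etc/shadow HTTP/1.0"),
    # 2: unrelated benign traffic
    Event("10.0.0.9", "192.168.1.10", b"GET /index.html HTTP/1.0"),
    # 3, 4: an internal monitoring host legitimately polling the vulnerable CGI
    Event("10.0.0.7", "192.168.1.10", b"GET /cgi-bin/example.cgi?cmd=status HTTP/1.0"),
    Event("10.0.0.7", "192.168.1.10", b"GET /cgi-bin/example.cgi?cmd=status HTTP/1.0"),
]

# Method #1: signature keyed to the exact exploit string.
SPECIFIC = Rule("specific", (b"/cgi-bin/example.cgi?cmd=", b"%0a/bin/cat%20/etc/passwd"))
# Method #2: signature on any access to the vulnerable function.
GENERIC = Rule("generic", (b"/cgi-bin/example.cgi",))
# Method #2, tuned: same signature, but ignore sources listed in FP_HOSTS.
GENERIC_TUNED = Rule("generic-tuned", (b"/cgi-bin/example.cgi",), src_not="FP_HOSTS")
TUNING_VARS = {"FP_HOSTS": ["10.0.0.7"]}


def summary() -> Dict[str, List[int]]:
    """Run all three rules over the constructed traffic and return which events fired."""
    out = {}
    out.update(run_rules(SAMPLE_EVENTS, [SPECIFIC, GENERIC], {}))
    out.update(run_rules(SAMPLE_EVENTS, [GENERIC_TUNED], TUNING_VARS))
    return out


if __name__ == "__main__":
    for name, idx in summary().items():
        print(f"{name:14s} fired on events {idx}")
```

The specific rule fires only on event 0 and silently misses the one-byte variant in event 1 (the false negative the post warns about); the untuned generic rule catches both but also fires twice on the monitoring host; the tuned rule keeps the catch and drops the noise. In Snort 2.x rule syntax the tuned form corresponds to declaring `var FP_HOSTS [10.0.0.7]` and writing the header as `alert tcp !$FP_HOSTS any -> $HTTP_SERVERS 80 (...)`, which is the variable-based exclusion Dave recommends before resorting to disabling the rule.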




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Mon May 19 13:36:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:28 EDT

