Re: [Snort-users] How does snort do packet signature detection?

From: Matt Kettler <mkettler(at)evi-inc.com>
Date: Thu Oct 02 2003 - 13:20:30 EDT

At 11:32 AM 10/2/2003, Chhabria, Kavita - Apogent wrote:
>Can somebody please explain to me, in simple words, what a packet signature is

Snort can inspect a wide variety of things about a packet: header fields, port numbers, and flags. It can also do text searches on the packet data, and it can track the state of TCP connections.

In simplified terms, typical IDS signatures look for things like:

  alert on anything from any port to tcp port 80, which is flowing to a server, which contains the string "/bin/sh"

This would look for someone sending a request to your webserver containing /bin/sh, which is typical of a shell exploit of some sort.

But the signatures can be written to look for just about anything, and are written from the study of exploitation of specific kinds of vulnerabilities: common techniques for exploiting webservers, mailservers, and DNS servers, as well as some generic rules that look for typical exploit payloads like NOP sleds, execution of shells, etc.
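To make the "tcp port 80, to server, contains /bin/sh" example concrete, here is an added example (not part of the original message, and not Snort's own code) that writes that signature in Snort rule syntax and then runs a deliberately simplified matcher over a handful of constructed packets. The rule text, the `$HOME_NET` addresses, the packet records and the `rule_matches`/`parse_rule` helpers are all assumptions made for this illustration; real Snort parses a much richer option language and derives flow state from its TCP stream tracker rather than from a flag on each packet.

```python
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Constructed packet record: the fields a signature of this kind inspects."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool   # flow direction; Snort gets this from its TCP state tracking
    payload: bytes


# The signature from the message, written in Snort rule syntax (constructed example).
# msg/sid/rev are documentation and bookkeeping; flow + content are the actual checks.
RULE = ('alert tcp any any -> $HOME_NET 80 '
        '(msg:"WEB-ATTACKS /bin/sh access"; flow:to_server,established; '
        'content:"/bin/sh"; nocase; sid:1000001; rev:1;)')

# Assumed value for the $HOME_NET variable (your webserver addresses).
HOME_NET = {"10.0.0.5", "10.0.0.6"}

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')


def parse_rule(text):
    """Minimal rule parser: header fields plus 'key:value;' options.

    Simplification: options are split on ';', so a content pattern that
    itself contains ';' is not handled (Snort's parser does handle that).
    """
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unrecognised rule header")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    if direction != '->':
        raise ValueError("only unidirectional '->' rules are modelled here")
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        options[key.strip()] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, options=options)


def _addr_match(spec, addr):
    if spec == 'any':
        return True
    if spec == '$HOME_NET':
        return addr in HOME_NET
    return spec == addr


def _port_match(spec, port):
    return spec == 'any' or int(spec) == port


def rule_matches(rule, pkt):
    """Apply header checks, then flow direction, then the content search."""
    if rule['proto'] != pkt.proto:
        return False
    if not (_addr_match(rule['src'], pkt.src) and _port_match(rule['sport'], pkt.sport)):
        return False
    if not (_addr_match(rule['dst'], pkt.dst) and _port_match(rule['dport'], pkt.dport)):
        return False
    opts = rule['options']
    flow = opts.get('flow', '')
    # 'established' is assumed true for every constructed packet below.
    if 'to_server' in flow and not pkt.to_server:
        return False
    if 'to_client' in flow and pkt.to_server:
        return False
    needle = opts.get('content', '').encode()
    haystack = pkt.payload
    if 'nocase' in opts:
        needle, haystack = needle.lower(), haystack.lower()
    return needle in haystack


# Constructed traffic: only packets 0 and 4 should trigger the rule.
SAMPLE_PACKETS = [
    Packet('tcp', '192.0.2.10', 51514, '10.0.0.5', 80, True,
           b'GET /cgi-bin/test.cgi?cmd=/bin/sh HTTP/1.0\r\n\r\n'),   # classic hit
    Packet('tcp', '192.0.2.10', 51515, '10.0.0.5', 80, True,
           b'GET /index.html HTTP/1.0\r\n\r\n'),                      # benign
    Packet('tcp', '10.0.0.5', 80, '192.0.2.10', 51514, False,
           b'HTTP/1.0 200 OK\r\n\r\n/bin/sh'),                        # string in reply: flow says no
    Packet('tcp', '192.0.2.10', 51516, '10.0.0.5', 8080, True,
           b'/BIN/SH'),                                               # wrong port
    Packet('tcp', '192.0.2.10', 51517, '10.0.0.5', 80, True,
           b'/BIN/SH'),                                               # nocase catches this
]


def run(rule_text, packets):
    """Return the indices of packets the rule would alert on."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


if __name__ == '__main__':
    print(run(RULE, SAMPLE_PACKETS))   # [0, 4]
```

Packet 2 is the instructive one: the string is present, but `flow:to_server` keeps a server reply from alerting, which is exactly why the message lists connection-state tracking alongside plain text searching.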

Received on Thu Oct 2 13:35:32 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:12:57 EDT
