Monday, January 07, 2008

Snort Report 12 Posted

My 12th Snort Report titled Snort Frequently Asked Questions is posted. From the start of the article:

Service provider takeaway: Snort isn't perfect. In this tip, service providers will learn the answers to frequently asked questions about Snort's usage and limitations.

In this edition of the Snort Report, I address some of the questions frequently asked by service providers who are users or potential users of Snort. I say "potential users" because some people hear about Snort and wonder if it can solve a particular problem. Here I hope to provide realistic expectations for service providers using Snort.


Again, please note I did not write the words "Snort isn't perfect." The editor did. This is one of the aspects of the Snort Report I do not control. In this article I address these questions.

  1. Can I use Snort to protect a network from denial-of-service attacks?

  2. Can Snort decode encrypted traffic?

  3. Can Snort detect layer 2 attacks?

  4. Can Snort log flows or sessions?

  5. Can Snort rebuild content from traffic?


If you like this article and have your own Snort questions, please post them here as comments. Thank you.

4 comments:

Jared Evans said...

I'm a fan of your network security blog.

Do you know of any recent updates about running Snort_inline on a FreeBSD bridge? It's my understanding that FreeBSD as it currently stands isn't capable of sending packets to Snort_inline when the machine is configured as a bridge.

It would be an ideal combination!

Richard Bejtlich said...

Jared,

I recommend submitting your question here:

http://www.inliniac.net/blog/

I agree -- it would be great.

Michael Cloppert said...

Richard,

I'd love to know why Snort can still not handle gzip-compressed HTML content. The AV industry seems to have solved this for scanning a file, I'm not sure why Sourcefire cannot for scanning a TCP session. This may impact inline protection, but should at least be available for out-of-band detection, and represents a major detection gap.

Rgds,
Michael
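As an added illustration (not code from the post, from Snort, or from Sourcefire) of the gap Michael describes, the Python below matches a content signature against a constructed HTTP response two ways: once on the raw bytes, the way an engine with no decoding sees them, and once after honoring `Content-Encoding: gzip` and inflating the body under a size cap. The HTML, the `EVIL_MARKER_PLACEHOLDER` string and the cap are all constructed for the example.

```python
"""Signature matching against gzip-encoded HTTP bodies.

Added example, not part of the original blog post or of Snort.
All sample data below is constructed for illustration.
"""
import gzip
import zlib

# Constructed sample page; the marker stands in for whatever byte
# pattern a content rule would look for (it is not a real exploit).
SIGNATURE = b"EVIL_MARKER_PLACEHOLDER"
PLAIN_HTML = (
    b"<html><body>" + b"<p>filler text</p>" * 20
    + b"<script>EVIL_MARKER_PLACEHOLDER()</script></body></html>"
)


def build_response(body: bytes, compress: bool) -> bytes:
    """Build a minimal HTTP/1.1 response, optionally gzip-encoded."""
    payload = gzip.compress(body) if compress else body
    headers = [b"HTTP/1.1 200 OK", b"Content-Type: text/html"]
    if compress:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: %d" % len(payload))
    return b"\r\n".join(headers) + b"\r\n\r\n" + payload


def split_response(raw: bytes):
    """Split a response into a lower-cased header dict and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_body(headers, body: bytes, max_decoded: int = 1_000_000):
    """Return (decoded_body, truncated) as a browser would see the body.

    Only gzip is handled. Output is capped so that a deliberately inflated
    stream (a "decompression bomb") cannot exhaust the inspector's memory;
    whatever was inflated before the cap is still returned for matching.
    """
    if headers.get(b"content-encoding", b"").lower() != b"gzip":
        return body, False
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip wrapper
    try:
        out = d.decompress(body, max_decoded)
    except zlib.error:
        return b"", True  # corrupt or truncated stream: nothing reliable to inspect
    if not d.eof:
        return out, True  # hit the cap (or stream incomplete) before the end
    return out + d.flush(), False


def naive_match(raw: bytes) -> bool:
    """Content match on the raw wire bytes, with no decoding at all."""
    _, body = split_response(raw)
    return SIGNATURE in body


def decoding_match(raw: bytes, max_decoded: int = 1_000_000) -> bool:
    """Content match after reversing the transfer encoding."""
    headers, body = split_response(raw)
    decoded, _truncated = decode_body(headers, body, max_decoded)
    return SIGNATURE in decoded


if __name__ == "__main__":
    for compressed in (False, True):
        raw = build_response(PLAIN_HTML, compressed)
        print(f"gzip={compressed}: raw-bytes match={naive_match(raw)}, "
              f"decoded match={decoding_match(raw)}")
```

The raw-byte match succeeds only on the uncompressed response; once the server gzips the page the same rule sees Huffman-coded deflate output and misses. Decoding before matching closes that gap, and the output cap is the price of doing it safely on an inspection box that cannot afford to inflate an adversary-chosen stream without limit.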

Jared Evans said...

Thanks for the lead! I just asked the same thing over there.