[TriLUG] best place for Snort signatures?
Mike Johnson
mike at enoch.org
Thu Dec 2 23:09:18 EST 2004
Aaron S. Joyner wrote:
> What would you recommend instead, friendly security Guru? :) (You're
> not allowed to just leave it hangin' like that... ) :)
So there's signature based IDSs and anomaly based IDSs. Signature based
IDSs are only as good as their signatures. Until recently, I used to
think this was good enough. I know it sounds awfully theoretical, that
something might end up on your network that there wasn't a signature
for, but I've seen it. I've seen stuff appear on a network that even
the virus vendors don't have signatures for. Anomaly (behavior) based
IDSs don't require your signatures to be up to date. They detect bad
behavior, an email program attempting to invoke a shell, for instance.
Of course, that usually requires the software to be running on a host.

Now, the problem with anomaly based IDSs is they have to learn, they
have to be trained. A signature based IDS can be immediately effective.
You put one into place and it'll start doing its thing. And if you do
keep them up to date, they'll do a pretty good job. But you must be
careful, put the wrong signature in place and you get a lot of false
positives. Worse, you get a lot of false negatives, while feeling that
you've somehow improved your security.

Unfortunately, I'm not aware of any free or open source anomaly based
IDSs. But don't go the signature based IDS route with closed eyes.
They really are only as good as their signatures. You should also keep
in mind that they have no history. You cannot install a new signature
and ask 'have I seen this behavior before?' My suggestions for open
source IDS are threefold: snort, tripwire, and argus. Snort is a very
solid IDS with a good community and a wide variety of signatures.
Tripwire will act, somewhat, as an anomaly based IDS. It can detect
changes in files that a signature based IDS wouldn't catch. And third,
argus, can sort of act as a network anomaly based IDS. It can be used
to look for patterns, it can be used with snort, and it can be used to
ask 'after the fact' questions. You can look back in time and see if
any of your servers connected, or attempted to connect, to a certain
network port, or a certain server. Say you see a list posted of
compromised webhosts that are used as relays for intruders to download
additional malware. Combine snort and argus and you can detect if you
had a system respond to the intrusion attempt. With argus, you can also
look for responses. Check if an incoming response to port 80 is met
with a response.

Like all things security, IDS should be done in layers. Don't throw
snort out there and think you're done -- you aren't. It's not the be
all, end all, and there -is- maintenance. If you don't keep those
signatures up to date, you -are- done.

Bad security is worse than no security.
Mike
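An added example, not from Mike's post or from the argus project: a small Python script that asks the 'after the fact' questions above over flow records, namely which internal hosts connected (or tried to) to a posted list of relay hosts, and whether an incoming connection to port 80 was met with a response. The CSV column layout and the 10.0.0.0/8 internal range are assumptions, and the flow records and watchlist are constructed for the example.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed flow records (not real argus output; the column layout is an
# assumption): start time, protocol, source, sport, destination, dport,
# packets sent by the source, packets sent back by the destination.
SAMPLE_FLOWS = """\
stime,proto,saddr,sport,daddr,dport,spkts,dpkts
2004-12-02 22:01:07,tcp,10.0.0.15,51234,203.0.113.9,80,6,5
2004-12-02 22:03:41,tcp,10.0.0.22,40011,198.51.100.77,80,3,0
2004-12-02 22:05:12,tcp,10.0.0.15,51240,203.0.113.9,443,1,0
2004-12-02 22:09:58,tcp,192.0.2.44,3344,10.0.0.80,80,4,4
2004-12-02 22:11:03,udp,10.0.0.22,5353,10.0.0.1,53,2,2
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumption: the network being watched

def parse_flows(text):
    """Parse CSV flow records into dicts with typed address and count fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["saddr"], row["daddr"] = ip_address(row["saddr"]), ip_address(row["daddr"])
        for key in ("sport", "dport", "spkts", "dpkts"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def answered(flow):
    """True when the destination sent at least one packet back: the attempt
    was met with a response rather than being dropped or going unanswered."""
    return flow["dpkts"] > 0

def outbound_to(flows, watchlist, port=None):
    """Look back in time: which internal hosts connected, or tried to, to a
    watchlisted server (optionally on one port)? Each hit records whether
    the server actually responded."""
    targets = {ip_address(h) for h in watchlist}
    return [(f["stime"], str(f["saddr"]), str(f["daddr"]), answered(f))
            for f in flows
            if f["saddr"] in INTERNAL and f["daddr"] in targets
            and (port is None or f["dport"] == port)]

def inbound_answered(flows, port):
    """Did any internal host answer an incoming connection to this port?"""
    return [(f["stime"], str(f["saddr"]), str(f["daddr"]))
            for f in flows
            if f["daddr"] in INTERNAL and f["saddr"] not in INTERNAL
            and f["dport"] == port and answered(f)]
```

Running `outbound_to(parse_flows(SAMPLE_FLOWS), ["203.0.113.9", "198.51.100.77"], port=80)` shows one host that completed a connection to a watchlisted relay and one whose attempt got no reply, the distinction the post draws between an attempt and a system actually responding.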