[HN Gopher] Snort - Network Intrusion Detection and Prevention S...
___________________________________________________________________
Snort - Network Intrusion Detection and Prevention System
Author : pmoriarty
Score : 40 points
Date : 2022-05-27 20:11 UTC (2 hours ago)
(HTM) web link (www.snort.org)
(TXT) w3m dump (www.snort.org)
| smashed wrote:
| How relevant is a rule based IDS in today's environment?
|
| With most everything fully encrypted, what's left for the rules
| to detect? If I remember correctly, one of the first performance
| optimizations recommended by snort/suricata is to detect and skip
| encrypted traffic, to not waste cpu cycles on random bits.
|
| If malware wants to exfiltrate data or receive commands from a
| remote command and control, won't it simply masquerade its
| traffic as regular outgoing https requests and bypass the IDS
| easily?
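A toy illustration of the skip-encrypted-traffic optimization the comment above describes, added here as an example; it is not code from the thread, from Snort or from Suricata. The rules, sample payloads and function names are constructed for the example: a payload that looks like a TLS record is never handed to the content rules, which also shows why those rules see nothing once the session is encrypted.

```python
# Added example, not from the thread or from Snort/Suricata: classify a
# payload as TLS by its record header and skip rule matching for it,
# applying simple content rules only to plaintext payloads.
from dataclasses import dataclass


@dataclass
class Rule:
    sid: int        # rule id, constructed for the example
    msg: str        # human-readable alert text
    pattern: bytes  # byte sequence that must appear in the payload


# Hypothetical content rules, constructed for this example.
RULES = [
    Rule(1000001, "HTTP request for /etc/passwd", b"GET /etc/passwd"),
    Rule(1000002, "Suspicious User-Agent", b"User-Agent: EvilBot"),
]


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a plausible TLS record header.

    Content types 0x14..0x17 (change_cipher_spec, alert, handshake,
    application_data); record-layer version 0x0300..0x0303 (SSL 3.0 to
    TLS 1.2; TLS 1.3 also writes 0x0303 in the record layer).
    """
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    return 0x14 <= ctype <= 0x17 and major == 0x03 and minor <= 0x03


def inspect(payload: bytes) -> list:
    """Return the SIDs of rules matching a plaintext payload.

    Encrypted payloads are skipped: byte patterns cannot match ciphertext,
    so matching them only burns CPU (and the IDS is blind to the content).
    """
    if is_tls_record(payload):
        return []
    return [r.sid for r in RULES if r.pattern in payload]


# Constructed sample payloads.
HTTP_PLAIN = (b"GET /etc/passwd HTTP/1.1\r\nHost: example.test\r\n"
              b"User-Agent: EvilBot\r\n\r\n")
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00"
# Application data carrying the same bytes: still skipped as encrypted.
TLS_APPDATA = bytes([0x17, 0x03, 0x03, 0x00, 0x10]) + b"GET /etc/passwd!"
```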
| xvector wrote:
| Ban outgoing encrypted traffic. Terminate TLS at the load
| balancer.
| midislack wrote:
| I used to run snort but I don't like the "buying rules" thing
| they do.
| floatinglotus wrote:
| [deleted]
| bikingbismuth wrote:
| As much as I love IDS, I am wondering the same.
| saul_goodman wrote:
| "I've heard of it, therefore everyone has heard of it"
| pmoriarty wrote:
| From HN's Guidelines[1]:
|
| _" On-Topic: Anything that good hackers would find
| interesting."_
|
| Also:
|
| _" Please don't complain that a submission is inappropriate.
| If a story is spam or off-topic, flag it."_
|
| [1] - https://news.ycombinator.com/newsguidelines.html
| GordonS wrote:
| Pretty sure I was using Snort literally about 20 years ago.
| Very strange.
| linsomniac wrote:
| Snort releasing 3.0 seems like news to me...
| teh_klev wrote:
| Snort 3 was released in January 2021:
|
| https://blog.snort.org/2021/01/snort-3-officially-
| released.h...
| fnordpiglet wrote:
| Even as someone who has used snort and has been aware of
| it for a long time I was surprised to read about the new
| release. Even if it's stale a lot of folks I guess are just
| being made aware! Btw, the blog you linked is a lot more
| informative than OP's post.
| graycat wrote:
| > Snort is the foremost Open Source Intrusion Prevention System
| (IPS) in the world. Snort IPS uses a series of rules that help
| define malicious network activity and uses those rules to find
| packets that match against them and generates alerts for users.
|
| At IBM's Watson lab, I tried _rules_ and was not thrilled.
|
| E.g., there was no way to know what the false alarm rate was or
| to adjust it or know what change in the false alarm rate a
| particular adjustment would make.
|
| And the rate of missed detections was also a problem. For that,
| for the highest possible detection rate, there is the Neyman-
| Pearson result, and we should at least try to do something
| similar in practice!
|
| And to write the rules, it appeared to need an _expert_ in the
| system being monitored.
|
| So I worked up some solutions, responses to these issues, with
| some math, and published.
|
| But the people using _rules_ are correct! Rules are what the
| market wants!
| tptacek wrote:
| This is one of the oldest problems in network security. Rule-
| based detection systems converge on antivirus's effectiveness
| (or lack thereof). But anomaly systems have almost universally
| failed in practice, no matter what the anomaly model is, and
| people have come up with lots of them. I can rattle off reasons
| why model-based systems are hard to operationalize.
| bikingbismuth wrote:
| The first major piece of software I ever wrote and pushed to
| production was a rules manager/updater for Suricata (essentially
| open source Snort). As someone who didn't have a CS background
| and was self taught, it felt momentous.
|
| I have since left that position so I can't see the code, but I am
| sure it was appalling. Even with that, I will also have a warm
| and fuzzy spot for Snort/Suricata.
| tssva wrote:
| I don't know that I would describe Suricata as "essentially
| open source Snort" since Snort itself is licensed under the
| GPLv2.
| 6502nerdface wrote:
| GP was probably referring to the closed rulesets:
| https://www.snort.org/products
| wswope wrote:
| Is Snort useful at all on a home network level? E.g. for
| detecting if some insecure embedded device on the network has
| been hacked and is spamming all the other devices with spray-and-
| prays?
|
| If not, is there a lighter IDS that would be? Curious to know
| what the SOTA options are for non-enterprise network security.
| kristianpaul wrote:
| Did you know that Luca Deri's NTOP project was intended first as a
| NIDS?
| tptacek wrote:
| I don't know that it started out that way, but it definitely
| was (and still is) a network security tool for people, and was
| part of a mid-aughts zeitgeist of flow-based detection tools.
| nonane wrote:
| Does anyone know of a good snort alternative? Any recommendations
| for a company that runs mainly off AWS?
| iamtheworstdev wrote:
| AWS network firewall loaded with suricata rules?
| linsomniac wrote:
| Please change title to "Snort 3.0 - Network Intrusion Detection
| and Prevention System" to make it clear there has been a new
| release.
| [deleted]
___________________________________________________________________
(page generated 2022-05-27 23:00 UTC)