[HN Gopher] Snort - Network Intrusion Detection and Prevention System
___________________________________________________________________
Snort - Network Intrusion Detection and Prevention System
Author : pmoriarty
Score  : 40 points
Date   : 2022-05-27 20:11 UTC (2 hours ago)
Link   : www.snort.org
| smashed wrote:
| How relevant is a rule-based IDS in today's environment?
|
| With most everything fully encrypted, what's left for the rules to detect? If I remember correctly, one of the first performance optimizations recommended by snort/suricata is to detect and skip encrypted traffic, to not waste cpu cycles on random bits.
|
| If a malware wants to exfiltrate data or receive commands from a remote command and control, won't they simply masquerade their traffic as regular outgoing https requests and bypass the IDS easily?
| xvector wrote:
| Ban outgoing encrypted traffic. Terminate TLS at the load balancer.
| midislack wrote:
| I used to run snort but I don't like the "buying rules" thing they do.
| floatinglotus wrote:
| [deleted]
| bikingbismuth wrote:
| As much as I love IDS, I am wondering the same.
| saul_goodman wrote:
| "I've heard of it, therefore everyone has heard of it"
| pmoriarty wrote:
| From HN's Guidelines[1]:
|
| _"On-Topic: Anything that good hackers would find interesting."_
|
| Also:
|
| _"Please don't complain that a submission is inappropriate. If a story is spam or off-topic, flag it."_
|
| [1] - https://news.ycombinator.com/newsguidelines.html
| GordonS wrote:
| Pretty sure I was using Snort literally about 20 years ago. Very strange.
| linsomniac wrote:
| Snort releasing 3.0 seems like news to me...
| teh_klev wrote:
| Snort 3 was released in January 2021:
|
| https://blog.snort.org/2021/01/snort-3-officially-released.h...
| fnordpiglet wrote:
| Even as someone who has used snort and has been aware of it for a long time I was surprised to read about the new release.
| Even if it's stale a lot of folks I guess are just being made aware! Btw, the blog you linked is a lot more informative than OP's post.
| graycat wrote:
| > Snort is the foremost Open Source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity and uses those rules to find packets that match against them and generates alerts for users.
|
| At IBM's Watson lab, I tried _rules_ and was not thrilled.
|
| E.g., there was no way to know what the false alarm rate was or to adjust it or know what change in the false alarm rate a particular adjustment would make.
|
| And the rate of missed detections was also a problem. For that, for the highest possible detection rate, there is the Neyman-Pearson result, and we should at least try to do something similar in practice!
|
| And to write the rules, it appeared one needed an _expert_ in the system being monitored.
|
| So I worked up some solutions, responses to these issues, with some math, and published.
|
| But the people using _rules_ are correct! Rules are what the market wants!
| tptacek wrote:
| This is one of the oldest problems in network security. Rule-based detection systems converge on antivirus's effectiveness (or lack thereof). But anomaly systems have almost universally failed in practice, no matter what the anomaly model is, and people have come up with lots of them. I can rattle off reasons why model-based systems are hard to operationalize.
| bikingbismuth wrote:
| The first major piece of software I ever wrote and pushed to production was a rules manager/updater for Suricata (essentially open source Snort). As someone who didn't have a CS background and was self taught, it felt momentous.
|
| I have since left that position so I can't see the code, but I am sure it was appalling. Even with that, I will also have a warm and fuzzy spot for Snort/Suricata.
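An added illustration of graycat's point above (not code from the thread, from Snort, or from graycat's published work): a hand-written rule has a false alarm rate you can only state once you have a model of benign traffic, and for a chosen false alarm rate the Neyman-Pearson lemma says the likelihood-ratio test is the detector with the highest detection rate. The model is an assumption constructed for the example: a benign host opens new outbound connections at a Poisson rate lam0 per minute and a compromised host spraying the LAN at a higher rate lam1; because the Poisson likelihood ratio is monotone in the count, the optimal test collapses to "alert if the count is at least k", and the same reduction holds for any model with a monotone likelihood ratio.

```python
import math

# Toy model (constructed assumption, not Snort's detection logic): per-minute
# new-connection counts are Poisson(lam0) for a benign host and Poisson(lam1)
# for a compromised one. The likelihood ratio p1(x)/p0(x) = (lam1/lam0)^x * const
# increases with x, so the Neyman-Pearson test is a threshold on the count.

def poisson_tail(lam: float, k: int) -> float:
    """P(X >= k) for X ~ Poisson(lam), computed as 1 - P(X <= k-1)."""
    cdf = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return 1.0 - cdf

def false_alarm_rate(lam0: float, k: int) -> float:
    """False alarm rate of the rule 'alert if count >= k' under the benign model."""
    return poisson_tail(lam0, k)

def np_threshold(lam0: float, alpha: float) -> int:
    """Smallest k whose false alarm rate under lam0 is at most alpha.
    By Neyman-Pearson, for this model no test with false alarm rate <= alpha
    has a higher detection rate than this threshold test."""
    if not 0.0 < alpha < 1.0:
        raise ValueError("alpha must be in (0, 1)")
    k = 0
    while poisson_tail(lam0, k) > alpha:
        k += 1
    return k

def detection_rate(lam1: float, k: int) -> float:
    """Probability the rule fires on a compromised host (the test's power)."""
    return poisson_tail(lam1, k)

if __name__ == "__main__":
    lam0, lam1, alpha = 2.0, 20.0, 0.01   # constructed rates and target false alarm rate
    expert_k = 4                           # a rule threshold picked by feel, FAR unknown until modelled
    print(f"expert rule k={expert_k}: false alarm rate {false_alarm_rate(lam0, expert_k):.4f}")
    k = np_threshold(lam0, alpha)
    print(f"NP threshold for alpha={alpha}: k={k}, "
          f"false alarm {false_alarm_rate(lam0, k):.4f}, detection {detection_rate(lam1, k):.4f}")
```

Changing alpha and re-running shows what graycat asked for: the false alarm rate that a given threshold adjustment buys, and the detection rate it costs.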
| tssva wrote:
| I don't know that I would describe Suricata as "essentially open source Snort" since Snort itself is licensed under the GPLv2.
| 6502nerdface wrote:
| GP was probably referring to the closed rulesets: https://www.snort.org/products
| wswope wrote:
| Is Snort useful at all on a home network level? E.g. for detecting if some insecure embedded device on the network has been hacked and is spamming all the other devices with spray-and-prays?
|
| If not, is there a lighter IDS that would be? Curious to know what the SOTA options are for non-enterprise network security.
| kristianpaul wrote:
| Did you know that Luca Deri's NTOP project was intended first as a NIDS?
| tptacek wrote:
| I don't know that it started out that way, but it definitely was (and still is) a network security tool for people, and was part of a mid-aughts zeitgeist of flow-based detection tools.
| nonane wrote:
| Does anyone know of a good snort alternative? Any recommendations for a company that runs mainly off AWS?
| iamtheworstdev wrote:
| AWS network firewall loaded with suricata rules?
| linsomniac wrote:
| Please change title to "Snort 3.0 - Network Intrusion Detection and Prevention System" to make it clear there has been a new release.
| [deleted]
___________________________________________________________________
(page generated 2022-05-27 23:00 UTC)