Re: IDS: Problem in snort 1.3
FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
------------------------------------------------------------------------------
>> Hi, I think there's a problem in the new NIDS called snort.
>> It reads and applies rules in order, but if one matches, the others
>> are not considered. Look at this example...
>> I put these two rules in order in my ruleset file
>
>Fabio, not a bug, but standard procedure. Most alerting/firewalling
>software operates like this. For example, FW-1 and Cisco ACLs
>both filter and log based on the same principle. If an event
>generates an alert, that event is then dropped and no longer
>compared to any other rules. The last thing you want is multiple
>emails of the same event.
True, but someone source-routing a PHF attack or running it through
fragrouter is a different event than just the PHF attack. If someone
configures their IDS to ignore certain types of attacks, then all
an attacker has to do to avoid the IDS is to make sure that portion
of the attack triggers first and is subsequently ignored. With Dragon,
every packet or data stream can have multiple events associated with
it.
Ron Gula
Network Security Wizards
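Ron's point about one packet carrying several events, as an added example that is not code from the thread, from Snort or from Dragon: a toy rule evaluator with constructed rule names that contrasts first-match alerting with evaluate-all alerting. The "pass" (ignore) rule, the packet fields and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Packet:
    src_route: bool = False   # IP source-routing option set
    fragmented: bool = False  # arrived as part of a fragmented stream
    uri: str = ""             # reassembled HTTP request URI


@dataclass
class Rule:
    action: str                        # "alert" or "pass" (ignore)
    name: str
    matches: Callable[[Packet], bool]


# Constructed rule set (hypothetical names), in rules-file order.
# The operator has chosen to ignore fragmented traffic, as in the thread.
RULES: List[Rule] = [
    Rule("pass",  "ignore fragmented traffic", lambda p: p.fragmented),
    Rule("alert", "IP source-routing option",  lambda p: p.src_route),
    Rule("alert", "WEB-CGI phf access",        lambda p: "/cgi-bin/phf" in p.uri),
]


def first_match(rules: List[Rule], pkt: Packet) -> List[str]:
    """Stop at the first rule that fires; a matching 'pass' rule means the
    packet leaves evaluation and nothing at all is reported for it."""
    for r in rules:
        if r.matches(pkt):
            return [r.name] if r.action == "alert" else []
    return []


def all_matches(rules: List[Rule], pkt: Packet) -> List[str]:
    """Evaluate every rule; one packet may carry several events."""
    return [r.name for r in rules if r.action == "alert" and r.matches(pkt)]


def compare(pkt: Packet) -> Tuple[List[str], List[str]]:
    """Return (first-match events, evaluate-all events) for one packet."""
    return first_match(RULES, pkt), all_matches(RULES, pkt)


if __name__ == "__main__":
    samples = [("plain phf", Packet(uri="/cgi-bin/phf")),
               ("source-routed phf", Packet(src_route=True, uri="/cgi-bin/phf")),
               ("fragmented phf", Packet(fragmented=True, uri="/cgi-bin/phf"))]
    for label, p in samples:
        print(label, compare(p))
```

The first-match column shows the thread's concern: the source-routed request reports only the routing option, and the fragmented one reports nothing, while evaluate-all still surfaces the phf access in both cases.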