30 Nov 2001 aturner   » (Journeyer)

Well I've figured out how I'm going to implement a performance fix for my new version of tcpreplay. Hopefully have that ready sometime next week.

I've also spent about 20 hours looking at Snort signatures this week. The web signatures (mostly), to be exact. Honestly, the more I read them, the more I've come to realize a simple fact:

99.9% of Snort signatures are pure crap.

Out of the 700 signatures I've read, they will either generate false positives like mad (Snort rarely looks for the attack; generally it just looks for the CGI/ASP/whatever that is vulnerable, so even if it is a perfectly valid request, you'll get an alarm.)

And the few times they do look for the attack, either their test is horribly broken or it's so easy to avoid (don't put the cgi parameter next to the ?) that the signature will only pick up script kiddies and morons.
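An added example to illustrate the two failure modes above (my code, not part of the original diary entry and not taken from any Snort rule set); the script name, parameter name and request lines are all constructed:

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTTP request lines (not captured traffic).
REQUESTS = [
    "GET /cgi-bin/example.cgi?file=report.txt HTTP/1.0",                 # legitimate use
    "GET /cgi-bin/example.cgi?file=../../etc/passwd HTTP/1.0",           # traversal attempt
    "GET /cgi-bin/example.cgi?x=1&file=..%2F..%2Fetc%2Fpasswd HTTP/1.0",  # same, parameter not first
    "GET /index.html HTTP/1.0",                                          # unrelated request
]

def sig_script_name(line):
    """Signature that only matches the vulnerable script's name: fires on every use."""
    return "/cgi-bin/example.cgi" in line

def sig_naive_attack(line):
    """Signature that looks for the attack but assumes the parameter sits right after '?'."""
    return "?file=../" in line

def sig_parsed(line):
    """Parse the request target, decode the query and inspect the parameter wherever it is."""
    try:
        _method, target, _version = line.split(" ", 2)
    except ValueError:
        return False
    parts = urlsplit(target)
    if parts.path != "/cgi-bin/example.cgi":
        return False
    # parse_qs percent-decodes values and handles any parameter order.
    for value in parse_qs(parts.query, keep_blank_values=True).get("file", []):
        if ".." in value.replace("\\", "/").split("/"):
            return True
    return False

def evaluate(requests=REQUESTS):
    """Return, per signature style, which of the sample requests would raise an alert."""
    checks = {"script_name": sig_script_name, "naive_attack": sig_naive_attack, "parsed": sig_parsed}
    return {name: [fn(r) for r in requests] for name, fn in checks.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:12s} {hits}")
```

The name-only check alerts on the legitimate first request, the naive content check misses the third request, and only the parsed check flags exactly the two traversal attempts.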

Honestly, I've been running snort for over a year now, and always thought it was a bit overzealous in reporting attacks, and now I know why. IMHO, the only reason to keep snort on my disk is because in sniffer mode, it has a nicer output than tcpdump. Oh well...

