Re: Automated IDS Signature Generator?

• Previous message: Kohlenberg, Toby: "RE: Automated IDS Signature Generator?"
• In reply to: quakeroats_at_hushmail.com: "Automated IDS Signature Generator?"
• Next in thread: Christian Kreibich: "Re: Automated IDS Signature Generator?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: <focus-ids@securityfocus.com>
Date: Wed, 18 Jun 2003 23:42:31 +0200

> Is there a utility/function/program that automatically generates an IDS
> signature based on a recording of a monitored exploit attempt?

It would be quite useless. For one thing, you must see more than one
attempt, since polymorphism is obviously an issue: so, you generally want a
signature which catches most forms of the attack. For another, you
definitely don't want it to generate false positives.

In other words you need to recognize a common pattern between different
exploits, and to avoid including legitimate traffic.

In other words, you need either a very good AI/datamining approach (still
working on it, sorry ;) or a very skilled analyst :)

Stefano

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------

• Previous message: Kohlenberg, Toby: "RE: Automated IDS Signature Generator?"
• In reply to: quakeroats_at_hushmail.com: "Automated IDS Signature Generator?"
• Next in thread: Christian Kreibich: "Re: Automated IDS Signature Generator?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]