Re: Snort signature packet generator
From: ADT (synfinatic_at_gmail.com)
Date: 11/09/04
- Previous message: Don Parker: "Re: TippingPoint Releases Open Source Code for FirstIntrusionPrev ention Test Tool, Tomahawk"
- In reply to: adam.w.hogan: "RE: Snort signature packet generator"
- Next in thread: Martin Roesch: "Re: Snort signature packet generator"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 9 Nov 2004 10:59:37 -0800
To: focus-ids@securityfocus.com
IMHO, using a scanner such as Nessus would only train a neural network
how to detect a scanner. Scanners, in general, try not to send actual
exploits because it'll break the target. Rather, they use non-intrusive
techniques such as banner grabbing to determine if a target is
vulnerable.
As earlier mentioned, Snot/Stick don't do TCP 3-way handshakes and
hence don't generate legit traffic which would be useful to train a
neural net either. Your best bet is either to get a bunch of
exploits and run them (easy to find, but dangerous if you don't know
what you're doing) or to find pcaps of actual exploits and use something
like tcpreplay to train (much harder to find, but safer).
-Aaron
--
http://synfin.net

On Mon, 8 Nov 2004 10:30:47 -0500, adam.w.hogan <adam.w.hogan@delphi.com> wrote:
>
> There is a program to do just that: Snot [0]. But this strikes me as a very inaccurate way to train a neural network. You would be using purely crafted packets which may or may not appear as an actual attack would. Snot is made to fill up snort logs, and the packets it creates are done purely to trip rules, not appear 100% valid. Instead I would download exploits and scanners like Nessus and use actual attacks to train your neural net.
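The point Aaron makes about Snot/Stick, that stateless generators emit payload without a completed handshake, can be turned into a dataset-quality check before training. The following is an added example, not code from this thread or from any of the tools named in it: it walks simplified packet records (a constructed list, not a real capture; a practitioner would feed it from a pcap reader) and separates flows that completed SYN, SYN/ACK, ACK from flows that carried payload without ever doing so.

```python
from collections import defaultdict

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits

# Constructed sample records: (src, sport, dst, dport, flags, payload_len).
SAMPLE_PACKETS = [
    ("10.0.0.1", 1234, "10.0.0.9", 80, SYN, 0),            # real client: SYN
    ("10.0.0.9", 80, "10.0.0.1", 1234, SYN | ACK, 0),      # server: SYN/ACK
    ("10.0.0.1", 1234, "10.0.0.9", 80, ACK, 0),            # client: ACK
    ("10.0.0.1", 1234, "10.0.0.9", 80, PSH | ACK, 40),     # client: request
    ("10.0.0.7", 4444, "10.0.0.9", 80, PSH | ACK, 30),     # stateless generator
    ("10.0.0.5", 5555, "10.0.0.9", 80, SYN, 0),            # bare SYN, no payload
]

def handshake_complete_flows(packets):
    """Return (complete, stateless): flow keys (src, sport, dst, dport)
    that finished the three-way handshake, and keys that carried payload
    without ever completing one (the Snot/Stick signature in a capture)."""
    state = {}            # client-side key -> "syn" | "synack" | "established"
    payload_seen = set()
    for src, sport, dst, dport, flags, plen in packets:
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            state[fwd] = "syn"                       # client opened
        elif flags & SYN and flags & ACK and state.get(rev) == "syn":
            state[rev] = "synack"                    # server answered
        elif flags & ACK and not flags & SYN and state.get(fwd) == "synack":
            state[fwd] = "established"               # client confirmed
        if plen > 0:
            # Attribute payload to the client-side key if we know it,
            # otherwise keep the packet's own direction as the key.
            key = fwd if fwd in state else (rev if rev in state else fwd)
            payload_seen.add(key)
    complete = {k for k, s in state.items() if s == "established"}
    return complete, payload_seen - complete

def classify_sample():
    return handshake_complete_flows(SAMPLE_PACKETS)

if __name__ == "__main__":
    good, bogus = classify_sample()
    print("handshake complete:", sorted(good))
    print("payload without handshake:", sorted(bogus))
```

Flows in the second set are what a crafted-packet generator leaves behind; dropping them (or keeping them only as a negative class) keeps a classifier from learning "no handshake" as the attack feature.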