RE: snort signature analysis tools

From: Hazel, Scott A. (Scott.Hazel_at_unisys.com)
Date: 01/14/05

  • Next message: Ofer Shezaf: "RE: Specification-based Anomaly Detection"
    Date: Fri, 14 Jan 2005 10:58:22 -0500
    To: <focus-ids@securityfocus.com>

    When you talk about intersecting rules, what data would you like to see
    intersecting? I speculate the critical information would be port/protocol
    info as well as payload string matches. A simple example is to find all
    rules that monitor port 80 or look for "package.exe" in the packet data.

    Seems like you could also achieve this using a grep search of the rule
    files. Some savvy programming could even process the rules into their
    respective fields, then import that info to a DB for relational searches.
    Having said all that, I'll qualify that my programming experience ends with
    the ability to spell programming. ;-) Is this along the lines of what you're
    looking for, Scott?

    Scott H.

    -----Original Message-----
    From: Martin Roesch [mailto:roesch@sourcefire.com]
    Sent: Tuesday, January 11, 2005 11:01 PM
    To: Scott Kelly
    Cc: focus-ids@securityfocus.com
    Subject: Re: snort signature analysis tools

    Hi Scott,

    I don't think there are any tools like that out there currently.

          -Marty

    On Jan 7, 2005, at 11:48 AM, Scott Kelly wrote:

    >> -----Original Message-----
    >> From: Martin Roesch [mailto:roesch@sourcefire.com]
    >> Sent: Friday, January 07, 2005 6:48 AM
    >> To: Scott Kelly
    >> Cc: focus-ids@securityfocus.com
    >> Subject: Re: snort signature analysis tools
    >>
    >> What do you mean by overlaps/collisions? Rules that cover the same
    >> attack, duplicates, rules that will "cover" other rules and prevent
    >> them from firing?
    >>
    >
    > Maybe "intersecting rules" would be a better description. Is there a
    > way, given an existing rule set, to determine the uniqueness of a
    > proposed rule, to detect (interesting) intersections with other rules?
    >
    > Thanks,
    >
    > Scott
    >

    --
    Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616 Sourcefire -
    Discover.  Determine.  Defend.
    roesch@sourcefire.com - http://www.sourcefire.com
    Snort: Open Source Network IDS - http://www.snort.org