RE: snort signature analysis tools
From: Hazel, Scott A. (Scott.Hazel_at_unisys.com)
Date: 01/14/05
- Previous message: Rainer Duffner: "Re: newbie quetsions"
- Maybe in reply to: Scott Kelly: "snort signature analysis tools"
- Next in thread: Chris Green: "Re: snort signature analysis tools"
- Reply: Chris Green: "Re: snort signature analysis tools"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 Jan 2005 10:58:22 -0500
To: <focus-ids@securityfocus.com>
When you talk about intersecting rules, what data would you like to see
intersecting? I speculate the critical information would be port/protocol
info as well as payload string matches. A simple example is to find all
rules that monitor port 80 or look for "package.exe" in the packet data.
Seems like you could also achieve this using a grep search of the rule
files. Some savvy programming could even process the rules into their
respective fields, then import that info to a DB for relational searches.
Having said all that, I'll qualify my programming experience ends with the
ability to spell programming. ;-) Is this along the lines of what you're
looking for, Scott?
Scott H.
-----Original Message-----
From: Martin Roesch [mailto:roesch@sourcefire.com]
Sent: Tuesday, January 11, 2005 11:01 PM
To: Scott Kelly
Cc: focus-ids@securityfocus.com
Subject: Re: snort signature analysis tools
Hi Scott,
I don't think there are any tools like that out there currently.
-Marty
On Jan 7, 2005, at 11:48 AM, Scott Kelly wrote:
>> -----Original Message-----
>> From: Martin Roesch [mailto:roesch@sourcefire.com]
>> Sent: Friday, January 07, 2005 6:48 AM
>> To: Scott Kelly
>> Cc: focus-ids@securityfocus.com
>> Subject: Re: snort signature analysis tools
>>
>> What do you mean by overlaps/collisions? Rules that cover the same
>> attack, duplicates, rules that will "cover" other rules and prevent
>> them from firing?
>>
>
> Maybe "intersecting rules" would be a better description. Is there a
> way, given an existing rule set, to determine the uniqueness of a
> proposed rule, to detect (interesting) intersections with other rules?
>
> Thanks,
>
> Scott
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
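The approach Scott Hazel sketches above (split each rule into its header fields and content strings, then look for rules that share protocol, ports and payload strings) as an added Python example; this is not code from the thread or from Snort, and the sample rules and sids are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample rules in Snort 2 syntax (not taken from any real ruleset).
SAMPLE_RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB package.exe download"; content:"package.exe"; nocase; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe request"; content:"cmd.exe"; sid:1000002;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP package.exe attachment"; content:"package.exe"; sid:1000003;)
alert udp any any -> any 53 (msg:"DNS query marker"; content:"|00 01 00 01|"; sid:1000004;)
"""

# Rule header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# key:value; pairs, where value may be a quoted string containing ';'
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

@dataclass
class Rule:
    sid: str
    proto: str
    sport: str
    dport: str
    contents: list = field(default_factory=list)

def parse_rule(line):
    """Split one rule into the fields relevant for intersection checks, or None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = OPT_RE.findall(m.group('opts'))
    # Content strings are compared case-insensitively as a coarse approximation;
    # nocase/offset/depth modifiers are deliberately ignored here.
    contents = [v.strip('"').lower() for k, v in opts if k == 'content']
    sid = next((v for k, v in opts if k == 'sid'), '?')
    return Rule(sid, m.group('proto').lower(), m.group('sport'), m.group('dport'), contents)

def load_rules(text):
    return [r for r in (parse_rule(l) for l in text.splitlines()) if r]

def ports_overlap(a, b):
    # 'any' overlaps everything; otherwise compare the literal port tokens.
    return a == 'any' or b == 'any' or a == b

def intersecting(proposed, ruleset):
    """Sids of existing rules sharing protocol, overlapping ports and a content string."""
    return [r.sid for r in ruleset
            if r.proto == proposed.proto
            and ports_overlap(r.sport, proposed.sport)
            and ports_overlap(r.dport, proposed.dport)
            and set(r.contents) & set(proposed.contents)]
```

Feeding a proposed rule through `parse_rule` and `intersecting` against the loaded ruleset lists the sids it collides with; widening a port to `any` in the proposed rule shows how the overlap set grows.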