Re: snort signature analysis tools

From: Chris Green (
Date: 01/18/05

  • Next message: nick black: "Re: IDS: Snort detecting distributed syn floods"
    Date: Tue, 18 Jan 2005 15:28:25 -0600
    To: "Hazel, Scott A." <>, <>

    On 1/14/05 9:58 AM, "Hazel, Scott A." <> wrote:

    > When you talk about intersecting rules, what data would you like to see
    > intersecting? I speculate the critical information would be port/protocol
    > info as well as payload string matches. A simple example is to find all
    > rules that monitor port 80 or look for "package.exe" in the packet data.

    Back when I worked on snort, I *really* wished I had something like this.
    It's a bit more complicated grep but it is about finding relations.

    For example, you need to know that

      alert ip any any -> any any () will match all the rules that alert tcp any
    any -> any any () will do.. Same goes for ports, and subsets of IPs.

    You'd also need to do the simple substring searches ("cmd.exe" will be set
    off by "weathercmd.exe").

    You'd also like to know that uricontent:" " and content:"%20"
    byte_test:"xxx=42" (forgot what the real syntax was) might overlap.

    It's non-trivial to write such an application but I think it would make a
    really good project for a Comp Sci person since being able to group the
    rules into overlaps would be right on the boundary of IDS performance
    grouping without the need for expensive testing hardware.


    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    Go to
    to learn more.

  • Next message: nick black: "Re: IDS: Snort detecting distributed syn floods"