Re: snort signature analysis tools
From: Chris Green (cmgreen_at_uab.edu)
Date: 01/18/05
- Previous message: infor) urko zurutuza: "RE: Specification-based Anomaly Detection"
- In reply to: Hazel, Scott A.: "RE: snort signature analysis tools"
- Next in thread: Jose Nazario: "Re: snort signature analysis tools"
- Reply: Jose Nazario: "Re: snort signature analysis tools"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 18 Jan 2005 15:28:25 -0600 To: "Hazel, Scott A." <Scott.Hazel@unisys.com>, <focus-ids@securityfocus.com>
On 1/14/05 9:58 AM, "Hazel, Scott A." <Scott.Hazel@unisys.com> wrote:
> When you talk about intersecting rules, what data would you like to see
> intersecting? I speculate the critical information would be port/protocol
> info as well as payload string matches. A simple example is to find all
> rules that monitor port 80 or look for "package.exe" in the packet data.
Back when I worked on snort, I *really* wished I had something like this.
It's a bit more complicated grep but it is about finding relations.
For example, you need to know that
alert ip any any -> any any () will match all the rules that alert tcp any
any -> any any () will do.. Same goes for ports, and subsets of IPs.
You'd also need to do the simple substring searches ("cmd.exe" will be set
off by "weathercmd.exe").
You'd also like to know that uricontent:" " and content:"%20"
byte_test:"xxx=42" (forgot what the real syntax was) might overlap.
It's non-trivial to write such an application but I think it would make a
really good project for a Comp Sci person since being able to group the
rules into overlaps would be right on the boundary of IDS performance
grouping without the need for expensive testing hardware.
Cheers,
Chris
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
- Previous message: infor) urko zurutuza: "RE: Specification-based Anomaly Detection"
- In reply to: Hazel, Scott A.: "RE: snort signature analysis tools"
- Next in thread: Jose Nazario: "Re: snort signature analysis tools"
- Reply: Jose Nazario: "Re: snort signature analysis tools"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
