IDS patterns help

From: Asier (as5yer_nh9ag_at_terra.es)
Date: 04/29/04


Date: Thu, 29 Apr 2004 10:13:36 GMT

Hi everybody,

I am developing an IDS and I have found that some of these IDSs
use algorithms that search for matches in different lengths of
strings. If I am not confused, SNORT uses the 'wu-manber' algorithm
to search for signs of attack inside these 'strings'.

I would like to use this algorithm in my IDS, but I do not
know exactly how it works or how to use it. Do I have to treat
the patterns I have to find in some way, or is it the data part,
where the patterns will be found?

My IDS rules have exactly the same structure that Snort has,
where the patterns to find can be mixed (that is, they
can contain binary and text data, as in |0A 00 03|version). And
when one rule contains more than one pattern to find, in some
cases it is necessary to take the length in bytes between the
match of the first pattern and the next one for it to be
considered an attack. It is because of this that I am confused
about how I have to treat the patterns before
using the 'wu-manber' algorithm.

Please, could anybody explain to me, or give me a hint about, how to
use this algorithm and where I can find the source?

And for my implementation, does anybody know if there is
a Perl module for this algorithm?

Thank you very very much in advance ;-)
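
The scheme asked about above, as an added example that is not part of the original post and is not Snort's code: mixed contents such as |0A 00 03|version are converted to raw bytes first, a compact Wu-Manber matcher (2-byte blocks) then scans the payload for all patterns at once, and the byte gap between two matches is checked afterwards. The names `parse_content`, `WuManber` and `rule_matches`, the second pattern `root|00|`, the simplified gap check and the payload are assumptions made for illustration.

```python
from collections import defaultdict

B = 2  # block size for the SHIFT table

def parse_content(s):
    """Turn a Snort-style content string, e.g. '|0A 00 03|version', into bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        # Odd-numbered parts sit between pipes and hold hex byte values.
        out += bytes.fromhex(part.replace(" ", "")) if i % 2 else part.encode("latin-1")
    return bytes(out)

class WuManber:
    def __init__(self, contents):
        self.pats = [parse_content(c) for c in contents]
        self.m = min(len(p) for p in self.pats)  # scan window = shortest pattern
        if self.m < B:
            raise ValueError("every pattern needs at least B bytes")
        self.default = self.m - B + 1            # shift for blocks in no pattern
        self.shift, self.bucket = {}, defaultdict(list)
        for idx, p in enumerate(self.pats):
            for j in range(self.m - B + 1):      # blocks of the first m bytes only
                blk = p[j:j + B]
                self.shift[blk] = min(self.shift.get(blk, self.default), self.m - B - j)
            self.bucket[p[self.m - B:self.m]].append(idx)

    def search(self, data):
        """Return sorted (offset, pattern_index) pairs for every occurrence."""
        hits, pos = [], self.m
        while pos <= len(data):
            blk = data[pos - B:pos]              # last B bytes of the window
            step = self.shift.get(blk, self.default)
            if step == 0:                        # window may end a pattern prefix
                start = pos - self.m
                hits += [(start, i) for i in self.bucket.get(blk, [])
                         if data.startswith(self.pats[i], start)]
                step = 1
            pos += step
        return sorted(hits)

def rule_matches(data, first, second, min_gap, max_gap):
    """True if `second` starts min_gap..max_gap bytes after a `first` match ends."""
    wm = WuManber([first, second])
    hits = wm.search(data)
    ends = [off + len(wm.pats[0]) for off, i in hits if i == 0]
    starts = [off for off, i in hits if i == 1]
    return any(min_gap <= s - e <= max_gap for e in ends for s in starts)

# Constructed sample payload (not real traffic).
PAYLOAD = b"\x01\x02\x0a\x00\x03versionAAAAroot\x00tail"
```

Only the first `m` bytes of each pattern (the length of the shortest one) drive the skipping, so the patterns themselves need no treatment beyond the hex-to-bytes conversion; the full pattern is verified at each candidate offset.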


