Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: snort signature analysis tools

from [Chris Green] Network Security [Permanent Link]
Subject: Re: snort signature analysis tools
Date: Tue, 18 Jan 2005 15:28:25 -0600 
On 1/14/05 9:58 AM, "Hazel, Scott A." <Scott.Hazel@unisys.com> wrote:


When you talk about intersecting rules, what data would you like to see
intersecting? I speculate the critical information would be port/protocol
info as well as payload string matches.  A simple example is to find all
rules that monitor port 80 or look for "package.exe" in the packet data.


Back when I worked on snort, I *really* wished I had something like this.
It's a bit more complicated grep but it is about finding relations.

For example, you need to know that

  alert ip any any -> any any () will match all the rules that alert tcp any
any -> any any () will do.. Same goes for ports, and subsets of IPs.

You'd also need to do the simple substring searches ("cmd.exe" will be set
off by "weathercmd.exe").

You'd also like to know that uricontent:" " and content:"%20"
byte_test:"xxx=42" (forgot what the real syntax was) might overlap.

It's non-trivial to write such an application but I think it would make a
really good project for a Comp Sci person since being able to group the
rules into overlaps would be right on the boundary of IDS performance
grouping without the need for expensive testing hardware.

Cheers,
Chris


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Specification-based Anomaly Detection, (infor) urko zurutuza
Next by Date:  Re: IDS: Snort detecting distributed syn floods, nick black
Previous by Thread:  RE: snort signature analysis tools, Hazel, Scott A.
Next by Thread:  Re: snort signature analysis tools, Jose Nazario
Indexes:  [Date] [Thread] [Top] [All Lists]