IDS mailing list archives
Re: Automated IDS Signature Generator?
From: Christian Kreibich <christian () whoop org>
Date: 23 Jun 2003 04:16:02 +0100
Hi,

On Tue, 2003-06-17 at 23:34, quakeroats () hushmail com wrote:

> IDS Folk,
>
> Is there a utility/function/program that automatically generates an IDS signature based on a recording of a monitored exploit attempt? For example, say the exploit is brought into an isolated lab environment, and we record the whole attack. At the end of the attack, this "thing" spits out automated scripts for any number of IDS solutions. Seems like it would be something that companies like Snort/Symantec/Dragon/etc. might already have, but I've never heard of such a utility.
yup, it's called Honeycomb and was already pointed out by Toby. Sorry for the slow reply, I've been buried in work.

http://www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeycomb is a system that applies pattern matching and protocol analysis techniques to traffic going through honeyd[1]. It is an experimental system that currently is good at detecting invalid traffic characteristics (christmas packets etc) and particularly worms, due to their relatively large size.

Calling such a system useless is quite naive -- potential applications abound. The system has created extremely good signatures for the common worms in my testing, without any hardcoded knowledge of these worms. People have been using honeypots for a while now to trap spam by running fake open relays; Honeycomb could be used to look for patterns in spam to dynamically create spam filters, for example. Niels Provos is currently working on that.

Certainly it won't prevent new attacks or spot every single oddity on your network, but that's not the goal. The goal is to create signatures for things that happen repeatedly, and by looking for such traffic on a honeypot you get a damn good chance that you're looking at something malicious.

If you're interested, check out the poster or the slides of the talk on the site above.

[1] http://niels.xtdnet.nl/honeyd/

--
http://www.whoop.org
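The reply above describes the idea only in outline: pattern matching over traffic that reaches a honeypot, keeping patterns that recur across unrelated sources. The following is an added illustration of that idea, not Honeycomb's code and not from the thread. It assumes a simplified model (pairwise longest-common-substring over captured payloads, a minimum pattern length, a minimum number of distinct sources, and Snort-style `content:` output); the flows, hosts, probe string and SID range are all constructed for the example.

```python
"""Illustration of honeypot-driven signature generation (constructed example,
not Honeycomb's own code): payloads that several unrelated sources send to the
same honeypot port are compared pairwise, and the longest shared substrings with
enough support are turned into Snort-style content rules."""
from collections import defaultdict
from itertools import combinations


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic dynamic-programming LCS; quadratic, fine for honeypot-sized flows."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def snort_content(pattern: bytes) -> str:
    """Render bytes as a Snort content string: printable ASCII as-is, everything
    else (and Snort's special characters) as |XX| hex blocks."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(f"{x:02X}" for x in hexrun) + "|")
            hexrun.clear()

    for x in pattern:
        if 0x20 <= x < 0x7F and chr(x) not in '";\\|':
            flush()
            out.append(chr(x))
        else:
            hexrun.append(x)
    flush()
    return "".join(out)


def generate_signatures(flows, min_len=16, min_sources=3, first_sid=1000001):
    """flows: dicts with 'src', 'dport' and 'payload'. Returns one entry per
    accepted pattern: {'port', 'pattern', 'sources', 'rule'}."""
    by_port = defaultdict(list)
    for f in flows:
        by_port[f["dport"]].append(f)

    results, sid = [], first_sid
    for port, group in sorted(by_port.items()):
        # Candidates: pairwise LCS between flows from *different* sources.
        cands = set()
        for f1, f2 in combinations(group, 2):
            if f1["src"] == f2["src"]:
                continue
            s = longest_common_substring(f1["payload"], f2["payload"])
            if len(s) >= min_len:
                cands.add(s)

        accepted = []
        for cand in sorted(cands, key=lambda s: (-len(s), s)):
            # Support = distinct sources whose payload contains the candidate;
            # repetition from unrelated hosts is what makes honeypot traffic
            # worth a signature.
            support = {f["src"] for f in group if cand in f["payload"]}
            if len(support) < min_sources:
                continue
            # Prefer the most specific pattern: skip a candidate already contained
            # in a longer accepted one (e.g. a bare protocol-header fragment).
            if any(cand in longer for longer in accepted):
                continue
            accepted.append(cand)
            rule = (f'alert tcp any any -> any {port} '
                    f'(msg:"honeypot-derived pattern on port {port}, '
                    f'{len(support)} sources"; content:"{snort_content(cand)}"; '
                    f'sid:{sid}; rev:1;)')
            results.append({"port": port, "pattern": cand,
                            "sources": len(support), "rule": rule})
            sid += 1
    return results


# Constructed sample capture: three unrelated hosts send the same probe to the
# honeypot's port 80, one host sends an ordinary request, two hosts talk SMTP.
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dport": 80, "payload": b"GET /cgi-bin/probe.cgi?run=EXAMPLE-PAYLOAD-ONE HTTP/1.0\r\nHost: a\r\n\r\n"},
    {"src": "10.0.0.2", "dport": 80, "payload": b"GET /cgi-bin/probe.cgi?run=EXAMPLE-PAYLOAD-ONE HTTP/1.0\r\nHost: b\r\n\r\n"},
    {"src": "10.0.0.3", "dport": 80, "payload": b"GET /cgi-bin/probe.cgi?run=EXAMPLE-PAYLOAD-ONE HTTP/1.0\r\nHost: c\r\n\r\n"},
    {"src": "10.0.0.4", "dport": 80, "payload": b"GET /index.html HTTP/1.0\r\nHost: d\r\n\r\n"},
    {"src": "10.0.0.5", "dport": 25, "payload": b"HELO mail.example\r\n"},
    {"src": "10.0.0.6", "dport": 25, "payload": b"EHLO other.example\r\n"},
]

if __name__ == "__main__":
    for r in generate_signatures(SAMPLE_FLOWS):
        print(r["rule"])
```

Running it yields a single rule for port 80 built from the 63-byte probe shared by three hosts; the generic ` HTTP/1.0\r\nHost: ` fragment, which all four HTTP flows share, is discarded because it sits inside the longer accepted pattern, and the two SMTP greetings share too little to qualify. That second case is the weak spot of plain substring matching: protocol boilerplate recurs everywhere, which is why the reply stresses protocol analysis alongside pattern matching, and why a rule like this should be reviewed against normal production traffic before it is deployed.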
Current thread:
- Automated IDS Signature Generator? quakeroats (Jun 18)
- Re: Automated IDS Signature Generator? Anton A. Chuvakin (Jun 19)
- Re: Automated IDS Signature Generator? Stefano Zanero (Jun 19)
- Re: Automated IDS Signature Generator? Christian Kreibich (Jun 22)
- <Possible follow-ups>
- RE: Automated IDS Signature Generator? Kohlenberg, Toby (Jun 18)
- RE: Automated IDS Signature Generator? Kohlenberg, Toby (Jun 19)