IDS mailing list archives

RE: snort signature analysis tools


From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Fri, 14 Jan 2005 10:58:22 -0500


When you talk about intersecting rules, what data would you like to see
intersecting? I speculate the critical information would be port/protocol
info as well as payload string matches.  A simple example is to find all
rules that monitor port 80 or look for "package.exe" in the packet data.  

Seems like you could also achieve this using a grep search of the rule
files. Some savvy programming could even process the rules into their
respective fields, then import that info to a DB for relational searches.
Having said all that, I'll qualify that my programming experience ends with the
ability to spell programming. ;-)  Is this along the lines of what you're
looking for, Scott? 

Scott H.   
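The grep-then-parse approach sketched above (and the uniqueness check Scott Kelly asks about in the quoted thread further down), worked through as an added Python example that is not part of the original thread or of Snort itself. The rule lines, sids and the $HTTP_PORTS value are constructed for illustration; the parser only handles the plain header/option layout shown, treats content matches as case-insensitive literal strings (hex |..| blocks are not decoded), and calls two rules "intersecting" when they share a protocol, overlap on destination port and one rule's content string contains the other's:

```python
import re
from collections import namedtuple

# Constructed sample rule set for illustration only; not from any shipped Snort
# distribution, and the sids are hypothetical.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB package.exe download"; content:"package.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB exe download"; content:".exe"; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 21 (msg:"FTP package.exe transfer"; content:"package.exe"; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS probe"; content:"|00 01 00 00|"; sid:1000004; rev:1;)
# alert tcp any any -> any 80 (msg:"disabled rule"; content:"package.exe"; sid:1000005; rev:1;)
"""
# Candidate rule whose uniqueness we want to judge (also constructed).
PROPOSED_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
                 '(msg:"WEB package.exe, proposed"; content:"package.exe"; sid:1000099; rev:1;)')
# Assumed snort.conf variable values; a real tool would read them from the config.
PORT_VARS = {"$HTTP_PORTS": {80, 8080}}

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')
# "option;" or "option:value;" where value may be a quoted string containing ';'
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')

Rule = namedtuple("Rule", "sid action proto src sport dst dport msg contents")


def expand_ports(spec):
    """Set of ports a header port field covers, or None for 'any'."""
    spec = spec.strip()
    if spec == "any":
        return None
    if spec in PORT_VARS:
        return set(PORT_VARS[spec])
    ports = set()
    for part in spec.strip("[]").split(","):
        if ":" in part:                 # ranges such as 8000:8080, :1024, 1024:
            lo, hi = part.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rule(line):
    """Split one rule into header fields plus msg/sid/content; None for comments,
    blank lines and anything this deliberately simple grammar rejects."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    msg, sid, contents = "", "", []
    for key, val in OPT_RE.findall(m.group("opts")):
        val = val.strip().strip('"')
        if key == "content":
            contents.append(val.lower())  # hex |..| blocks kept as literal text
        elif key == "msg":
            msg = val
        elif key == "sid":
            sid = val
    return Rule(sid, m["action"], m["proto"], m["src"], m["sport"],
                m["dst"], m["dport"], msg, contents)


def load_rules(text):
    return [r for r in map(parse_rule, text.splitlines()) if r]


def rules_on_port(rules, port):
    """The grep-style query: rules whose destination port field covers `port`."""
    hits = []
    for r in rules:
        ports = expand_ports(r.dport)
        if ports is None or port in ports:
            hits.append(r.sid)
    return hits


def rules_with_content(rules, needle):
    """The other grep-style query: rules with a content match containing `needle`."""
    needle = needle.lower()
    return [r.sid for r in rules if any(needle in c for c in r.contents)]


def find_intersections(rules, proposed):
    """Rules that can fire on the same traffic as `proposed`: same protocol,
    overlapping destination ports, and a content string that contains or is
    contained in one of ours (a shorter match means the existing rule is broader)."""
    hits = []
    for r in rules:
        if r.sid == proposed.sid or r.proto != proposed.proto:
            continue
        a, b = expand_ports(r.dport), expand_ports(proposed.dport)
        if a is not None and b is not None and not (a & b):
            continue
        shared = [c for c in proposed.contents if any(c in rc or rc in c for rc in r.contents)]
        if shared:
            hits.append((r.sid, shared))
    return hits


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("port 80:", rules_on_port(rules, 80))
    print("package.exe:", rules_with_content(rules, "package.exe"))
    print("overlaps with proposed:", find_intersections(rules, parse_rule(PROPOSED_RULE)))
```

On the sample set the proposed rule is not unique: sid 1000001 carries the same port and content string, and sid 1000002 is broader (".exe" on $HTTP_PORTS) and would fire on the same packets. Loading the parsed fields into a database, as suggested above, is a natural next step once the parser covers the rest of the option language (ports negation, pcre, flow, byte_test), which this example does not attempt.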


-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com] 
Sent: Tuesday, January 11, 2005 11:01 PM
To: Scott Kelly
Cc: focus-ids () securityfocus com
Subject: Re: snort signature analysis tools

Hi Scott,

I don't think there are any tools like that out there currently.

      -Marty

On Jan 7, 2005, at 11:48 AM, Scott Kelly wrote:

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, January 07, 2005 6:48 AM
To: Scott Kelly
Cc: focus-ids () securityfocus com
Subject: Re: snort signature analysis tools

What do you mean by overlaps/collisions?  Rules that cover the same 
attack, duplicates, rules that will "cover" other rules and prevent 
them from firing?


Maybe "intersecting rules" would be a better description. Is there a 
way, given an existing rule set, to determine the uniqueness of a 
proposed rule, to detect (interesting) intersections with other rules?

Thanks,

Scott




--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org



