IDS mailing list archives
RE: snort signature analysis tools
From: "Hazel, Scott A." <Scott.Hazel () unisys com>
Date: Fri, 14 Jan 2005 10:58:22 -0500
When you talk about intersecting rules, what data would you like to see intersecting? I speculate the critical information would be port/protocol info as well as payload string matches. A simple example is to find all rules that monitor port 80 or look for "package.exe" in the packet data. Seems like you could also achieve this using a grep search of the rule files. Some savvy programming could even process the rules into their respective fields, then import that info to a DB for relational searches.

Having said all that, I'll qualify my programming experience ends with the ability to spell programming. ;-)

Is this along the lines of what you're looking for Scott?

Scott H.

-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Tuesday, January 11, 2005 11:01 PM
To: Scott Kelly
Cc: focus-ids () securityfocus com
Subject: Re: snort signature analysis tools

Hi Scott,

I don't think there are any tools like that out there currently.

-Marty

On Jan 7, 2005, at 11:48 AM, Scott Kelly wrote:
-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: Friday, January 07, 2005 6:48 AM
To: Scott Kelly
Cc: focus-ids () securityfocus com
Subject: Re: snort signature analysis tools

What do you mean by overlaps/collisions? Rules that cover the same attack, duplicates, rules that will "cover" other rules and prevent them from firing?

Maybe "intersecting rules" would be a better description. Is there a way, given an existing rule set, to determine the uniqueness of a proposed rule, to detect (interesting) intersections with other rules?

Thanks,
Scott
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
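An added example, not part of this thread or of Snort itself, of the approach Scott Hazel sketches: parse Snort rules into their fields (protocol, ports, content strings, sid, msg) and then query them relationally, finding every rule on port 80, every rule that looks for "package.exe", and the existing rules a proposed rule intersects with on protocol, destination port and content. The sample rules and their sids are constructed for the example; the parser is a deliberately small subset of Snort rule syntax, and `$VARIABLE` port specs are treated as `any` because no snort.conf is resolved here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample rules for this example (hypothetical sids, not a real ruleset).
SAMPLE_RULES = """
# comment lines and blank lines are skipped
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB exe download"; flow:to_server,established; content:"package.exe"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe access"; content:"cmd.exe"; nocase; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"SMTP exe attachment"; content:"package.exe"; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"DNS oversized query"; dsize:>512; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET 8080 (msg:"PROXY exe download"; content:"package.exe"; sid:1000005; rev:1;)
"""

# Rule header layout: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
ALL_PORTS = frozenset(range(65536))


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: str = ""
    msg: str = ""
    contents: List[str] = field(default_factory=list)  # lower-cased content strings


def split_options(opts: str) -> List[str]:
    """Split the option body on ';' outside double quotes (honours backslash escapes)."""
    parts, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == "\\" and i + 1 < len(opts):      # keep escaped character verbatim
            cur.append(opts[i:i + 2]); i += 2; continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur).strip()); cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one Snort rule line into fields; returns None for non-rule lines."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    r = Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
    for opt in split_options(m["opts"]):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            r.sid = val
        elif key == "msg":
            r.msg = val.strip('"')
        elif key == "content":
            # Simplification: every content is compared case-insensitively and a
            # negated content (content:!"...") is indexed like a positive one.
            r.contents.append(val.lstrip("!").strip().strip('"').lower())
    return r


def load_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            r = parse_rule(line)
            if r:
                rules.append(r)
    return rules


def port_set(spec: str) -> frozenset:
    """Expand a port spec (any, 80, 1024:, [80,8080], !25) into a set of ports.
    Assumption: $VARIABLES are not resolved here and are treated as 'any'."""
    spec = spec.strip()
    if spec == "any" or spec.startswith("$"):
        return ALL_PORTS
    if spec.startswith("!"):
        return ALL_PORTS - port_set(spec[1:])
    if spec.startswith("[") and spec.endswith("]"):
        return frozenset().union(*(port_set(p) for p in spec[1:-1].split(",")))
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return frozenset(range(int(lo or 0), int(hi or 65535) + 1))
    return frozenset({int(spec)})


def rules_on_port(rules: List[Rule], port: int, proto: Optional[str] = None) -> List[Rule]:
    """Rules whose destination port spec covers `port` (where service ports usually sit)."""
    return [r for r in rules
            if (proto is None or r.proto == proto) and port in port_set(r.dport)]


def rules_with_content(rules: List[Rule], needle: str) -> List[Rule]:
    """Rules with a content string containing `needle` (case-insensitive)."""
    n = needle.lower()
    return [r for r in rules if any(n in c for c in r.contents)]


def intersecting(rules: List[Rule], proposed: Rule) -> List[Rule]:
    """Existing rules a proposed rule overlaps: same protocol, overlapping
    destination ports, and at least one content string in common."""
    return [r for r in rules
            if r.sid != proposed.sid
            and r.proto == proposed.proto
            and port_set(r.dport) & port_set(proposed.dport)
            and set(r.contents) & set(proposed.contents)]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    print("port 80:", [r.sid for r in rules_on_port(rules, 80)])
    print("package.exe:", [r.sid for r in rules_with_content(rules, "package.exe")])
    proposed = parse_rule('alert tcp any any -> $HOME_NET [80,8080] '
                          '(msg:"proposed"; content:"PACKAGE.EXE"; sid:2000000; rev:1;)')
    print("intersects:", [r.sid for r in intersecting(rules, proposed)])
```

Once rules are in this shape, dumping the `Rule` records into a database table (one row per rule, one row per content string) gives the relational searches the message describes; the `intersecting` check above is the same join done in memory. It reports overlap, not redundancy: two rules that share a port and a content string can still differ on flow, offset or PCRE options the parser ignores, so a hit is a candidate for review rather than proof of duplication.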