IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Thu, 19 Mar 2009 20:58:14 -0700

Hi,

I asked my colleagues and did some searching myself. I am not sure
whether it is possible to convert from a set of bytes to an integer value
and check that value within a range of arbitrary values using a pcre
expression. Any ideas?

Thanks
Ravi

On Thu, Mar 19, 2009 at 1:33 PM, Joel Esler <eslerj () gmail com> wrote:
On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:

--On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <eslerj () gmail com>
wrote:

Would this be an appropriate use for byte_test or byte_jump?


That's what I was referring to when I mentioned applications.  The problem
with http traffic is that it's much more freeform and doesn't lend itself to
byte_test and byte_jump type tests.


I'd probably use a combination of isdataat and pcre for this.  As Marty
said, 99.9999% of things can be found with plaintext Snort rules.  Anything
else, you can use an .so rule for.

--
Joel Esler T: 302-223-5974 (-) Gtalk: jesler () sourcefire com
[m]
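As an added illustration (not code from the thread or from Snort itself) of the two approaches the replies contrast: a byte_test-style check on a fixed-offset binary field does the byte-to-integer conversion natively, and a closed range is two chained tests; pcre has no arithmetic, so a numeric range in ASCII HTTP headers has to be spelled out as character classes. The byte_test emulation below follows the option names from the Snort manual as I understand them, with string mode assumed to be base 10, and the HTTP payloads are constructed samples.

```python
import re


def byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int,
              little_endian: bool = False, string: bool = False) -> bool:
    """Emulate a byte_test: read nbytes at offset, convert, compare.

    Only the <, >, =, and & operators are modelled; string mode is
    assumed to be decimal ASCII (an assumption, Snort also accepts hex/oct).
    """
    field = payload[offset:offset + nbytes]
    if len(field) < nbytes:
        return False          # not enough data, like a failing isdataat
    if string:
        try:
            n = int(field.decode("ascii"), 10)
        except (UnicodeDecodeError, ValueError):
            return False
    else:
        n = int.from_bytes(field, "little" if little_endian else "big")
    return {"<": n < value, ">": n > value,
            "=": n == value, "&": (n & value) != 0}[op]


def in_range_binary(payload: bytes, nbytes: int, offset: int,
                    low: int, high: int) -> bool:
    """Closed range [low, high] as two chained byte_tests on the same field."""
    return (byte_test(payload, nbytes, ">", low - 1, offset)
            and byte_test(payload, nbytes, "<", high + 1, offset))


# pcre cannot compute a value, so "Content-Length between 1000 and 9999"
# is written structurally: a non-zero digit followed by exactly three digits,
# terminated by the end of the header line.
CONTENT_LENGTH_1000_9999 = re.compile(rb"Content-Length:[ \t]*[1-9]\d{3}\r?\n")


def content_length_in_range(payload: bytes) -> bool:
    """Regex equivalent of the range check for an ASCII decimal header."""
    return CONTENT_LENGTH_1000_9999.search(payload) is not None


if __name__ == "__main__":
    # constructed sample: 4 bytes of header, then a big-endian 16-bit length field
    binary = b"\x00\x01\x00\x00" + (1500).to_bytes(2, "big") + b"\x00" * 8
    print(in_range_binary(binary, 2, 4, 1000, 2000))            # True
    http = b"POST /upload HTTP/1.1\r\nContent-Length: 4096\r\n\r\n"
    print(content_length_in_range(http))                        # True
```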

