IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Seth Hall <hall.692 () osu edu>
Date: Fri, 20 Mar 2009 15:13:01 -0400

For some reason this didn't come across the list when I sent it the other night. In case it has to do with the attachments, I'll include URLs to the files here.

On Mar 18, 2009, at 4:21 PM, Damiano Bolzoni wrote:

> I have to admit I have never looked at Bro signatures, although I know it approaches the problem differently. So, I'm really curious. :)

To be completely up front about it, this script is not in a shape that I would actually run it on our network traffic. I would likely do quite a few extra cleanups and additions to it before using it. Links to the script and to two traces (a matching trace and a non-matching trace) in a zip file are included at the bottom.

I'll include a short demo of the script here as well.

=====================
$> cp ~/bro_scripts/ids-focus_example.bro ~/bro.trunk/
$> cd ~/bro.trunk/
$> export BROPATH=./policy:.
$> ./src/bro -f"ip" -r ~/http-overflow.trace -C ids-focus_example.bro

Potential HTTP overflow attack 192.168.3.103/54074 > 128.146.216.51/http
   URL Path: /
   Attempts overflow with 2000 instances of character: "R"
=====================

ftp://ftp.infosec.ohio-state.edu/pub/users/seth/outgoing/ids-focus_example.bro
ftp://ftp.infosec.ohio-state.edu/pub/users/seth/outgoing/example-traces.zip

 .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
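The detection the demo output above implies, written out as an added Python sketch (this is not Seth's Bro script, which is only linked, and the request lines, the 1000-character threshold and the function names are constructed assumptions): flag an HTTP request whose URI carries a long run of one repeated character, and report it in the same shape as the demo.

```python
import re

# Constructed sample request lines, one per connection: (src, sport, dst, dport, request line).
# The first mimics the matching trace in the demo; the others are benign-looking traffic.
SAMPLE_REQUESTS = [
    ("192.168.3.103", 54074, "128.146.216.51", 80, "GET /" + "R" * 2000 + " HTTP/1.1"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "GET /index.html HTTP/1.1"),
    ("10.0.0.6", 40002, "10.0.0.9", 80, "GET /search?q=" + "A" * 150 + " HTTP/1.1"),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/\d\.\d$")
RUN = re.compile(r"(.)\1*")  # maximal run of a single repeated character


def longest_run(s):
    """Return (char, length, start) of the longest run of one repeated character in s."""
    best = ("", 0, 0)
    for m in RUN.finditer(s):
        n = m.end() - m.start()
        if n > best[1]:
            best = (m.group(1), n, m.start())
    return best


def check_request(src, sport, dst, dport, line, threshold=1000):
    """Return an alert dict if the URI holds a run of >= threshold identical characters, else None."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None  # not a well-formed request line; nothing to judge here
    uri = m.group("uri")
    char, count, start = longest_run(uri)
    if count < threshold:
        return None
    # Report the part of the URI before the run so the alert stays short, as the demo does ("/").
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "path": uri[:start] or "/", "char": char, "count": count}


def format_alert(a):
    return (f"Potential HTTP overflow attack {a['src']}/{a['sport']} > {a['dst']}/{a['dport']}\n"
            f"   URL Path: {a['path']}\n"
            f"   Attempts overflow with {a['count']} instances of character: \"{a['char']}\"")


def run_detector(requests=SAMPLE_REQUESTS, threshold=1000):
    """Run the check over every request and return the list of alerts raised."""
    alerts = [a for a in (check_request(*r, threshold=threshold) for r in requests) if a]
    for a in alerts:
        print(format_alert(a))
    return alerts


if __name__ == "__main__":
    run_detector()
```

Lowering the threshold (for example `run_detector(threshold=100)`) also flags the third request, which is the kind of tuning decision a site would make before trusting such a rule on real traffic.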