Snort mailing list archives
Re: generating snort rules automatically
From: Charles <quanxing () Eng Auburn EDU>
Date: Thu, 24 Jan 2002 13:40:37 -0600 (CST)
Thank you very much!

charles

On Thu, 24 Jan 2002, Ryan Russell wrote:

> On Thu, 24 Jan 2002, Charles wrote:
>
> > Generating rules from Tcpdump or other traffic trace data based on some
> > analysis results. Are all the current snort rules written by humans?
>
> I believe every one of them was written by a human, albeit some with a
> cut-and-paste, I'm sure. Even with a TCPDump file to help, someone still
> has to decide which parts are the problem. For example, which portion of
> the TCP data to use, which TCP flags go with it, whether the port numbers
> are important, etc.
>
> Snort is capable of checking for pretty much every piece of a header, so
> if you simply converted a whole packet to a Snort rule, you'd probably
> never pick up another match, because you'd be looking for identical
> source and destination ports, sequence numbers, etc., which change each
> time for most rules. In a handful of other cases, it's the sequence
> number that is important, because of the way the exploit is written.
>
> Ryan
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
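Ryan's point in the quoted reply, that a rule built from every field of a captured packet pins the source port and the sequence and acknowledgement numbers and so never fires again, can be shown with the script below. It is an added example written for this archive page, not code from the thread or from the Snort project. It builds two constructed IPv4/TCP packets carrying the same made-up request string from two different clients, generates a "naive" rule that copies every header field and the whole payload, and generates a "curated" rule that keeps only what an analyst chose (server port, PSH/ACK flags, the signature bytes). The rule_matches() function is a small matcher for the subset of Snort rule syntax the script itself emits, not Snort's detection engine, and it treats any, $EXTERNAL_NET and $HOME_NET as match-all; that treatment, the addresses and the request string are assumptions of the example.

```python
"""Naive packet-to-rule conversion versus a human-curated Snort rule.

Added example for this archive page, not code from the thread or the Snort
project.  All packets, addresses and the request string are constructed."""
import re
import socket
import struct

# TCP flag letters as Snort's flags: option spells them
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
WILDCARDS = {"any", "$EXTERNAL_NET", "$HOME_NET"}  # assumption: treated as match-all here


def build_packet(src, dst, sport, dport, seq, ack, flags, payload):
    """Minimal IPv4+TCP frame; checksums are left zero (constructed test data)."""
    bits = sum(TCP_FLAG_BITS[f] for f in flags)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, bits, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """Pull out every field a rule generator could pin: addresses, ports, seq/ack, flags, payload."""
    ihl = (raw[0] & 0x0F) * 4
    sport, dport, seq, ack, off, bits = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    flags = "".join(k for k, v in TCP_FLAG_BITS.items() if bits & v)
    return {"src": socket.inet_ntoa(raw[12:16]), "dst": socket.inet_ntoa(raw[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "payload": raw[ihl + (off >> 4) * 4:]}


def naive_rule(pkt, sid):
    """The 'convert the whole packet' rule: every header value and the full payload as hex."""
    hexpay = " ".join(f"{b:02X}" for b in pkt["payload"])
    return (f'alert tcp {pkt["src"]} {pkt["sport"]} -> {pkt["dst"]} {pkt["dport"]} '
            f'(msg:"naive packet copy"; flags:{pkt["flags"]}; seq:{pkt["seq"]}; '
            f'ack:{pkt["ack"]}; content:"|{hexpay}|"; sid:{sid}; rev:1;)')


def curated_rule(pkt, content, sid):
    """What an analyst keeps: protocol, server port, data-bearing flags and the chosen bytes."""
    return (f'alert tcp $EXTERNAL_NET any -> $HOME_NET {pkt["dport"]} '
            f'(msg:"curated signature"; flags:PA; content:"{content}"; sid:{sid}; rev:1;)')


def decode_content(text):
    """Expand Snort content syntax: literal text with |hex bytes| sections."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def rule_matches(rule, pkt):
    """Tiny matcher for the rule subset emitted above (not Snort's engine)."""
    header, opts = rule.split("(", 1)
    _action, _proto, src, sport, _arrow, dst, dport = header.split()
    for want, have in ((src, pkt["src"]), (dst, pkt["dst"])):
        if want not in WILDCARDS and want != have:
            return False
    for want, have in ((sport, pkt["sport"]), (dport, pkt["dport"])):
        if want not in WILDCARDS and int(want) != have:
            return False
    for key, val in re.findall(r'(\w+):("[^"]*"|[^;]*);', opts):
        if key == "flags" and set(val) != set(pkt["flags"]):
            return False
        if key in ("seq", "ack") and int(val) != pkt[key]:
            return False
        if key == "content" and decode_content(val.strip('"')) not in pkt["payload"]:
            return False
    return True


def demo():
    """Constructed scenario: the captured attack, then the same request from another client."""
    request = b"GET /example-attack-string HTTP/1.0\r\n"
    captured = parse_packet(build_packet("198.51.100.7", "192.0.2.10", 40123, 80,
                                         0x1A2B3C4D, 0x0BADF00D, "PA", request))
    later = parse_packet(build_packet("203.0.113.9", "192.0.2.10", 51877, 80,
                                      0x7777AAAA, 0x12345678, "PA", request + b"Host: x\r\n"))
    naive = naive_rule(captured, 1000001)
    curated = curated_rule(captured, "GET /example-attack-string", 1000002)
    return {"naive_on_captured": rule_matches(naive, captured),
            "naive_on_later": rule_matches(naive, later),      # ports and seq/ack differ
            "curated_on_captured": rule_matches(curated, captured),
            "curated_on_later": rule_matches(curated, later)}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Running the script shows the naive rule alerting only on the exact packet it was generated from, while the curated rule alerts on both connections. The seq: and ack: keywords are emitted only by the naive generator here; Ryan's remaining case, an exploit where the sequence number itself is the signature, is exactly the decision a human still has to make before keeping those options in a rule.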
Current thread:
- Snort is too quiet! sirikanya (Jan 21)
- Re: Snort is too quiet! Guillaume (Jan 21)
- Re: Snort is too quiet! sirikanya (Jan 21)
- Re: Snort is too quiet! Guillaume (Jan 21)
- Re: Snort is too quiet! sirikanya (Jan 23)
- Re: Snort is too quiet! Guillaume (Jan 24)
- generating snort rules automatically Charles (Jan 24)
- Re: generating snort rules automatically Ryan Russell (Jan 24)
- Re: generating snort rules automatically Charles (Jan 24)
- Re: generating snort rules automatically Ryan Russell (Jan 24)
- Re: generating snort rules automatically Charles (Jan 24)
- Re: Snort is too quiet! Guillaume (Jan 24)
- Does snort only work in real time mode? Charles (Jan 24)
- Re: Does snort only work in real time mode? Erek Adams (Jan 24)
- Re: Does snort only work in real time mode? Charles (Jan 24)
- Re: Does snort only work in real time mode? Ryan Russell (Jan 24)
- Re: generating snort rules automatically Matt Kettler (Jan 24)