IDS mailing list archives

Re: Automated IDS Signature Generator?


From: Christian Kreibich <christian () whoop org>
Date: 23 Jun 2003 04:16:02 +0100

Hi,

On Tue, 2003-06-17 at 23:34, quakeroats () hushmail com wrote:
> IDS Folk,
> 
> Is there a utility/function/program that automatically generates an IDS 
> signature based on a recording of a monitored exploit attempt? For 
> example, say the exploit is brought into an isolated lab environment, and 
> we record the whole attack. At the end of the attack, this "thing" spits 
> out automated scripts for any number of IDS solutions. Seems like it 
> would be something that companies like Snort/Symantec/Dragon/etc. might 
> already have, but I've never heard of such a utility.

yup, it's called Honeycomb and was already pointed out by Toby. Sorry
for the slow reply, I've been buried in work.

http://www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeycomb is a system that applies pattern matching and protocol
analysis techniques to traffic going through honeyd[1]. It is an
experimental system that currently is good at detecting invalid traffic
characteristics (Christmas packets etc.) and particularly worms, due to
their relatively large size.

Calling such a system useless is quite naive -- potential applications
abound. The system has created extremely good signatures for the common
worms in my testing, without any hardcoded knowledge of these worms.

People have been using honeypots for a while now to trap spam by running
fake open relays; Honeycomb could be used to look for patterns in spam
to dynamically create spam filters, for example. Niels Provos is
currently working on that.

Certainly it won't prevent new attacks or spot every single oddity on
your network, but that's not the goal. The goal is to create signatures
for things that happen repeatedly, and by looking for such traffic on a
honeypot you get a damn good chance that you're looking at something
malicious.

If you're interested, check out the poster or the slides of the talk on
the site above.

[1] http://niels.xtdnet.nl/honeyd/

-- 
________________________________________________________________________
                                                    http://www.whoop.org
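The pattern-matching half of what the message describes, as an added example that is not Honeycomb's code and not part of the original thread: take several payloads captured on a honeypot, extract the longest byte string they all share, and emit it as a Snort content rule. The longest-common-substring approach, the constructed HTTP probe payloads, the function names and the rule SID are all assumptions made for this example; the message itself says only "pattern matching and protocol analysis techniques", and the protocol-analysis side is not modelled here.

```python
"""
Added example (not Honeycomb's code): Honeycomb-style signature generation.
Given payloads that repeatedly hit a honeypot, find the longest byte string
common to all of them and turn it into a Snort content rule.
"""
from typing import Optional, Sequence


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Classic O(len(a)*len(b)) dynamic-programming LCS over raw bytes.
    Honeypot payloads are small, so the quadratic cost is acceptable."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i  # best_end is exclusive
        prev = cur
    return a[best_end - best_len:best_end]


def common_pattern(payloads: Sequence[bytes]) -> bytes:
    """Fold the LCS across all payloads. The result is a substring of every
    payload (though not necessarily the longest such string); empty means
    the flows share nothing usable."""
    if not payloads:
        return b""
    pattern = payloads[0]
    for p in payloads[1:]:
        pattern = longest_common_substring(pattern, p)
        if not pattern:
            break
    return pattern


def snort_content(pattern: bytes) -> str:
    """Render bytes in Snort content syntax: printable characters verbatim,
    anything else (and Snort's own special characters) as |hex| escapes."""
    parts, hexrun = [], []
    for byte in pattern:
        if 32 <= byte < 127 and chr(byte) not in '"|;\\':
            if hexrun:
                parts.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            parts.append(chr(byte))
        else:
            hexrun.append(f"{byte:02X}")
    if hexrun:
        parts.append("|" + " ".join(hexrun) + "|")
    return "".join(parts)


def make_rule(payloads: Sequence[bytes], proto: str, dport: int,
              sid: int, min_len: int = 8) -> Optional[str]:
    """Emit a Snort rule, or None when the shared pattern is too short to be
    anything but a false-positive generator (min_len is a judgement call)."""
    pattern = common_pattern(payloads)
    if len(pattern) < min_len:
        return None
    return (f'alert {proto} any any -> any {dport} '
            f'(msg:"Honeycomb-style auto signature"; '
            f'flow:to_server,established; '
            f'content:"{snort_content(pattern)}"; '
            f'sid:{sid}; rev:1;)')


# Constructed sample input: three probes of the same fake CGI path seen by a
# honeypot from different sources. Only the Host and User-Agent values vary.
SAMPLE_PAYLOADS = [
    b"GET /cgi-bin/probe.cgi?x=" + b"A" * 12 + b"\x90\x90\x90\x90 HTTP/1.0\r\n"
    b"Host: 10.0.0.1\r\nUser-Agent: a\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?x=" + b"A" * 12 + b"\x90\x90\x90\x90 HTTP/1.0\r\n"
    b"Host: 10.0.0.2\r\nUser-Agent: bb\r\n\r\n",
    b"GET /cgi-bin/probe.cgi?x=" + b"A" * 12 + b"\x90\x90\x90\x90 HTTP/1.0\r\n"
    b"Host: 203.0.113.7\r\nUser-Agent: ccc\r\n\r\n",
]

if __name__ == "__main__":
    print(make_rule(SAMPLE_PAYLOADS, "tcp", 80, 1000001))
```

On the sample input the shared string runs from the request line through `\r\nHost: ` and stops where the addresses diverge; the trailing `\r\nHost: ` is protocol boilerplate that pure byte matching drags along, which is the kind of thing the protocol-analysis side of a system like Honeycomb exists to handle. The `min_len` floor matters in practice: two unrelated flows will almost always share a few bytes, and a rule built from them would fire on everything.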

