IDS mailing list archives

Re: Snort signature packet generator


From: ADT <synfinatic () gmail com>
Date: Tue, 9 Nov 2004 10:59:37 -0800

IMHO, using a scanner such as Nessus would only train a neural network
how to detect a scanner.  Scanners, in general, try not to send actual
exploits because it'll break the target.  Rather, they use non-intrusive
techniques such as banner grabbing to determine if a target is
vulnerable.

As mentioned earlier, Snot/Stick don't do TCP 3-way handshakes and
hence don't generate legit traffic which would be useful to train a
neural net either.  Your best bet is to either get a bunch of
exploits and run them (easy to find, but dangerous if you don't know
what you're doing) or find pcaps of actual exploits and use something
like tcpreplay to train (much harder to find, but safer).

-Aaron
-- 
http://synfin.net


On Mon, 8 Nov 2004 10:30:47 -0500, adam.w.hogan <adam.w.hogan () delphi com> wrote:

There is a program to do just that: Snot [0].  But this strikes me as a very inaccurate way to train a neural 
network.  You would be using purely crafted packets which may or may not appear as an actual attack would.  Snot is 
made to fill up snort logs, and the packets it creates are done purely to trip rules, not appear 100% valid.  Instead 
I would download exploits and scanners like Nessus and use actual attacks to train your neural net.
