IDS mailing list archives

Re: Intrusion Detection Evaluation Datasets


From: Seth Hall <hall.692 () osu edu>
Date: Thu, 19 Mar 2009 12:45:13 -0400


On Mar 19, 2009, at 11:15 AM, Ravi Chunduru wrote:

> There should
> be some solution like web application firewalls do - deep packet
> inspection and protocol parsing.


That's exactly how Bro works and I've been occasionally examining various open source web application firewalls to see if I could use their techniques from an IDS context, but I haven't had time yet to actually write anything beyond my script that uses a regex to catch GET based SQL injections[1]. A couple of extra nifty tricks about Bro in the context of HTTP analysis are that you can detect a number of protocols, including HTTP, on any port (Dynamic Port Detection or DPD[2]). The other is that when Bro encounters gzipped body contents in a session, it will transparently unzip the body and pass along the uncompressed content so that your analysis scripts never even need to know about the compression.

1. http://github.com/sethhall/bro_scripts/blob/91a6a16e96ffbc563ec392d545fe688fee7bfee0/http-ext.bro
2. http://bro-ids.org/wiki/index.php/DynamicProtocolDetection

  .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
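An added example (not from Seth Hall's post or from the Bro project, and written in Python rather than Bro script) illustrating the two points above: deciding that a payload is HTTP from its content rather than the TCP port it arrived on, and removing gzip Content-Encoding before any content matching runs. The HTTP response below is constructed for the demonstration.

```python
import gzip
import re

# Constructed sample body; the response built from it is not real traffic.
PLAIN_BODY = b"<html><body>Hello from the example server</body></html>"

# Request line of any common method; the port is deliberately not consulted.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def looks_like_http_request(payload: bytes) -> bool:
    """Port-agnostic check in the spirit of DPD: classify by content only."""
    return REQUEST_LINE.match(payload) is not None


def build_gzip_response(body: bytes) -> bytes:
    """Assemble an HTTP/1.1 response whose body is gzip-compressed."""
    compressed = gzip.compress(body)
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n"
               b"Content-Length: %d\r\n\r\n" % len(compressed))
    return headers + compressed


def parse_response(raw: bytes):
    """Split a raw response into a header dict (lower-cased names) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def decoded_body(raw: bytes) -> bytes:
    """Return the body as an analysis script should see it: decompressed
    when Content-Encoding says gzip, unchanged otherwise."""
    headers, body = parse_response(raw)
    if headers.get(b"content-encoding", b"").lower() == b"gzip":
        return gzip.decompress(body)
    return body


def body_contains(raw: bytes, needle: bytes) -> bool:
    """Content match that is unaware of compression, as Bro scripts can be."""
    return needle in decoded_body(raw)
```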
