IDS mailing list archives
Re: Intrusion Detection Evaluation Datasets
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 19 Mar 2009 14:45:39 -0400
Hi Damiano,

I didn't say it was easy, I said it was possible. :) The reason we have rules in the first place is so that you don't have to write raw C code to detect things, and that's a Good Thing as far as most people are concerned. The point I was making is that Snort *can* detect anything you want it to; we've built flexibility and extensibility into it from day one. It may be a little ugly, but the capability is there.

That said, I prefer that people use the rule language where possible because it's harder to get yourself in trouble with. Getting formalized rule primitives in place to do some of these things takes a while though, and rule creation can be a near real-time necessity. That's why things like .so rules exist, so users (and Sourcefire) can provide coverage beyond the capabilities of the detection engine and the rules language.

Marty

On Thu, Mar 19, 2009 at 5:06 AM, Damiano Bolzoni <damiano.bolzoni () utwente nl> wrote:
> On 19/03/2009 1.49, Martin Roesch wrote:
> > You guys do know that anything you can't do in the Snort rules language natively can be done using .so rules, right? Write your rules in C, store data statefully within Snort, manipulate things like flowbits that other rules can reference, pretty much anything you care to do in C. The only thing you can't do with it is generate pseudopackets for other subsystems to analyze.
>
> Marty, .so rules offer indeed a high degree of personalization. However, you need to know what you're doing... it's C code, and we all know what that means. I would like to see a "neater" way to do that, with something more similar to "normal" Snort rules. I know there is a price to pay for this: I won't be able to push the analysis as deep as with a .so rule. But I believe a user would prefer the rule to the C code... perhaps I'm wrong :)
>
> --
> Damiano Bolzoni
> damiano.bolzoni () utwente nl
> Homepage http://dies.ewi.utwente.nl/~bolzonid/
> PGP public key http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
> Skype ID: damiano.bolzoni () utwente nl
> Distributed and Embedded Security Group - University of Twente
> P.O. Box 217, 7500AE Enschede, The Netherlands
> Phone +31 53 4892477  Mobile +31 629 008724
> ZILVERLING building, room 3013
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
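As an added illustration (not part of the thread and not Sourcefire's code): the stateful, flowbits-based detection Marty refers to, written in the plain rules language Damiano prefers rather than as a .so rule. The FTP port, rule messages, flowbit name and SIDs are assumed values chosen for the example.

```snort
# Added example: two-stage stateful detection with flowbits.
# Rule 1 records state on the flow without alerting; rule 2 alerts
# only once that state has been set on the same session.
# Port 21 (FTP), the flowbit name and the SIDs are assumed values.

# Stage 1: remember that this FTP session logged in as "anonymous".
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"FTP anonymous login seen (state only, no alert)"; \
    flow:to_server,established; \
    content:"USER"; nocase; \
    content:"anonymous"; nocase; distance:0; \
    flowbits:set,ftp.anon_login; \
    flowbits:noalert; \
    sid:1000001; rev:1; )

# Stage 2: alert on an upload attempt, but only inside a flow that
# rule 1 has already marked as an anonymous session.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"FTP STOR attempted in anonymous session"; \
    flow:to_server,established; \
    content:"STOR"; nocase; \
    flowbits:isset,ftp.anon_login; \
    sid:1000002; rev:1; )
```

A STOR on a session that never set the flowbit produces no alert, which is the cross-rule state sharing that would otherwise need C in a .so rule.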