Snort mailing list archives
Re: generating snort rules automatically
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 24 Jan 2002 13:43:51 -0500
I believe (although I am not 100% certain) that all of the current snort rules are human written, with perhaps the exception of some tools to assist format conversion, assigning SIDs, filling in all the extra bits, etc.
That's why they have a separate snort mailing list devoted to signature development.
In many cases it does not take long to generate a crude signature for a particular new attack/exploit, and a couple rounds of people tweaking it generally leads to a pretty good signature.
It might be possible to write such a tool to automatically generate rules, but I'd venture to guess it would take more development time to get it working *reliably* than the entire set of current snort sigs took. That tool would certainly make snort itself look like a trivial piece of code, even with the various plugins included.
Something more practical might be a tool that took a series of "normal" tcpdump sessions and "diffed" them against an "attack" session, allowing a human to pick the parts of interest, but that would be of pretty limited value. If you've read an announcement for the vulnerability you likely already know what part of a sequence to be looking at, i.e. "xxx mailserver buffer overflow in RCPT TO:" is pretty straightforward.
I've written up a couple quick, crude ones based on announcements myself, and while not pretty, nor the most efficient possible, they aren't very hard. (and I'm just an amateur)
(large numbers of CC's removed, this was getting a bit long for my tastes)

At 11:50 AM 1/24/2002 -0600, Charles wrote:
Generating rules from Tcpdump or other traffic trace data based on some analysis results. Are all the current snort rules written by humans?
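The "diff normal sessions against an attack session" tool sketched in the reply above, as an added Python example that is not part of the original post or of the Snort project. The SMTP session payloads are constructed sample data, not real captures; the tool flags byte regions of the attack payload that never occur in the normal sessions so a human can pick what matters, and then turns the human's pick (a fixed command token plus an argument-length bound) into a crude draft rule. The rule text assumes current Snort 2.x option syntax (flow, content, nocase, isdataat, within), and the sid and msg values are placeholders.

```python
"""Crude "diff normal sessions against an attack session" helper.

Added example, not code from the post or the Snort project. All session
payloads below are constructed sample data, not real captures.
"""
from __future__ import annotations

# Constructed benign SMTP client payloads (what a few "normal" tcpdump
# sessions might contain).
NORMAL_SESSIONS: list[bytes] = [
    b"HELO mail.example.org\r\nMAIL FROM:<alice@example.org>\r\n"
    b"RCPT TO:<bob@example.com>\r\nDATA\r\n",
    b"EHLO relay.example.net\r\nMAIL FROM:<carol@example.net>\r\n"
    b"RCPT TO:<dave@example.com>\r\nDATA\r\n",
]

# Constructed "attack" payload: an oversized RCPT TO argument, the shape an
# announcement such as "xxx mailserver buffer overflow in RCPT TO:" describes.
ATTACK_SESSION: bytes = (
    b"HELO x\r\nMAIL FROM:<x@x.org>\r\nRCPT TO:<"
    + b"A" * 300
    + b"@example.com>\r\nDATA\r\n"
)


def ngram_offsets(data: bytes, n: int) -> dict[bytes, list[int]]:
    """Map every length-n byte string in data to the offsets where it occurs."""
    out: dict[bytes, list[int]] = {}
    for i in range(len(data) - n + 1):
        out.setdefault(data[i:i + n], []).append(i)
    return out


def distinguishing_spans(attack: bytes, normals: list[bytes], n: int = 8) -> list[tuple[int, int]]:
    """(start, end) offsets of the maximal regions of `attack` built only from
    n-grams that occur in none of the normal sessions: the candidate parts a
    human would look at before hand-writing a signature."""
    seen_normal: set[bytes] = set()
    for payload in normals:
        seen_normal.update(ngram_offsets(payload, n))
    flagged = sorted(
        off
        for gram, offs in ngram_offsets(attack, n).items()
        if gram not in seen_normal
        for off in offs
    )
    spans: list[tuple[int, int]] = []
    for off in flagged:
        if spans and off <= spans[-1][1]:      # touches the previous region: extend it
            spans[-1] = (spans[-1][0], off + n)
        else:
            spans.append((off, off + n))
    return spans


def describe_span(attack: bytes, span: tuple[int, int]) -> str:
    """Human-readable summary; long regions are abbreviated to head and tail."""
    start, end = span
    chunk = attack[start:end]
    if len(chunk) <= 32:
        body = repr(chunk)
    else:
        body = f"{chunk[:14]!r} ... {chunk[-14:]!r} ({len(chunk)} bytes)"
    return f"offset {start}-{end}: {body}"


def draft_rule(anchor: bytes, max_arg_len: int, sid: int, msg: str) -> str:
    """Turn the human's pick into a crude Snort rule: the token must be followed
    by at least max_arg_len bytes with no line feed among them. Assumes Snort
    2.x option syntax (flow, content, nocase, isdataat, within); the sid and
    msg are placeholders chosen by the caller."""
    hex_anchor = anchor.hex(" ").upper()   # e.g. |52 43 50 54 20 54 4F 3A|
    return (
        f'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"{msg}"; '
        f'flow:to_server,established; content:"|{hex_anchor}|"; nocase; '
        f'isdataat:{max_arg_len},relative; content:!"|0A|"; within:{max_arg_len}; '
        f'classtype:attempted-admin; sid:{sid}; rev:1;)'
    )


def crude_match(payload: bytes, anchor: bytes, max_arg_len: int) -> bool:
    """Python stand-in for the draft rule's logic, used to sanity-check it
    against the sample sessions (checks only the first anchor occurrence)."""
    idx = payload.lower().find(anchor.lower())
    if idx < 0:
        return False
    tail = payload[idx + len(anchor): idx + len(anchor) + max_arg_len]
    return len(tail) >= max_arg_len and b"\n" not in tail


if __name__ == "__main__":
    for span in distinguishing_spans(ATTACK_SESSION, NORMAL_SESSIONS):
        print(describe_span(ATTACK_SESSION, span))
    rule = draft_rule(b"RCPT TO:", 300, 1000001, "SMTP RCPT TO overflow attempt (draft)")
    print(rule)
    print("attack matches:", crude_match(ATTACK_SESSION, b"RCPT TO:", 300))
    print("normal matches:", [crude_match(s, b"RCPT TO:", 300) for s in NORMAL_SESSIONS])
```

Run as a script it prints the flagged regions (the unfamiliar HELO/MAIL FROM values and the long RCPT TO argument), the draft rule, and a check that the draft fires on the attack payload but on neither normal session. The flagged regions illustrate the limit the reply points out: anything merely unusual in the attack session (here the sender address) is flagged alongside the real overflow, so a human still has to choose the anchor and the length threshold.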