Snort mailing list archives

Re: generating snort rules automatically


From: Charles <quanxing () Eng Auburn EDU>
Date: Thu, 24 Jan 2002 13:40:37 -0600 (CST)

Thank you very much!

charles

On Thu, 24 Jan 2002, Ryan Russell wrote:

On Thu, 24 Jan 2002, Charles wrote:

Generating rules from Tcpdump or other traffic trace data based on some
analysis results. Are all the current snort rules written by humans?

I believe every one of them was written by a human, albeit some with a
cut-and-paste, I'm sure.  Even with a TCPDump file to help, someone still
has to decide which parts are the problem.  For example, which portion of
the TCP data to use, which TCP flags go with it, whether the port numbers
are important, etc.  Snort is capable of checking for pretty much every
piece of a header, so if you simply converted a whole packet to a Snort
rule, you'd probably never pick up another match, because you'd be
looking for identical source and destination ports, sequence numbers,
etc., which change each time for most rules.  In a handful of other cases,
it's the sequence number that is important, because of the way the exploit
is written.

                                      Ryan
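Ryan's point above, as an added illustration that is not part of this thread or of Snort's own code: a rule that copies every header field of one captured packet (source port, sequence and acknowledgement numbers) will match that packet and nothing else, while a rule that keeps only the fields an analyst judged invariant (protocol, destination port, flags, a content fragment) fires again on the next instance of the same traffic and stays quiet on unrelated requests. The packet records, the tiny rule-dict matcher and the sid value are all constructed for this example; the rendered text follows Snort's rule syntax (flags, seq, ack, content keywords) but the matcher is a toy, not Snort's detection engine.

```python
"""Why a whole-packet rule rarely fires twice: naive vs. analyst-selected fields.

Everything here is a constructed illustration; the Packet records model only a
handful of header fields, and `matches` is a toy matcher, not Snort itself.
"""
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    flags: str      # TCP flag letters in Snort's notation, e.g. "PA" = PSH+ACK
    seq: int
    ack: int
    payload: bytes


# Constructed samples: two requests from the same hypothetical probe and one
# ordinary request.  Ephemeral ports and sequence numbers differ per connection.
SAMPLE_A = Packet("tcp", 40213, 80, "PA", 0x1A2B3C4D, 0x0BADF00D,
                  b"GET /cgi-bin/example.cgi?x=AAAA HTTP/1.0")
SAMPLE_B = Packet("tcp", 51877, 80, "PA", 0x7E7E7E7E, 0x12345678,
                  b"GET /cgi-bin/example.cgi?x=BBBB HTTP/1.0")
BENIGN = Packet("tcp", 33000, 80, "PA", 0x01020304, 0x05060708,
                b"GET /index.html HTTP/1.0")


def naive_rule(pkt: Packet) -> dict:
    """Copy every field of one packet verbatim (the approach the post argues against)."""
    return {
        "proto": pkt.proto, "src_port": pkt.src_port, "dst_port": pkt.dst_port,
        "flags": pkt.flags, "seq": pkt.seq, "ack": pkt.ack, "content": pkt.payload,
    }


def selective_rule(pkt: Packet, content: bytes) -> dict:
    """Keep only what the analyst decided is invariant: proto, dst port, flags, a content fragment."""
    return {"proto": pkt.proto, "dst_port": pkt.dst_port,
            "flags": pkt.flags, "content": content}


def matches(rule: dict, pkt: Packet) -> bool:
    """Toy matcher: every header field in the rule must be equal, content must be a substring."""
    for key, want in rule.items():
        if key == "content":
            if want not in pkt.payload:
                return False
        elif getattr(pkt, key) != want:
            return False
    return True


def render(rule: dict, msg: str, sid: int) -> str:
    """Render a rule dict in Snort's text syntax; sid is a placeholder chosen for the example."""
    src_port = rule.get("src_port", "any")
    opts = [f'msg:"{msg}"', f"flags:{rule['flags']}"]
    if "seq" in rule:
        opts.append(f"seq:{rule['seq']}")
    if "ack" in rule:
        opts.append(f"ack:{rule['ack']}")
    opts.append(f'content:"{rule["content"].decode("ascii")}"')
    opts.append(f"sid:{sid}")
    return (f"alert {rule['proto']} any {src_port} -> any {rule['dst_port']} "
            f"({'; '.join(opts)};)")


def compare() -> dict:
    """Run both rule styles against the three packets and report which ones fire."""
    naive = naive_rule(SAMPLE_A)
    chosen = selective_rule(SAMPLE_A, b"/cgi-bin/example.cgi")
    return {
        "naive": [matches(naive, p) for p in (SAMPLE_A, SAMPLE_B, BENIGN)],
        "selective": [matches(chosen, p) for p in (SAMPLE_A, SAMPLE_B, BENIGN)],
        "naive_text": render(naive, "whole-packet copy", 1000001),
        "selective_text": render(chosen, "analyst-selected fields", 1000002),
    }


if __name__ == "__main__":
    result = compare()
    for name in ("naive", "selective"):
        print(f"{name:9s} A/B/benign -> {result[name]}")
        print("  ", result[name + "_text"])
```

Running it shows the naive rule firing only on the packet it was copied from (True, False, False) and the selective rule firing on both instances of the probe but not on the benign request (True, True, False); the rendered naive rule carries `seq:` and `ack:` options and a fixed source port, which is exactly what pins it to a single connection.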



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

