Re: snort signature analysis tools

[Chris Green <cmgreen () uab edu>]

On 1/14/05 9:58 AM, "Hazel, Scott A." <Scott.Hazel () unisys com> wrote:

> When you talk about intersecting rules, what data would you like to see
> intersecting? I speculate the critical information would be port/protocol
> info as well as payload string matches.  A simple example is to find all
> rules that monitor port 80 or look for "package.exe" in the packet data.

Back when I worked on snort, I *really* wished I had something like this.
It's a bit more complicated grep but it is about finding relations.

For example, you need to know that

  alert ip any any -> any any () will match all the rules that alert tcp any
any -> any any () will do.. Same goes for ports, and subsets of IPs.

You'd also need to do the simple substring searches ("cmd.exe" will be set
off by "weathercmd.exe").

You'd also like to know that uricontent:" " and content:"%20"
byte_test:"xxx=42" (forgot what the real syntax was) might overlap.

It's non-trivial to write such an application but I think it would make a
really good project for a Comp Sci person since being able to group the
rules into overlaps would be right on the boundary of IDS performance
grouping without the need for expensive testing hardware.

Cheers,
Chris


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------