[Snort-devel] Proposed Fuzzy Match Feature

Thoplaop T.M.Hesketh-roberts at ...1826...
Thu Apr 24 06:28:03 EDT 2003


Good afternoon,

I'm considering contributing a way to
generate alerts by effectively parsing
snort rules in a "fuzzy" manner.

In other words, an alert would be generated
if, say, all but one of the rule-matching
conditions are met - thus helping to alert
upon variations of attacks already in
existance.

What do the rest of you think of this?
Has this project got the potential to be
useful?  Do you know whether it's been
tried before at all?  (If so, please do
let me know if you know where.)

The obvious down side would include the
number of false positives, however, just
how common are "new attacks that are
variations of old ones"?

This is currently being undertaken as a
Software Engineering Masters project, but
the eventual direction in which it is
heading is yet to be set in stone.

Many thanks in advance for any feedback,

Thop

NB: apologies if you'd seen this mail on
    snort-users list previously - I believe
    it is much more appropriate here.






More information about the Snort-devel mailing list