[Snort-devel] Proposed Fuzzy Match Feature

Chris Green cmg at ...402...
Mon Apr 28 06:03:05 EDT 2003


Thoplaop <T.M.Hesketh-roberts at ...1826...> writes:

> Good afternoon,
>
> I'm considering contributing a way to generate alerts by effectively
> parsing snort rules in a "fuzzy" manner.
>
> In other words, an alert would be generated if, say, all but one of
> the rule-matching conditions are met - thus helping to alert upon
> variations of attacks already in existence.
>
> What do the rest of you think of this?  Has this project got the
> potential to be useful?  Do you know whether it's been tried before at
> all?  (If so, please do let me know if you know where.)


If you want quick research, just do all your permutations with a perl
script and throw it on a real (50+ users) network.

I have a feeling that the dramatic increase in false positives will
outweigh any good use since most signatures look for a single
unique characteristic.
-- 
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
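
The "do all your permutations with a script" experiment, as an added example (in Python rather than Perl; this is not code from the thread or from the Snort project). It takes one Snort rule, splits its option list, groups the detection options into droppable units (a content/uricontent/pcre plus the modifiers that follow it, or a standalone option such as flow or dsize), and emits one "all but one" variant per unit with a fresh sid and an annotated msg so the alerts can be counted per variant on a real network. Rules with only one detection unit produce no variants, which is exactly the "single unique characteristic" case raised above. The sample rule, the option tables and the sid base are constructed for the example.

```python
"""Generate 'all-but-one' fuzzy variants of a Snort rule (example code)."""
import re

# Options that constrain the packet; dropping one loosens the rule.
# Everything else (msg, sid, rev, classtype, reference, ...) is bookkeeping
# and is kept in every variant. List chosen for the example, not exhaustive.
DETECTION_OPTIONS = {
    "content", "uricontent", "pcre", "flow", "flags", "dsize", "ttl",
    "byte_test", "byte_jump", "isdataat", "depth", "offset", "within",
    "distance", "nocase", "itype", "icode", "fragbits", "ipopts", "id",
}
# Modifiers that attach to the preceding content; they go with it when dropped.
CONTENT_MODIFIERS = {"depth", "offset", "within", "distance", "nocase", "rawbytes"}
ANCHORS = {"content", "uricontent", "pcre"}


def split_rule(rule):
    """Return (header, [raw option strings]) for one single-line Snort rule.
    Semicolons inside double quotes (and backslash-escaped characters) do not
    terminate an option."""
    m = re.match(r"^\s*(.*?)\s*\((.*)\)\s*$", rule.strip(), re.S)
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    header, body = m.group(1), m.group(2)
    opts, cur, in_quote, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            cur.append(ch)
            esc = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opt = "".join(cur).strip()
            if opt:
                opts.append(opt)
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return header, opts


def option_name(opt):
    """'content:"foo"' -> 'content'; 'nocase' -> 'nocase'."""
    return opt.split(":", 1)[0].strip()


def detection_units(opts):
    """Group option indices into droppable units."""
    units = []
    for i, opt in enumerate(opts):
        name = option_name(opt)
        if name in CONTENT_MODIFIERS and units and units[-1]["anchored"]:
            units[-1]["idx"].append(i)          # modifier rides with its content
        elif name in DETECTION_OPTIONS:
            units.append({"idx": [i], "anchored": name in ANCHORS})
    return [u["idx"] for u in units]


def fuzzy_variants(rule, sid_base):
    """One rule per detection unit, each with that unit removed.
    Returns [] when the rule has fewer than two units: nothing to relax."""
    header, opts = split_rule(rule)
    units = detection_units(opts)
    if len(units) < 2:
        return []
    variants = []
    for n, drop in enumerate(units):
        dropped = ", ".join(opts[i] for i in drop).replace('"', "'")
        new_opts = []
        for i, opt in enumerate(opts):
            if i in drop:
                continue
            name = option_name(opt)
            if name == "msg":                   # tag the alert with what was relaxed
                opt = opt[:-1] + ' [fuzzy: without %s]"' % dropped
            elif name == "sid":                 # each variant needs its own sid
                opt = "sid:%d" % (sid_base + n)
            new_opts.append(opt)
        variants.append("%s (%s;)" % (header, "; ".join(new_opts)))
    return variants


# Constructed sample rule for the example (not from the Snort rule set).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI test access"; '
    'flow:to_server,established; uricontent:"/cgi-bin/test-cgi"; nocase; '
    'content:"|00|"; classtype:web-application-attack; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for v in fuzzy_variants(SAMPLE_RULE, 2000000):
        print(v)
```

Write the output to a rules file, run it alongside the original rule on live traffic, and count alerts per sid: the ratio of fuzzy hits to original hits for each variant is the false-positive cost of relaxing that particular condition.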
