[Snort-devel] Proposed Fuzzy Match Feature

Chris Green cmg at ...402...
Mon Apr 28 06:03:05 EDT 2003

Thoplaop <T.M.Hesketh-roberts at ...1826...> writes:

> Good afternoon,
> I'm considering contributing a way to generate alerts by effectively
> parsing snort rules in a "fuzzy" manner.
> In other words, an alert would be generated if, say, all but one of
> the rule-matching conditions are met - thus helping to alert upon
> variations of attacks already in existence.
> What do the rest of you think of this?  Has this project got the
> potential to be useful?  Do you know whether it's been tried before at
> all?  (If so, please do let me know if you know where.)

If you want quick research, just do all your permutations with a perl
script and throw it on a real (50+ users) network.

I have a feeling that the dramatic increase in false positives will
outweigh any good use since most signatures look for a single
unique characteristic.

Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
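The two ideas in this thread, the "all but one" matcher from the proposal and Chris's suggestion to enumerate the permutations of a rule and watch the alert rate, can be tried in a few dozen lines. The script below is an added illustration written for this archive page, not code from the thread, from Snort, or from the Snort rule parser: it uses Python rather than the Perl script Chris suggests, understands only a simplified rule body consisting of `content:"..."` options, and runs over a handful of constructed HTTP payloads (one attack, one evading variation, three benign requests). The rule text and the payloads are invented for the example.

```python
"""Leave-one-out ("fuzzy") rule matching, as a toy simulation.

Added example: this is not Snort code and not the thread's own script.
The rule syntax is a simplified subset (only content:"..." options are
parsed) and the payloads are constructed for this example.
"""
import itertools
import re

# Constructed toy rule.  The only token that really separates an attack
# from ordinary CGI traffic is "../"; the other two describe normal requests.
TOY_RULE = ('alert tcp any any -> any 80 (msg:"toy traversal probe"; '
            'content:"GET "; content:"/cgi-bin/"; content:"../";)')

# Constructed sample payloads.  Only index 0 is the attack the rule was
# written for; index 1 is a variation that dodges the literal "../";
# indices 2-4 are benign requests.
SAMPLE_PAYLOADS = [
    b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n",        # 0: exact attack
    b"GET /cgi-bin/..%2f..%2fetc/passwd HTTP/1.0\r\n",    # 1: encoded variation
    b"GET /cgi-bin/search.pl?q=snort HTTP/1.0\r\n",       # 2: benign CGI request
    b"GET /index.html HTTP/1.0\r\n",                      # 3: benign static page
    b"POST /cgi-bin/upload.pl HTTP/1.0\r\n",              # 4: benign, no GET
]


def parse_contents(rule_text):
    """Extract the literal content:"..." strings from a simplified rule body."""
    return re.findall(r'content:"([^"]*)"', rule_text)


def loosened_variants(contents, drop=1):
    """Yield every way of keeping all but `drop` of the rule's conditions.

    drop=1 is the "all but one" matcher from the proposal; drop=0 is the
    exact rule.  Dropping every condition leaves one empty variant that
    matches any payload, which is the degenerate end of the same idea.
    """
    keep = max(len(contents) - drop, 0)
    for combo in itertools.combinations(contents, keep):
        yield combo


def matches_all(payload, contents):
    """True if every content string appears somewhere in the payload bytes."""
    return all(c.encode() in payload for c in contents)


def fuzzy_matches(payload, contents, drop=1):
    """Return the loosened variants (tuples of content strings) the payload satisfies."""
    return [v for v in loosened_variants(contents, drop) if matches_all(payload, v)]


def evaluate(rule_text, payloads, drop=1):
    """Compare exact and leave-`drop`-out matching over a list of payloads.

    Returns {"exact": [payload indices], "fuzzy": [payload indices]} so the
    extra alerts produced by the fuzzy matcher are easy to count.
    """
    contents = parse_contents(rule_text)
    exact = [i for i, p in enumerate(payloads) if matches_all(p, contents)]
    fuzzy = [i for i, p in enumerate(payloads) if fuzzy_matches(p, contents, drop)]
    return {"exact": exact, "fuzzy": fuzzy}


if __name__ == "__main__":
    contents = parse_contents(TOY_RULE)
    result = evaluate(TOY_RULE, SAMPLE_PAYLOADS)
    print("exact rule alerts on payloads:      ", result["exact"])
    print("all-but-one rule alerts on payloads:", result["fuzzy"])
    for i in result["fuzzy"]:
        print(i, SAMPLE_PAYLOADS[i], fuzzy_matches(SAMPLE_PAYLOADS[i], contents))
```

On these five payloads the exact rule fires once (the real attack), while the all-but-one matcher fires three times: it does catch the encoded variation, but it also alerts on the ordinary `search.pl` request, because the variant that drops `../` is just "a GET to /cgi-bin/". That is the effect Chris predicts: once the one distinguishing token is optional, what remains describes normal traffic. Replacing `SAMPLE_PAYLOADS` with a capture from a real network, as the reply suggests, is the quickest way to see how bad the ratio gets.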
