[Snort-devel] Proposed Fuzzy Match Feature
cmg at ...402...
Mon Apr 28 06:03:05 EDT 2003
Thoplaop <T.M.Hesketh-roberts at ...1826...> writes:
> Good afternoon,
> I'm considering contributing a way to generate alerts by effectively
> parsing snort rules in a "fuzzy" manner.
> In other words, an alert would be generated if, say, all but one of
> the rule-matching conditions are met - thus helping to alert upon
> variations of attacks already in existence.
> What do the rest of you think of this? Has this project got the
> potential to be useful? Do you know whether it's been tried before at
> all? (If so, please do let me know if you know where.)
If you want quick research, just do all your permutations with a perl
script and throw it on a real (50+ users) network.
I have a feeling that the dramatic increase in false positives will
outweigh any good use since most signatures look for a single
Chris Green <cmg at ...402...>
You now have 14 minutes to reach minimum safe distance.
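As an added example (not code from this thread, and written in Python rather than the Perl Chris suggests), the script below takes a constructed Snort rule and emits the "all but one" variants the proposal would alert on: every way of dropping one matching condition while keeping the rule's bookkeeping options. Which option keywords count as a matching condition, and the sid renumbering scheme, are assumptions of the example.

```python
import itertools
import re

# Constructed sample rule for illustration (not a rule from the thread or from Snort's rule set).
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-MISC fuzzy example"; flow:to_server,established; '
    'content:"GET"; nocase; content:"/cgi-bin/"; content:"|00|"; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Option keywords that each express one matching condition (assumed set; candidates to relax).
MATCH_OPTIONS = {"content", "uricontent", "pcre", "flow", "flags", "dsize", "ttl"}
# Modifiers that qualify the preceding content match and are dropped together with it.
CONTENT_MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "rawbytes"}

def split_rule(rule):
    """Return (header, [options]); a ';' inside a quoted content string is not a separator."""
    header, body = re.match(r'^(.*?)\s*\((.*)\)\s*$', rule).groups()
    parts = re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', body)  # split only outside quotes
    return header, [p.strip() for p in parts if p.strip()]

def group_conditions(opts):
    """Return index groups, one per matching condition (a content match plus its modifiers)."""
    conds = []
    for i, o in enumerate(opts):
        kw = o.split(':', 1)[0].strip()
        if kw in CONTENT_MODIFIERS and conds:
            conds[-1].append(i)          # modifier belongs to the previous match
        elif kw in MATCH_OPTIONS:
            conds.append([i])
    return conds

def fuzzy_variants(rule, relax=1):
    """Return one relaxed rule per way of dropping `relax` conditions, each with a fresh sid."""
    header, opts = split_rule(rule)
    conds = group_conditions(opts)
    variants = []
    for n, combo in enumerate(itertools.combinations(conds, relax), start=1):
        dropped = {i for c in combo for i in c}
        kept = [o for i, o in enumerate(opts) if i not in dropped]
        body = '; '.join(kept) + ';'
        body = re.sub(r'sid:(\d+)', lambda m: f'sid:{int(m.group(1)) * 100 + n}', body)
        variants.append(f'{header} ({body})')
    return variants

if __name__ == "__main__":
    for v in fuzzy_variants(SAMPLE_RULE):
        print(v)
```

With n conditions, relax=1 yields n looser rules and relax=2 yields n(n-1)/2, each matching strictly more traffic than the original; that growth is the false-positive cost the reply points at.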