[Snort-sigs] Signatures

Chris Green cmg at ...435...
Thu Mar 21 14:07:31 EST 2002

"Nelson, James (CC-MIS Plans and Prog)" writes:

> This is just an observation and it is for the entire group. I said something
> earlier and nobody gave me any feedback.  
> Why not build rules activate logging but only alert once on a given session?

Thats a TODO.

> The other thought I have is why not build rules that look for certain
> patterns in the RESPONSE that indicate the attempt was successful or that it
> failed? 

There are a few. Check out attack-responses.rules.  The main trouble
is that most responses are VERY exploit specific and we try and write
rules that aren't exploit specific.

> What good are alerts without being able to establish some priority
> to them based on the system's reaction?

We're working on it.  It's a very hard problem though and requires
knowing what the sucessful exploit looks like.  The more popular the
tool , the easier it can be to ID it but 

Back when Code red was the only IIS worm in town, snort got a neat
feature called "tagging".  This allowed me to see the multitude of
response codes that servers would reply to.  Just in my head and
looking over the binary caps I built up some heuristics on what 
successful exploit was and a very shaky foundation on what a
non-vulnerable machine was.

Well, as it turned out, some of those heuristics were completely off
when nimda came aroud ( and woke me up on a vacation day ) and I built
a better set of heuristics in my head.  The trouble is theres SO many
possibilities that false positives and false negatives to detect
responses was worse than the first set...

We're working on fleshing out attack -> / then catching the resposne
on that stream so you can classify popular attacks quickly but
catching the vulnerable app and then having knowledge of the network
is a better way to do it IMO.

Chris Green <cmg at ...435...>
This is my signature. There are many like it but this one is mine.

More information about the Snort-sigs mailing list