[Snort-users] generating snort rules automatically

Ryan Russell ryan at ...35...
Thu Jan 24 10:46:04 EST 2002

On Thu, 24 Jan 2002, Charles wrote:

> Generating rules from Tcpdump or other traffic trace data based on some
> analysis results. Are all the current snort rules written by humans?

I believe every one of them was written by a human, albeit some with a
cut-and-paste, I'm sure.  Even with a TCPDump file to help, someone still
has to decide which parts are the problem.  For example, which portion of
the TCP data to use, which TCP flags go with it, whether the port numbers
are important, etc..Snort is capable of checking for pretty much every
piece of a header, so if you simply converted a whole packet to a Snort
rule, you'd probabaly never pick up another match, because you'd be
looking for identical source and destination ports, sequence numbers,
etc.. which change each time for most rules.  In a handful of other cases,
it's the sequence number that is important, because of the way the exploit
is writen.


More information about the Snort-users mailing list