[Snort-users] generating snort rules automatically

Charles quanxing at ...4668...
Thu Jan 24 11:41:02 EST 2002


Thank you very much!

charles

On Thu, 24 Jan 2002, Ryan Russell wrote:

> On Thu, 24 Jan 2002, Charles wrote:
> 
> > Generating rules from Tcpdump or other traffic trace data based on some
> > analysis results. Are all the current snort rules written by humans?
> 
> I believe every one of them was written by a human, albeit some with a
> cut-and-paste, I'm sure.  Even with a TCPDump file to help, someone still
> has to decide which parts are the problem.  For example, which portion of
> the TCP data to use, which TCP flags go with it, whether the port numbers
> are important, etc. Snort is capable of checking for pretty much every
> piece of a header, so if you simply converted a whole packet to a Snort
> rule, you'd probably never pick up another match, because you'd be
> looking for identical source and destination ports, sequence numbers,
> etc., which change each time for most rules.  In a handful of other cases,
> it's the sequence number that is important, because of the way the exploit
> is written.
> 
> 					Ryan
> 

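Ryan's point above, worked through as an added example (this is not code from the list or from the Snort project): the same constructed HTTP request is sent in two packets that differ only in source address, source port, sequence and acknowledgement numbers. A rule produced by copying every header field from the first packet matches only that packet; the rule a human would write, keeping the destination port, direction, flags and a distinctive payload fragment, matches both. The packet builder, parser, rule emitters, the toy matcher, the addresses and the payload are all assumptions made for this example; only the rule text follows Snort's syntax (the `seq` and `ack` options exist in Snort, which is what makes the naive rule so specific).

```python
"""Added example for the Snort-users thread above; not code from the list
or from the Snort project.  Two constructed packets carry the same made-up
payload.  A rule built by copying every header field from the first packet
fails on the second; a rule keeping only the analyst-chosen parts matches
both.  Packet builder, parser, emitters and the mini matcher are hypothetical
helpers written here; only the rule text follows Snort syntax."""
import re
import socket
import struct

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def build_packet(src, sport, dst, dport, seq, ack, flags, payload):
    """Construct a minimal IPv4+TCP packet (no options; checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload

def parse_packet(pkt):
    """Extract the header fields a rule author has to decide about."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", pkt[ihl:ihl + 14])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": "".join(n for n in "FSRPAU" if flags & FLAG_BITS[n]),
            "payload": pkt[ihl + (off >> 4) * 4:]}

def to_content(data):
    """Render bytes as a Snort content string: printable ASCII, |hex| otherwise."""
    out, hexrun = [], []
    for b in data:
        if 0x20 <= b < 0x7F and chr(b) not in '"|;\\':
            if hexrun:
                out.append("|%s|" % " ".join(hexrun))
                hexrun = []
            out.append(chr(b))
        else:
            hexrun.append("%02X" % b)
    if hexrun:
        out.append("|%s|" % " ".join(hexrun))
    return "".join(out)

def from_content(text):
    """Inverse of to_content; used by the matcher below."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):  # odd-indexed parts are hex runs
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)

def naive_rule(f, sid):
    """The 'whole packet becomes a rule' conversion: every field pinned."""
    return ('alert tcp %s %d -> %s %d (msg:"auto-generated"; flags:%s; seq:%d; ack:%d; '
            'content:"%s"; sid:%d; rev:1;)' % (f["src"], f["sport"], f["dst"], f["dport"],
                                                f["flags"], f["seq"], f["ack"],
                                                to_content(f["payload"]), sid))

def analyst_rule(f, fragment, sid, msg):
    """What a human keeps: service port, direction, flags, the distinctive bytes."""
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET %d (msg:"%s"; flags:%s; '
            'content:"%s"; sid:%d; rev:1;)' % (f["dport"], msg, f["flags"],
                                                to_content(fragment), sid))

RULE_RE = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)$')

def rule_matches(rule, f):
    """Toy matcher for the rule subset emitted above (not Snort's engine)."""
    src, sport, dst, dport, opts = RULE_RE.match(rule).groups()

    def wild(v, actual):  # $VAR and 'any' are treated as wildcards here
        return v.startswith("$") or v == "any" or v == str(actual)

    if not (wild(src, f["src"]) and wild(sport, f["sport"])
            and wild(dst, f["dst"]) and wild(dport, f["dport"])):
        return False
    for key, val in re.findall(r'(\w+):"?([^";]*)"?;', opts):
        if key == "flags" and val != f["flags"]:
            return False
        if key in ("seq", "ack") and int(val) != f[key]:
            return False
        if key == "content" and from_content(val) not in f["payload"]:
            return False
    return True

def demo():
    """Constructed traffic: the same request from two hosts, different ports/seqs."""
    attack = b"GET /cgi-bin/example.cgi?file=../../etc/passwd HTTP/1.0\r\nHost: target\r\n\r\n"
    first = parse_packet(build_packet("10.0.0.5", 40123, "192.0.2.10", 80,
                                      0x1A2B3C4D, 0x5E6F7081, 0x18, attack))
    second = parse_packet(build_packet("10.0.0.9", 51877, "192.0.2.10", 80,
                                       0x0BADF00D, 0x0000F00D, 0x18, attack))
    naive = naive_rule(first, 1000001)
    human = analyst_rule(first, b"/cgi-bin/example.cgi?file=../../", 1000002,
                         "constructed example.cgi traversal")
    return {"naive": naive, "human": human,
            "naive_hits": [rule_matches(naive, p) for p in (first, second)],
            "human_hits": [rule_matches(human, p) for p in (first, second)]}
```

Calling demo() returns both rule strings and their hit lists: the naive rule hits [True, False] and the analyst rule [True, True]. The one decision no script makes for you is the `fragment` argument to analyst_rule, i.e. which bytes of the payload are actually the attack; that is the human judgement Ryan describes, and the matcher here only checks the subset of options the example emits.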