[Snort-users] generating snort rules automatically
quanxing at ...4668...
Thu Jan 24 11:41:02 EST 2002
Thank you very much!
On Thu, 24 Jan 2002, Ryan Russell wrote:
> On Thu, 24 Jan 2002, Charles wrote:
> > Generating rules from Tcpdump or other traffic trace data based on some
> > analysis results. Are all the current snort rules written by humans?
> I believe every one of them was written by a human, albeit some with a
> cut-and-paste, I'm sure. Even with a TCPDump file to help, someone still
> has to decide which parts are the problem. For example, which portion of
> the TCP data to use, which TCP flags go with it, whether the port numbers
> are important, etc. Snort is capable of checking for pretty much every
> piece of a header, so if you simply converted a whole packet to a Snort
> rule, you'd probably never pick up another match, because you'd be
> looking for identical source and destination ports, sequence numbers,
> etc., which change each time for most rules. In a handful of other cases,
> it's the sequence number that is important, because of the way the exploit
> is written.
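The point Ryan makes above, shown as an added example (this is not code from the thread or from the Snort project; the packets, the CGI path and the matcher are constructed for illustration, and the matcher understands only the few rule options used here): a rule generated by copying every field of one captured packet matches only that packet, while the rule an analyst would write keeps the distinguishing content, the service port and the flags and drops the ephemeral values.

```python
# Added example: naive packet-to-Snort-rule conversion versus analyst-chosen
# constraints. Packets are constructed dicts, not real captures; the matcher
# is a toy supporting only ports, flags, seq and a single content string.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    flags: str          # TCP flags in Snort's "flags:" notation, e.g. "PA"
    seq: int            # TCP sequence number
    payload: bytes


@dataclass
class Rule:
    src_port: str       # "any" or a port number, Snort header style
    dst_port: str
    options: dict       # subset of Snort options: flags, seq, content
    msg: str
    sid: int

    def to_snort(self) -> str:
        """Render the rule in Snort rule syntax."""
        opts = [f'msg:"{self.msg}"']
        if "content" in self.options:
            opts.append(f'content:"{self.options["content"]}"')
        if "flags" in self.options:
            opts.append(f'flags:{self.options["flags"]}')
        if "seq" in self.options:
            opts.append(f'seq:{self.options["seq"]}')
        opts.append(f"sid:{self.sid}")
        return (f"alert tcp any {self.src_port} -> any {self.dst_port} "
                f"({'; '.join(opts)};)")

    def matches(self, pkt: Packet) -> bool:
        """Toy matcher: every constraint present in the rule must hold."""
        if self.src_port != "any" and int(self.src_port) != pkt.src_port:
            return False
        if self.dst_port != "any" and int(self.dst_port) != pkt.dst_port:
            return False
        if "flags" in self.options and self.options["flags"] != pkt.flags:
            return False
        if "seq" in self.options and self.options["seq"] != pkt.seq:
            return False
        if "content" in self.options and \
                self.options["content"].encode() not in pkt.payload:
            return False
        return True


def rule_from_packet(pkt: Packet, sid: int) -> Rule:
    """Naive generator: pin every header field and the whole payload."""
    content = pkt.payload.decode("ascii", "replace").rstrip("\r\n")
    return Rule(str(pkt.src_port), str(pkt.dst_port),
                {"flags": pkt.flags, "seq": pkt.seq, "content": content},
                "auto: whole packet", sid)


def rule_from_analysis(pkt: Packet, sid: int, content: str,
                       keep_flags: bool = True, keep_seq: bool = False) -> Rule:
    """What the human decides: which payload slice matters, that the service
    port matters but the client's ephemeral port does not, and whether the
    sequence number is part of the signature (rarely, as the thread notes)."""
    opts = {"content": content}
    if keep_flags:
        opts["flags"] = pkt.flags
    if keep_seq:
        opts["seq"] = pkt.seq
    return Rule("any", str(pkt.dst_port), opts, "analyst: cgi probe", sid)


def evaluate(rule: Rule, packets) -> list:
    """Return one match verdict per packet."""
    return [rule.matches(p) for p in packets]


# Constructed traffic: the same probe seen twice from different client
# sockets, plus an ordinary request to the same server.
ATTACK_1 = Packet(40211, 80, "PA", 1843291,
                  b"GET /cgi-bin/vulnerable.cgi?id=1 HTTP/1.0\r\n")
ATTACK_2 = Packet(51933, 80, "PA", 99012,
                  b"GET /cgi-bin/vulnerable.cgi?id=2 HTTP/1.0\r\n")
BENIGN = Packet(40211, 80, "PA", 1843291, b"GET /index.html HTTP/1.0\r\n")

NAIVE = rule_from_packet(ATTACK_1, 1000001)
ANALYST = rule_from_analysis(ATTACK_1, 1000002, "/cgi-bin/vulnerable.cgi")

if __name__ == "__main__":
    for r in (NAIVE, ANALYST):
        print(r.to_snort())
        print("  matches:", evaluate(r, [ATTACK_1, ATTACK_2, BENIGN]))
```

Running the block prints both rules and their verdicts: the naive rule fires on the packet it was built from and nothing else, because the second occurrence arrives from a different source port with a different sequence number; the analyst's rule fires on both occurrences and stays quiet on the ordinary request. Passing `keep_seq=True` reproduces the rarer case Ryan mentions where the sequence number is part of what identifies the traffic.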