[Snort-users] generating snort rules automatically
mkettler at ...4108...
Thu Jan 24 11:48:19 EST 2002
I believe (although I am not 100% certain) that all of the current snort
rules are human written, with perhaps the exception of some tools to assist
format conversion, assigning SID's, filling in all the extra bits, etc.
That's why they have a separate snort mailing list devoted to signature
In many cases it does not take long to generate a crude signature for a
particular new attack/exploit, and a couple rounds of people tweaking it
generally leads to a pretty good signature.
It might be possible to write such a tool to automatically generate rules,
but I'd venture to guess it would take more development time to get it
working *reliably* than the entire set of current snort sigs took. That
tool would certainly make snort itself look like a trivial piece of code,
even with the various plugins included.
Something more practical might be a tool that took a series of "normal"
tcpdump sessions and "diffed" them against an "attack" session, allowing a
human to pick the parts of interest, but that would be of pretty limited
value. If you've read an announcement for the vulnerability you likely
already know what part of a sequence to be looking at.. ie: "xxx mailserver
buffer overflow in RCPT TO:" is pretty straightforward.
I've written up a couple quick, crude ones based on announcements myself,
and while not pretty, nor the most efficient possible, they aren't very
hard. (and I'm just an amateur)
(large numbers of CC's removed, this was getting a bit long for my tastes)
At 11:50 AM 1/24/2002 -0600, Charles wrote:
>Generating rules from Tcpdump or other traffic trace data based on some
>analysis results. Are all the current snort rules written by humans?
More information about the Snort-users