[Snort-users] generating snort rules automatically

Matt Kettler mkettler at ...4108...
Thu Jan 24 11:48:19 EST 2002


I believe (although I am not 100% certain) that all of the current snort 
rules are human written, with perhaps the exception of some tools to assist 
format conversion, assigning SID's, filling in all the extra bits, etc.

That's why they have a separate snort mailing list devoted to signature 
development.

In many cases it does not take long to generate a crude signature for a 
particular new attack/exploit, and a couple rounds of people tweaking it 
generally leads to a pretty good signature.

It might be possible to write such a tool to automatically generate rules, 
but I'd venture to guess it would take more development time to get it 
working *reliably* than the entire set of current snort sigs took. That 
tool would certainly make snort itself look like a trivial piece of code, 
even with the various plugins included.

Something more practical might be a tool that took a series of "normal" 
tcpdump sessions and "diffed" them against an "attack" session, allowing a 
human to pick the parts of interest, but that would be of pretty limited 
value. If you've read an announcement for the vulnerability you likely 
already know what part of a sequence to be looking at.. ie: "xxx mailserver 
buffer overflow in RCPT TO:" is pretty straightforward.

I've written up a couple quick, crude ones based on announcements myself, 
and while not pretty, nor the most efficient possible, they aren't very 
hard. (and I'm just an amateur)


(large numbers of CC's removed, this was getting a bit long for my tastes)

At 11:50 AM 1/24/2002 -0600, Charles wrote:

>Generating rules from Tcpdump or other traffic trace data based on some
>analysis results. Are all the current snort rules written by humans?





More information about the Snort-users mailing list