[Snort-users] Fuzzy Matching in Snort

Thoplaop T.M.Hesketh-roberts at ...8958...
Tue Apr 22 08:51:24 EDT 2003


Hey there,

I'm considering introducing a way to
generate alerts by effectively parsing
snort rules in a "fuzzy" manner.

In other words, an alert would be generated
if, say, all but one of the rule-matching
conditions are met - thus helping to alert
upon variations of attacks already in
existence.

What do the rest of you think of this?
Has this project got the potential to be useful?
Has it been tried before at all?  (If so,
please let me know where, if possible.)

The obvious down side would include the
number of false positives, however, just
how common are "new attacks that are
variations of old ones"?

This is currently being undertaken as a
Software Engineering Masters project, but
the eventual direction in which it is
heading is yet to be set in stone.

Many thanks in advance for any feedback,

Thop


-- 
Spare time?  Make good use of it...
http://thop.co.uk/go - just click to donate free to good causes
(sponsored by adverts)

Michael Eisner, MD for Disney = $9,783/hour
   Haitian worker for Disney  = 28 cents/hour
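The "all but one condition" idea from the post, as an added example that is not from the poster or from Snort itself: a toy evaluator for a handful of Snort rule options (content, nocase, dsize) that raises an alert when at least total - slack conditions hold. The rule options and payloads are constructed for the demonstration; the benign request shows how the false-positive cost grows as slack grows.

```python
import re
from typing import Callable, List, Tuple

# Added example, not Snort's rule engine: only content/nocase/dsize are
# handled, and a ';' inside a content string is not supported.
Condition = Tuple[str, Callable[[bytes], bool]]
_DSIZE_OPS = {">": int.__gt__, "<": int.__lt__, "": int.__eq__}


def parse_rule_options(options: str) -> List[Condition]:
    """Parse rule options into (label, check) pairs, one per condition."""
    conds: List[Condition] = []
    for tok in (t.strip() for t in options.strip("() ").split(";")):
        if not tok or tok.split(":")[0] in ("msg", "sid", "rev", "classtype"):
            continue  # metadata options never look at the payload
        if tok.startswith("content:"):
            pat = tok[len("content:"):].strip().strip('"').encode()
            conds.append((tok, lambda p, pat=pat: pat in p))
        elif tok == "nocase" and conds and conds[-1][0].startswith("content:"):
            label, _ = conds[-1]  # nocase modifies the preceding content match
            pat = label[len("content:"):].strip().strip('"').encode()
            conds[-1] = (label + "; nocase", lambda p, pat=pat: pat.lower() in p.lower())
        elif tok.startswith("dsize:"):
            m = re.fullmatch(r"([<>]?)(\d+)", tok[len("dsize:"):].strip())
            if not m:
                raise ValueError(f"bad dsize option: {tok}")
            fn, n = _DSIZE_OPS[m.group(1)], int(m.group(2))
            conds.append((tok, lambda p, fn=fn, n=n: fn(len(p), n)))
        else:
            raise ValueError(f"unsupported option: {tok}")
    return conds


def fuzzy_match(conds: List[Condition], payload: bytes, slack: int = 1):
    """Return (matched, total, alert); alert when matched >= total - slack."""
    matched = sum(1 for _, check in conds if check(payload))
    return matched, len(conds), matched >= len(conds) - slack


# Constructed rule options and sample payloads for the demonstration.
RULE_OPTIONS = ('(msg:"toy cgi-bin traversal"; content:"GET "; '
                'content:"/cgi-bin/"; nocase; content:"../"; dsize:>20;)')
EXACT_HIT = b"GET /cgi-bin/../etc HTTP/1.0"  # all 4 conditions hold
VARIANT = b"GET /CGI-BIN/script HTTP/1.0"    # 3 of 4: the "../" content is absent
BENIGN = b"GET /index.html HTTP/1.0"         # 2 of 4: only "GET " and dsize hold

if __name__ == "__main__":
    conds = parse_rule_options(RULE_OPTIONS)
    for name, p in (("exact", EXACT_HIT), ("variant", VARIANT), ("benign", BENIGN)):
        for slack in (0, 1, 2):
            print(name, slack, fuzzy_match(conds, p, slack))
```

With slack=1 the variant fires while the benign request does not; with slack=2 the benign request fires too, which is the false-positive trade-off the post asks about.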
