
Re: Automated IDS Signature Generator?

From: Christian Kreibich <christian(at)whoop.org>
Date: Sun Jun 22 2003 - 23:16:02 EDT

Hi,

On Tue, 2003-06-17 at 23:34, quakeroats@hushmail.com wrote:
>
>
> IDS Folk,
>
> Is there a utility/function/program that automatically generates an IDS
> signature based on a recording of a monitored exploit attempt? For
> example, say the exploit is brought into an isolated lab environment, and
> we record the whole attack. At the end of the attack, this "thing" spits
> out automated scripts for any number of IDS solutions. Seems like it
> would be something that companies like Snort/Symantec/Dragon/etc. might
> already have, but I've never heard of such a utility.

yup, it's called Honeycomb and was already pointed out by Toby. Sorry for the slow reply, I've been buried in work.

http://www.cl.cam.ac.uk/~cpk25/honeycomb/

Honeycomb is a system that applies pattern matching and protocol analysis techniques to traffic going through honeyd [1]. It is an experimental system that currently is good at detecting invalid traffic characteristics (christmas packets etc.) and particularly worms, due to their relatively large size.

Calling such a system useless is quite naive -- potential applications abound. The system has created extremely good signatures for the common worms in my testing, without any hardcoded knowledge of these worms.

People have been using honeypots for a while now to trap spam by running fake open relays; Honeycomb could be used to look for patterns in spam to dynamically create spam filters, for example. Niels Provos is currently working on that.


Certainly it won't prevent new attacks or spot every single oddity on your network, but that's not the goal. The goal is to create signatures for things that happen repeatedly, and by looking for such traffic on a honeypot you get a damn good chance that you're looking at something malicious.

If you're interested, check out the poster or the slides of the talk on the site above.

[1] http://niels.xtdnet.nl/honeyd/

-- 
________________________________________________________________________
                                                    
http://www.whoop.org
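As an added illustration of the idea described in the message above (not Honeycomb's code, and a deliberately simplified version of it): group payloads a honeypot logged by destination port, take pairwise longest common substrings, keep only patterns that are long enough and recur in several flows, and emit a Snort content rule for each survivor. The captured payloads, the thresholds and the rule message are all constructed for this example.

```python
from collections import defaultdict
from itertools import combinations

MIN_LEN = 16    # shorter matches are usually shared protocol boilerplate (e.g. " HTTP/1.")
MIN_FLOWS = 3   # a pattern must recur across flows: repetition on a honeypot is the signal
# Constructed honeypot log: (destination port, first payload of the flow). Three flows carry
# a made-up repeated body with a varying counter; the others are one-off, benign-looking.
CAPTURES = [
    (80, b"GET /cgi-bin/scan?CONSTRUCTED-WORM-BODY-0001 HTTP/1.0\r\n\r\n"),
    (80, b"GET /index.html HTTP/1.1\r\nHost: lab.example\r\n\r\n"),
    (80, b"GET /cgi-bin/scan?CONSTRUCTED-WORM-BODY-0002 HTTP/1.0\r\n\r\n"),
    (80, b"GET /cgi-bin/scan?CONSTRUCTED-WORM-BODY-0003 HTTP/1.0\r\n\r\n"),
    (25, b"EHLO mail.example\r\n"),
    (25, b"HELO relay.example\r\n"),
]

def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Dynamic-programming LCS; payloads are short, so O(len(a)*len(b)) is acceptable."""
    best_len, best_end, prev = 0, 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def candidate_patterns(payloads):
    """Pairwise LCS over the flows on one port, then count how many flows contain each candidate."""
    cands = {longest_common_substring(x, y) for x, y in combinations(payloads, 2)}
    return {c: sum(c in p for p in payloads) for c in cands if len(c) >= MIN_LEN}

def snort_content(pattern: bytes) -> str:
    """Render bytes in Snort content syntax: printable characters literal, everything else as |XX|."""
    return "".join(chr(ch) if 0x20 <= ch < 0x7F and chr(ch) not in ';"\\|' else "|%02X|" % ch
                   for ch in pattern)

def generate_rules(captures, sid_base=1000001):
    """Emit one Snort rule per recurring pattern on each port, longest patterns first."""
    by_port = defaultdict(list)
    for port, payload in captures:
        by_port[port].append(payload)
    rules = []
    for port, payloads in sorted(by_port.items()):
        for pat, hits in sorted(candidate_patterns(payloads).items(), key=lambda kv: -len(kv[0])):
            if hits >= MIN_FLOWS:
                rules.append('alert tcp any any -> any %d (msg:"auto signature, seen in %d flows"; '
                             'content:"%s"; sid:%d;)' % (port, hits, snort_content(pat), sid_base + len(rules)))
    return rules
```

With the constructed log, only the port 80 flows produce a rule: the benign request shares nothing longer than " HTTP/1." with the repeated body, and the two SMTP greetings share only ".example\r\n", both below MIN_LEN.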


Received on Sun Jun 22 23:34:20 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:15 EDT
