[Snort-devel] Proposed Fuzzy Match Feature

From: Thoplaop <T.M.Hesketh-roberts(at)Bradford.ac.uk>
Date: Thu Apr 24 2003 - 09:26:54 EDT


Good afternoon,

I'm considering contributing a way to generate alerts by effectively parsing snort rules in a "fuzzy" manner.

In other words, an alert would be generated if, say, all but one of the rule-matching conditions are met - thus helping to alert upon variations of attacks already in existence.

What do the rest of you think of this? Has this project got the potential to be useful? Do you know whether it's been tried before at all? (If so, please do let me know if you know where.)

The obvious downside would include the number of false positives; however, just how common are "new attacks that are variations of old ones"?

This is currently being undertaken as a Software Engineering Masters project, but the eventual direction in which it is heading is yet to be set in stone.

Many thanks in advance for any feedback,

Thop

NB: apologies if you'd seen this mail on snort-users list previously - I believe it is much more appropriate here.



Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Thu Apr 24 09:34:45 2003
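
Added example (not part of the original message, and not Snort code): a sketch of the "all but one condition" matching the message proposes, using a hypothetical rule model (`Packet`, `make_rule`, `evaluate`) with constructed rules and packets. It also shows the false-positive concern the message raises: a rule with only three conditions fuzzy-matches ordinary port-80 traffic.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for a decoded packet; not a Snort structure."""
    proto: str
    dst_port: int
    payload: bytes

def make_rule(name, proto, dst_port, contents):
    """Build a rule as (name, [(label, predicate), ...]). Hypothetical model."""
    conds = [
        (f"proto={proto}", lambda p: p.proto == proto),
        (f"dst_port={dst_port}", lambda p: p.dst_port == dst_port),
    ]
    for c in contents:
        # Bind c per iteration; match case-insensitively, like a nocase content.
        conds.append((f"content={c.decode()}",
                      lambda p, c=c: c.lower() in p.payload.lower()))
    return name, conds

def evaluate(rule, packet, max_missed=1):
    """Return (verdict, missed_labels); verdict is 'exact', 'fuzzy' or 'none'."""
    _, conds = rule
    missed = [label for label, pred in conds if not pred(packet)]
    if not missed:
        return "exact", missed
    if len(missed) <= max_missed:
        return "fuzzy", missed  # report which condition was relaxed
    return "none", missed

# Constructed rules and traffic, for illustration only.
LONG_RULE = make_rule("demo-cgi", "tcp", 80,
                      [b"GET ", b"/cgi-bin/demo.cgi", b"debug="])
SHORT_RULE = make_rule("demo-admin", "tcp", 80, [b"/admin"])

KNOWN = Packet("tcp", 80, b"GET /cgi-bin/demo.cgi?debug=1 HTTP/1.0")
VARIANT = Packet("tcp", 8080, b"GET /cgi-bin/demo.cgi?debug=1 HTTP/1.0")
BENIGN = Packet("tcp", 80, b"GET /index.html HTTP/1.0")

if __name__ == "__main__":
    for rule in (LONG_RULE, SHORT_RULE):
        for label, pkt in (("known", KNOWN), ("variant", VARIANT),
                           ("benign", BENIGN)):
            print(rule[0], label, evaluate(rule, pkt))
```

With five conditions, tolerating one miss catches the port-shifted variant and still rejects the benign request; with three conditions, the same tolerance alerts on the benign request, so any miss budget has to scale with how many conditions a rule carries.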

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT

