'[arachNIDS] gzip, priority sorting'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       arachnids
Subject:    [arachNIDS] gzip, priority sorting
From:       Max Vision <vision () whitehats ! com>
Date:       2001-04-20 12:43:02
[Download RAW message or body]

There are some changes to the snort signatures export functionality of 
arachNIDS.  I will comment in more detail when I'm done with the last round 
of updates, but there are two notable features I wanted to mention right away:

o priority sorting
   Snort 1.x alerts on the first signature that matches an attack, using
   the order that the signatures were listed in the configuration file.
   I have added a new classification system that allows us to sort these
   in a reasonable order, so that more specific rules will have priority
   over more general rules.  Right now the levels of granularity are:
    10-exploit-content (specific to one exploit, uses packet contents)
    20-exploit-nocontent (specific to one exploit, no content)
    30-vulnerability-content (specific to one vulnerability, content)
    40-vulnerability-nocontent (specific to one vulnerability, no content)
    50-other
   This allows us to catch the very specific attacks instead of having the
   more general vulnerability rules trigger when a certain exploit is sent.
   This will also provide more information by process of elimination.  For
   example, if we have a signature for a specific POP3 overflow, and a
   signature that detects long strings of data in the PASS command in POP3,
   then we know that if the general rule triggers that it is an undocumented
   exploit - or else the specific rule would have triggered.  See the
   current http://whitehats.com/ids/vision.conf.gz for examples.

o gzip download
   vision.conf and vision.rules export files will only be available in
   compressed form.  Each config file is over 60k, and vision.rules was
   downloaded 21772 times so far this month. (fyi vision.conf trails with
   3606 downloads so far...)  This adds up to a lot of bandwidth for
   just a little configuration file.  Using gzip will save you a few
   seconds, and it will save me about a GIG of transfer per month.
   http://whitehats.com/ids/vision.conf.gz
   http://whitehats.com/ids/vision.rules.gz

This is not the big update, there are more goodies coming shortly.

Max

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic