Subject: Re: [snort] A way to improve the signatures.
From: Stuart Staniford-Chen (stuart at SiliconDefense.com)
Date: Tue Mar 21 2000 - 07:45:33 CST
- Next message: Jerry Shenk: "RE: [snort] snort won't daemonize on HP 10.20"
- Previous message: Fyodor: "Re: [snort] snort won't daemonize on HP 10.20"
- In reply to: Max Vision: "Re: [snort] A way to improve the signatures."
- Reply: Stuart Staniford-Chen: "Re: [snort] A way to improve the signatures."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Max Vision wrote:
> > Then the signature owners could gather statistics on what really happens
> > in the field with each signature. After a few weeks or months, we'd be
> > in a position to say for each signature: "This one gets 100 false alarms
> > for every true alert, let's just throw it away, or improve it somehow."
> > or "This one has been a real attack every time."
> >
> Not a bad idea. However if the current amount of feedback we get is any
> indicator, then these statistics are going to be pretty minimal...
How much feedback do you want? I don't mind telling you every time I do
an analysis triggered by one of your sigs unless the record is too much
of a pain to sanitize.
Here's a false alarm on IDS 227 ("///"). I think the user just
mistyped.
[**] IDS227 - Web-CGI-Scriptalias [**]
03/20-11:05:27.906975 X:51728 -> Y:80
TCP TTL:50 TOS:0x0 ID:51256 DF
*****PA* Seq: 0x38549BFD Ack: 0x4EB42B0B Win: 0x2238
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0..
52 65 66 65 72 65 72 3A 20 66 69 6C 65 3A 2F 2F Referer: file://
2F 43 7C <munch> 2E 48 54 4D /C|/XXXXXXXX.HTM
0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F ..User-Agent: Mo
7A 69 6C 6C 61 2F 34 2E 30 34 20 5B 65 6E 5D 20 zilla/4.04 [en]
28 57 69 6E 39 35 3B 20 49 29 0D 0A 41 63 63 65 (Win95; I)..Acce
70 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 pt: image/gif, i
6D 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 mage/x-xbitmap,
69 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 image/jpeg, imag
65 2F 70 6A 70 65 67 2C 20 69 6D 61 67 65 2F 70 e/pjpeg, image/p
6E 67 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D ng, */*..Accept-
4C 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A 41 63 Language: en..Ac
63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 69 73 cept-Charset: is
6F 2D 38 38 35 39 2D 31 2C 2A 2C 75 74 66 2D 38 o-8859-1,*,utf-8
<delete>
Stuart.
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart at silicondefense.com
(707) 822-4588 (707) 826-7571 (FAX)
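The dump above shows where the string that IDS227 keys on actually sits: in the Referer header (file:///C|/...), not in the requested path. As an added example, not code from this thread or from the snort project, the Python below rebuilds the request from the dump (keeping the message's XXXXXXXX.HTM placeholder for the elided Referer path) and contrasts a match on "///" anywhere in the payload, which is how the message describes the signature behaving, with a match restricted to the request-URI. The second request, with "///" in the path, is constructed here to stand for the traffic the signature is meant to catch; the cgi-bin/printenv path is an assumption, not something the message mentions.

```python
"""
Where in an HTTP request does "///" actually occur?

Added example, not code from the original snort thread or from snort
itself.  Assumption: the IDS227 signature fires on the byte string "///"
anywhere in the TCP payload, as the message describes.  The two sample
requests are constructed for this example.
"""

PATTERN = b"///"

# Constructed from the hex dump in the message.  The Referer path is
# elided in the dump; "XXXXXXXX.HTM" is the message's own placeholder.
BENIGN_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"Referer: file:///C|/XXXXXXXX.HTM\r\n"
    b"User-Agent: Mozilla/4.04 [en] (Win95; I)\r\n"
    b"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\r\n"
    b"Accept-Language: en\r\n"
    b"Accept-Charset: iso-8859-1,*,utf-8\r\n"
    b"\r\n"
)

# Constructed (hypothetical path): a request with the triple slash in the
# request-URI itself, i.e. the case the signature is meant to flag.
SUSPECT_REQUEST = (
    b"GET /cgi-bin///printenv HTTP/1.0\r\n"
    b"Host: example.test\r\n"
    b"\r\n"
)


def payload_match(payload: bytes) -> bool:
    """The signature as described in the message: '///' anywhere in the payload."""
    return PATTERN in payload


def parse_request(payload: bytes):
    """Split an HTTP/1.x request into (method, uri, version, headers).

    Headers are returned as a dict keyed by lower-cased name.  Returns None
    when the request line does not have the three-token HTTP/1.x shape.
    """
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def locate_pattern(payload: bytes) -> list:
    """List each part of the request in which PATTERN occurs.

    Entries are "request-uri" or "header:<name>"; a payload that does not
    parse as HTTP/1.x but still contains the pattern yields ["unparsed"].
    """
    parsed = parse_request(payload)
    if parsed is None:
        return ["unparsed"] if PATTERN in payload else []
    _method, uri, _version, headers = parsed
    hits = []
    if PATTERN in uri:
        hits.append("request-uri")
    for name, value in headers.items():
        if PATTERN in value:
            hits.append("header:" + name.decode("ascii", "replace"))
    return hits


def uri_match(payload: bytes) -> bool:
    """Tightened check: alert only when '///' appears in the request-URI."""
    return "request-uri" in locate_pattern(payload)


if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("suspect", SUSPECT_REQUEST)):
        print(label, "payload_match=%s" % payload_match(req),
              "uri_match=%s" % uri_match(req), "found in:", locate_pattern(req))
```

Both checks fire on the constructed suspect request, but only the payload-wide match fires on the request from the dump, where the triple slash is inside a file:// Referer. The example compares literal bytes only; it does not URL-decode the request-URI, so an encoded slash would not be seen by either check.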