Subject: Re: [snort] Dynamic Rules?
From: Martin Roesch (roeschhiverworld.com)
Date: Thu Mar 23 2000 - 18:00:51 CST


It actually occurred to me that we can perform two step (semi-stateful)
inspection with the techniques I've outlined. I don't want to go into
the gory details right now (since I'm in the terminal room at the SANS
conference), but it should be possible to activate or deactivate pretty
much any rule in a dynamic fashion. I can think of a few things we can
do with this capability.... (and I'll talk more about it next week!)

     -Marty

dbrez wrote:
>
> On Wed, 22 Mar 2000, Martin Roesch wrote:
>
> >I'm actually planning on implementing something like this pretty soon by
> >adding a flag to the rules data structures to mark them active or
> >inactive. Rules that activate follow-on logging will have a pointer to
> >the inactive RTN/OTN node that they activate, which it will set active
> >when the "key rule" activates. The rules which go active/inactive will
> >have a counter that gets decremented each time they are referenced. I
> >think in this way we can do what you describe in a computationally
> >inexpensive manner. The only tricky thing is setting up a rule option
> >type that will be able to activate the other rules correctly (i.e. the
> >activation function needs to be the last thing that happens before the
> >RuleListEnd or OptListEnd functions get called). I'll describe why if
> >anyone's interested.....
>
> I implemented a similar feature in NFR using N-code. Since N-code is a fairly
> general purpose language, I was able to create an interface called
> "SourceWatch." When particular conditions occurred (a signature match etc.),
> I could call the SourceWatch interface with the source IP address to watch.
> The SourceWatch interface has a run-time configurable variable to limit
> the amount of data captured. As Stuart mentioned, you only want to use
> such a mechanism when serious (and reliably detected) events occur.
>
> I would love to see a dependent rule mechanism similar to this implemented
> in Snort. This kind of mechanism goes a long way towards combating the
> data reduction issue that many of us face on our networks. The ability to
> write out pcap dump files and a dynamic source watch mechanism would make
> snort an extremely effective network alarm system. Think of it as a sensor
> driven video surveillance system for your digital assets ;) Currently, no
> other NIDS that I know of provides a truly useful method of doing this. One
> is either hindered by data stored in proprietary formats (NFR) or no real data
> kept at all (ISS etc.).
>
> Dominique Brezinski

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
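The activation scheme sketched above (an active flag on each rule node, a pointer from the key rule to the dormant node it switches on, a countdown decremented on every reference, and activation deferred to the last step of the pass) as an added illustration in C. This is constructed example code, not Snort's source; the Rule struct, inspect(), scenario() and the packet payloads are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed node modelled on the thread's design: an active flag, a pointer
 * to the dormant rule a "key rule" turns on, and a countdown decremented on
 * every reference that deactivates the rule again when it reaches zero. */
typedef struct Rule {
    const char *pattern;      /* substring looked for in the payload */
    bool active;              /* dormant rules start with active == false */
    struct Rule *activates;   /* follow-on rule switched on when this fires */
    int activate_count;       /* packets the follow-on rule stays on for */
    int count;                /* remaining references (0 = not counting) */
} Rule;

/* Evaluate one payload; returns how many rules matched. Activation is deferred
 * to the end of the pass (the RuleListEnd point in the design), so a newly
 * activated rule only sees the packets that follow the key packet. */
int inspect(Rule *rules, size_t n, const char *payload)
{
    Rule *pending[16];        /* key rules that fired during this pass */
    size_t npending = 0;
    int matches = 0;
    for (size_t i = 0; i < n; i++) {
        Rule *r = &rules[i];
        if (!r->active)
            continue;
        if (r->count > 0 && --r->count == 0)  /* burn one reference... */
            r->active = false;                /* ...this is its last packet */
        if (strstr(payload, r->pattern) != NULL) {
            matches++;
            if (r->activates != NULL && npending < 16)
                pending[npending++] = r;
        }
    }
    for (size_t i = 0; i < npending; i++) {   /* last step before list end */
        pending[i]->activates->active = true;
        pending[i]->activates->count = pending[i]->activate_count;
    }
    return matches;
}

/* Scenario: "key" fires on EXPLOIT, then the follow-on rule (which matches any
 * payload) logs exactly the next two packets and goes dormant again. */
int scenario(void)
{
    Rule rules[2] = { {"EXPLOIT", true, &rules[1], 2, 0},
                      {"", false, NULL, 0, 0} };
    const char *pkts[] = {"hello", "EXPLOIT attempt", "data1", "data2", "data3"};
    int total = 0;
    for (size_t i = 0; i < 5; i++)
        total += inspect(rules, 2, pkts[i]);
    return total;                             /* 1 (key) + 2 (follow-on) = 3 */
}
```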