Focus on IDS
Re: Intrusion Detection Evaluation Datasets Mar 19 2009 08:33PM
Joel Esler (eslerj gmail com) (1 replies)
On Mar 19, 2009, at 4:30 PM, Paul Schmehl wrote:

> --On Thursday, March 19, 2009 14:33:29 -0400 Joel Esler <eslerj (at) gmail (dot) com> wrote:
>
>> Would this be an appropriate use for byte_test or byte_jump?
>>
>
> That's what I was referring to when I mentioned applications. The
> problem with http traffic is that it's much more freeform and
> doesn't lend itself to byte_test and byte_jump type tests.

I'd probably use a combination of isdataat and pcre for this. As
Marty said, 99.9999% of things can be found with plaintext Snort
rules. Anything else, you can use an .so rule for.

--
Joel Esler T: 302-223-5974 (-) Gtalk: jesler (at) sourcefire (dot) com

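[Editor's added example, not part of the thread or of any Snort ruleset.] The isdataat + pcre pairing Joel suggests for freeform HTTP, written out as a constructed Snort rule and a small Python emulation of the three options it chains (content sets the detection cursor, isdataat:N,relative cheaply rejects before the regex runs, pcre confirms). The rule text, the placeholder sid:1000001, the 512-byte threshold and the sample requests are all constructed here; the emulation follows the documented intent of the options and is not Snort's engine.

```python
import re

# Added example: a constructed Snort rule (not from the thread) showing the
# content -> isdataat -> pcre chain. sid:1000001 is a local-range placeholder.
RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ('
    'msg:"LOCAL overlong User-Agent header"; flow:to_server,established; '
    'content:"User-Agent|3A| "; nocase; isdataat:512,relative; '
    'pcre:"/^User-Agent\\x3a\\s[^\\r\\n]{512}/mi"; '
    'classtype:attempted-recon; sid:1000001; rev:1;)'
)

CONTENT = b"User-Agent: "          # content:"User-Agent|3A| "; nocase;
ISDATAAT_N = 512                   # isdataat:512,relative;
PCRE = re.compile(rb"^User-Agent:\s[^\r\n]{512}", re.IGNORECASE | re.MULTILINE)


def content_match(payload: bytes, pattern: bytes, nocase: bool = True):
    """Emulate content:"..."; [nocase;]. Returns the detection cursor
    (offset just past the first match) or None when the pattern is absent."""
    hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    idx = hay.find(needle)
    return None if idx < 0 else idx + len(needle)


def isdataat_relative(payload: bytes, n: int, cursor: int) -> bool:
    """Emulate isdataat:n,relative; i.e. at least n bytes of payload remain
    after the end of the previous match (approximation of the documented intent)."""
    return len(payload) - cursor >= n


def check(payload: bytes) -> str:
    """Walk the rule's options in order and report where evaluation stops:
    'no_content', 'isdataat_short', 'pcre_no_match' or 'alert'."""
    cursor = content_match(payload, CONTENT)
    if cursor is None:
        return "no_content"
    if not isdataat_relative(payload, ISDATAAT_N, cursor):
        return "isdataat_short"        # cheap reject, the regex never runs
    if PCRE.search(payload) is None:
        return "pcre_no_match"
    return "alert"


def rule_matches(payload: bytes) -> bool:
    return check(payload) == "alert"


# Constructed sample requests (not captured traffic).
HEAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n"
NO_UA = HEAD + b"\r\n"
BENIGN = HEAD + b"User-Agent: Mozilla/5.0\r\n\r\n"
LONG_UA = HEAD + b"User-Agent: " + b"A" * 600 + b"\r\n\r\n"
MIXED_CASE = HEAD + b"USER-AGENT: " + b"B" * 512 + b"\r\n\r\n"
# Short User-Agent but a large body: enough data follows the match to satisfy
# isdataat, so only the pcre keeps this from alerting.
LONG_BODY = (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
             b"User-Agent: curl/7.19\r\nContent-Length: 700\r\n\r\n" + b"x" * 700)

SAMPLES = {"no_ua": NO_UA, "benign": BENIGN, "long_ua": LONG_UA,
           "mixed_case": MIXED_CASE, "long_body": LONG_BODY}

if __name__ == "__main__":
    print(RULE)
    for name, payload in SAMPLES.items():
        print(f"{name:>11}: {check(payload)}")
```

Running it prints which option stops evaluation for each sample. The benign request dies at isdataat without the regex ever running, which is the cheap gate; the POST with a short User-Agent and a large body passes isdataat, which is why the pcre is still needed as the actual match condition rather than a decoration.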
Re: Intrusion Detection Evaluation Datasets Mar 20 2009 03:58AM
Ravi Chunduru (ravi is chunduru gmail com)
Copyright 2010, SecurityFocus