Integrating More Intelligence into Your IDS, Part 2
Don Parker and Ryan Wegner

This article considers how a preprocessor can be used to introduce learning into an intrusion detection system (IDS). The starting point is the problem defined in Part I: an IDS that adapts to changes in the type of traffic it sees and alerts administrators when that traffic is anomalous.
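A stand-alone sketch of the learning idea described above, added here as an illustration; it is not code from the article or from Snort. The class, its parameters and the per-interval packet counts are this example's own constructions: each port gets an exponentially weighted baseline of packets per interval, and an interval that deviates from the learned baseline by more than a few standard deviations is reported.

```python
import math
from collections import defaultdict


class AdaptiveBaseline:
    """Learns a per-port baseline (EWMA of packets per interval) and flags
    intervals deviating from it by more than `threshold` standard deviations."""

    def __init__(self, alpha=0.2, threshold=3.0, warmup=5, min_std=1.0):
        self.alpha = alpha          # learning rate: how fast the baseline adapts
        self.threshold = threshold  # alert when |z-score| exceeds this
        self.warmup = warmup        # intervals seen per port before alerting
        self.min_std = min_std      # floor so a flat baseline is not hair-trigger
        self.stats = defaultdict(lambda: {"mean": 0.0, "var": 0.0, "n": 0})

    def observe(self, port, count):
        """Feed one interval's packet count; return an alert dict or None."""
        s = self.stats[port]
        s["n"] += 1
        if s["n"] == 1:             # first sample seeds the baseline
            s["mean"] = float(count)
            return None
        diff = count - s["mean"]
        std = max(math.sqrt(s["var"]), self.min_std)
        z = diff / std              # scored against the baseline learned so far
        if s["n"] > self.warmup and abs(z) > self.threshold:
            # Anomalous samples are not folded into the baseline; otherwise a
            # sustained flood gradually teaches the detector that floods are normal.
            return {"port": port, "count": count,
                    "expected": round(s["mean"], 1), "z": round(z, 1)}
        s["mean"] += self.alpha * diff  # EWMA update of mean and variance
        s["var"] = (1 - self.alpha) * (s["var"] + self.alpha * diff * diff)
        return None


def run_demo():
    """Constructed per-interval packet counts: steady SSH, HTTP with one spike."""
    samples = {22: [5, 5, 6, 5, 5, 5, 5, 5],
               80: [100, 110, 95, 105, 100, 98, 102, 500, 104]}
    baseline = AdaptiveBaseline()
    alerts = []
    for port, counts in samples.items():
        for count in counts:
            alert = baseline.observe(port, count)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print(run_demo())  # one alert: port 80, count 500, expected ~100.8
```

The warm-up period and the refusal to learn from alerting intervals are the two knobs that decide whether the detector can be quietly retrained by whoever controls the traffic.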

Comments

Integrating More Intelligence into Your IDS, Part 2 (innominate, 2008-03-12)
Utilizing the preprocessor system in snort needs to be done on a case-by-case basis. While it's good for the learning experience, something as trivial as hitting on port 80 can be done much more simply (and in many cases, faster) with a rule or set of rules. There's a reason the rule system exists. ;)

You should also take into account the fact that, while writing preprocessors, you're likely to be putting your code under the licensing of snort itself... Meaning, your code may end up having to be open source if you're distributing it. Whereas with rules, you can keep them to yourself without any license violation.

Just some food for thought.

Copyright 2007, SecurityFocus