focus-ids: IDS mailing list archives

RE: Snort signature packet generator
From: "adam.w.hogan" <adam.w.hogan () delphi com>
Date: Mon, 8 Nov 2004 10:30:47 -0500


There is a program to do just that: Snot [0].  But this strikes me as a very inaccurate way to train a neural network.  
You would be using purely crafted packets which may or may not appear as an actual attack would.  Snot is made to fill 
up snort logs, and the packets it creates are done purely to trip rules, not appear 100% valid.  Instead I would 
download exploits and scanners like Nessus and use actual attacks to train your neural net.

-Adam.

[0] http://www.stolenshoes.net/sniph/index.html

-----Original Message-----
From: Graeme Connell [mailto:gconnell () middlebury edu]
Sent: Friday, November 05, 2004 12:29 PM
To: focus-ids () securityfocus com
Subject: Snort signature packet generator


I'm attempting to train a neural network using snort, and I'm having
trouble getting a good number of "bad" packets, i.e. those that snort
considers malicious.  Since a snort signature is really just a
definition of a subset of all possible packets, it seems like it should
be possible to create a packet that snort considers bad by filling in
packet fields based on a snort signature, then filling the rest of the
packet with random garbage.  Does anyone know if this type of program
has already been created, and if so, where could I find it?  Thanks.

                --Graeme Connell
