Snort mailing list archives

Fuzzy Matching in Snort


From: Thoplaop <T.M.Hesketh-roberts () Bradford ac uk>
Date: Tue, 22 Apr 2003 13:39:55 +0100 (BST)

Hey there,

I'm considering introducing a way to
generate alerts by effectively parsing
snort rules in a "fuzzy" manner.

In other words, an alert would be generated
if, say, all but one of the rule-matching
conditions are met - thus helping to alert
upon variations of attacks already in
existence.

What do the rest of you think of this?
Has this project got the potential to be useful?
Has it been tried before at all?  (If so, please let me know where, if possible.)

The obvious down side would include the
number of false positives, however, just
how common are "new attacks that are
variations of old ones"?

This is currently being undertaken as a
Software Engineering Masters project, but
the eventual direction in which it is
heading is yet to be set in stone.

Many thanks in advance for any feedback,

Thop


-- 
Spare time?  Make good use of it...
http://thop.co.uk/go - just click to donate free to good causes
(sponsored by adverts)

Michael Eisner, MD for Disney = $9,783/hour
   Haitian worker for Disney  = 28 cents/hour
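An added illustration of the "all but one condition" idea from the post above (this is example code, not anything from the poster or from Snort): a toy matcher evaluates a hypothetical rule with five Snort-style options against constructed packets, once strictly and once allowing one missed option, which also shows how benign traffic that differs from the signature in a single option turns into a false positive.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str
    dport: int
    flags: str
    payload: bytes

def check(option, expected, pkt):
    """Evaluate one Snort-style option against a packet (toy subset of options)."""
    if option == "proto":
        return pkt.proto == expected
    if option == "dport":
        return pkt.dport == expected
    if option == "flags":
        return pkt.flags == expected
    if option == "content":
        return expected in pkt.payload
    if option == "dsize":  # expected is an inclusive (low, high) byte range
        low, high = expected
        return low <= len(pkt.payload) <= high
    raise ValueError(f"unsupported option: {option}")

def fuzzy_match(rule, pkt, max_missed=1):
    """Return (alert, missed_options): alert when at most max_missed options fail.
    max_missed=0 is ordinary strict matching; max_missed=1 is the 'all but one' idea."""
    missed = [opt for opt, exp in rule.items() if not check(opt, exp, pkt)]
    return len(missed) <= max_missed, missed

# Constructed rule: a hypothetical five-option signature, not a real Snort rule.
RULE = {"proto": "tcp", "dport": 80, "flags": "A", "content": b"MARKER", "dsize": (10, 200)}

# Constructed traffic: an exact hit, a variant on another port, benign web traffic
# that differs only in payload, and unrelated UDP traffic.
EXACT = Packet("tcp", 80, "A", b"GET /x MARKER HTTP/1.0")
VARIANT = Packet("tcp", 8080, "A", b"GET /x MARKER HTTP/1.0")
BENIGN = Packet("tcp", 80, "A", b"GET /index.html HTTP/1.0")
OTHER = Packet("udp", 53, "", b"query")

def demo():
    """Per packet: (strict verdict, fuzzy verdict). BENIGN alerts only under fuzzy matching."""
    return {
        name: (fuzzy_match(RULE, pkt, 0)[0], fuzzy_match(RULE, pkt, 1)[0])
        for name, pkt in [("exact", EXACT), ("variant", VARIANT), ("benign", BENIGN), ("other", OTHER)]
    }

if __name__ == "__main__":
    for name, (strict, fuzzy) in demo().items():
        print(f"{name:8} strict={strict} fuzzy={fuzzy}")
```

Weighting options (a `content` miss should count for more than a `dport` miss) or requiring the payload condition to always hold would be the natural next step for keeping the false-positive rate of the VARIANT-style catch under control.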



