Hi,
In the beginning, I will use some known attacks logs, generated by known
scans, how nmap, fingerprint and analyzing the TCP packet content. The
strings in content are good attack indication.
"wget%20" , "/bin/sh" are common strings used in server pages attacks.
Common signatures can be found in snort rules. We can build malicious
network packets to use in repository.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh";
flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347;
reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP";
flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|";
reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect;
sid:1326; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow";
flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00
00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572;
classtype:shellcode-detect; sid:1327; rev:7;)
It's some examples found in exploit.rules file.
Currently, I need somebody make a module that converts rules of snort to
real network packets.
=)
Icya
Sanjay Rawat wrote:
Hi Israel:
This is Sanjay. Its nice to hear about your project, based on CBR. i
will be happy to participate in discussion on points/problems, which
you may face during the project. to my understanding, the main issue
in CBR is to represent the known cases (in your case, attacks) in an
effective manner. I find good theoretical papers, but less real-life
implementations of CBR. Most of the applications are from medical
side. There are couple of papers, suggesting the use of CBR in IDS (i
dont remember the references at present, probably some googling will
do that). which attack repository, are you going to use- DARPA?
best wishes and regards
Sanjay
At 08:13 PM 8/24/2005, Israel wrote:
Hello,
I'm developing a IDS project in my computer science graduation.
It will be use Case-Based Reasoning and handle a repository with the
malicious network log to generate responses.
The libpcap is used to capture a network trafic.
Have you suggestions to implementation?
The software is under GPL license and I would like to invite
interested peoples to program.
Thanx
Israel Rocha
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
------------------------------------------------------------------------
Sanjay Rawat
Senior Software Engineer
INTOTO Software (India) Private Limited
Uma Plaza, Above HSBC Bank, Nagarjuna Hills
PunjaGutta,Hyderabad 500082 | India
Office: + 91 40 23358927/28 Extn 422
Website : www.intoto.com
Homepage: http://sanjay-rawat.tripod.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
