Sorry to hijack this thread and throw it off in a slightly different
direction, but I had some comments to slide in...
On Mar 13, 2009, at 11:13 AM, Zow Terry Brugger wrote:
> Someone mentioned Bro specifically. I don't think Bro provides
> anything new and interesting in the signature detection realm.
I would argue that it does to some degree at least. We started
running a signature recently that I wrote to detect the presence of
SSN-like data in our network traffic. Where Bro's signature
capabilities shine in this circumstance is that calls can be made with
the content of the match out to Bro policy script code. My policy
script then validates the potential matches in a list of known OSU-
related SSNs which removes huge numbers of false positives without
having to resort to post processing.
It reflects what I consider as the general "win" of Bro which is the
domain specific language that it uses. I can't be very expressive
with signatures, but with a full programming language I can be very
specific with the behavior that I want to see on the network.
> The real interesting things I've seen come out of Bro only used Bro
> for basic data collection, which an analyst was then able to find
> interesting patterns from. This goes strongly to Staniford's point
> about Paxson diving into the live data.
There is a slow progression in the Bro community toward collecting
data over a period of time to indicate some activity in progress that
isn't obvious from a single packet or session. We've been using a
policy for over a year now that fairly quickly detects when we have
someone abusing a compromised webmail account. We look into SMTP
message contents to see if the mail was sent from a webmail interface
based on the "X-Agent" or "User-Agent" mail headers. If it is, we
keep track of how many recipients the sender has sent email to with
the webmail interface and it points out people that are sending too
much webmail in too short of a period of time.
Ultimately, it's creating a summary of activity based on a number of
sessions over a relatively long period of time.
Is there anything else available that would allow me to be as
expressive as that? (this isn't a snarky question, I'm honestly curious)
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
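Added example, not Seth's Bro signature or policy script: the two detections described in the message above, modelled in Python rather than Bro's script language. The first half is the SSN check, a signature stage (regex) handing each match to a "policy" stage that discards structurally impossible numbers and keeps only those on a known list; the second half is the webmail abuse check, which reads the X-Agent / User-Agent headers named in the message and counts distinct recipients per sender over a sliding time window. KNOWN_SSNS, the "webmail" marker string, the threshold and window values, and the sample header blocks are all constructed placeholders, not OSU data.

```python
import re
from collections import defaultdict, deque
from email.parser import Parser
from email.utils import getaddresses

# ---- Part 1: signature match + policy-script style validation ----

# Signature stage: anything shaped like an SSN (AAA-GG-SSSS).
SSN_SIGNATURE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

# Constructed placeholder standing in for the site's list of known SSNs.
KNOWN_SSNS = frozenset({"123-45-6789", "234-56-7890"})


def ssn_structurally_valid(area, group, serial):
    """Reject forms the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or group == "00" or serial == "0000")


def validate_ssn_matches(payload, known=KNOWN_SSNS):
    """Policy stage: of the regex hits, keep only plausible numbers that are on the known list."""
    confirmed = []
    for m in SSN_SIGNATURE.finditer(payload):
        area, group, serial = m.groups()
        if not ssn_structurally_valid(area, group, serial):
            continue  # looks like an SSN but cannot be one: cheap false-positive cut
        candidate = m.group(0)
        if candidate in known:
            confirmed.append(candidate)
    return confirmed


# Constructed payload: one implausible hit, one known hit, one plausible-but-unknown hit.
SAMPLE_PAYLOAD = "ref 000-12-3456; id 123-45-6789; other 987-65-4321"


# ---- Part 2: stateful webmail recipient counting over a time window ----

WEBMAIL_MARKER = "webmail"  # constructed: substring identifying the webmail client in X-Agent/User-Agent


class WebmailRecipientTracker:
    """Per-sender sliding window of (timestamp, recipient) for mail sent through the webmail interface."""

    def __init__(self, threshold=25, window_seconds=3600):
        self.threshold = threshold          # distinct recipients that trigger a notice (constructed default)
        self.window = window_seconds        # length of the sliding window (constructed default)
        self._events = defaultdict(deque)   # sender address -> deque of (timestamp, recipient)

    def observe(self, timestamp, raw_headers):
        """Feed one message's header block. Returns (sender, distinct_recipients) when the
        threshold is reached inside the window, otherwise None."""
        msg = Parser().parsestr(raw_headers, headersonly=True)
        agent = msg.get("X-Agent") or msg.get("User-Agent") or ""
        if WEBMAIL_MARKER not in agent.lower():
            return None  # not sent via the webmail interface; ignore desktop clients
        froms = getaddresses(msg.get_all("From", []))
        sender = froms[0][1] if froms else ""
        recipients = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        q = self._events[sender]
        for r in recipients:
            q.append((timestamp, r))
        cutoff = timestamp - self.window
        while q and q[0][0] < cutoff:   # expire observations that fell out of the window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) >= self.threshold:
            return sender, len(distinct)
        return None


# Constructed sample traffic: (arrival time in seconds, SMTP header block).
SAMPLE_MESSAGES = [
    (0, "From: alice@example.edu\nTo: bob@example.edu\nX-Agent: Example Webmail 1.0\nSubject: hi\n"),
    (50, "From: alice@example.edu\nTo: eve@example.edu\nUser-Agent: Thunderbird/2.0\nSubject: desktop\n"),
    (100, "From: alice@example.edu\nTo: carol@example.edu\nCc: dave@example.edu\nX-Agent: Example Webmail 1.0\nSubject: again\n"),
    (5000, "From: alice@example.edu\nTo: frank@example.edu\nX-Agent: Example Webmail 1.0\nSubject: later\n"),
]


def run_webmail_demo(threshold=3, window_seconds=600):
    """Replay the sample messages in order; one result per message."""
    tracker = WebmailRecipientTracker(threshold, window_seconds)
    return [tracker.observe(ts, hdrs) for ts, hdrs in SAMPLE_MESSAGES]


if __name__ == "__main__":
    print("confirmed SSNs:", validate_ssn_matches(SAMPLE_PAYLOAD))
    for (ts, _), result in zip(SAMPLE_MESSAGES, run_webmail_demo()):
        print(f"t={ts:5d} -> {result}")
```

With the constructed inputs the SSN stage keeps only 123-45-6789, and the tracker stays quiet on the Thunderbird message, raises a notice when alice reaches three distinct webmail recipients within the 600-second window, and is quiet again at t=5000 once the earlier recipients have aged out.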