Translating Snort rules to STATL scenarios

Author: Steven T. Eckmann

Abstract: The number of intrusion detection systems (IDSs) is large and growing. Most IDSs are signature based, which means that they include signatures for some collection of known attacks and monitor an event stream looking for instances of any attack in their collection. There is enormous duplication of effort within the IDS community, as each newly discovered attack requires an independent specification for each IDS. Sharing signature collections has obvious advantages for the community as a whole, mainly by (1) allowing better allocation of scarce resources (developers and researchers) and (2) supporting peer review of signature collections, which can lead to better detectors. Snort is an IDS with published signatures. This paper considers the automated translation of Snort rules into STATL scenarios. Automatically translating Snort rules into STATL scenarios has the practical effect of making Snort's signatures usable by NetSTAT sensors, with essentially no new development work. A snort2statl translator has been developed that implements the described scheme. The signature-specifying elements of the Snort rule language are easy to translate into STATL, but developing the scheme and its implementation, and then translating the complete set of standard Snort rules into scenarios, raised a few issues that are discussed.
