Monday, December 21, 2009

Rule2Alert Project Release

This is an idea I had a while ago and the Rule2Alert project implemented it (awesome work Josh)

Step1. Take a snort rule like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Snort alert"; flow:to_server,established; content:"|56 24 5a 63|"; content:"hey"; distance:5; within:12; sid:2000000; rev:1;)

Step2. Create a pcap (packet capture file) or network traffic to trigger this rule.
(Mind you certain things like pcre are incredibly challenging to implement)

Why is this useful you say?
I can see many uses -

1) You can test your rules to make sure they work

2) You can determine if overlap exists between one or more different rule (therefore, consider disabling one, or merging the rule into one). This was a goal of one of the public community/EmergingThreats/Sourcefire project that I think has dropped off the radar since it was initially started.

3) You can also test other non-snort Intrusion Detection Engines for known signatures to determine how much overlap exists.

4) An attacker could also use this tool to do some sneaky things. I won't go into much detail here, but leave a comment if you think of anything.

More on the project from "New Project - Rule2Alert" at or get the source code from

No comments:

Post a Comment