[Discussion] Auto-Sig Creation

Matt Jonkman jonkman at jonkmans.com
Sun Mar 1 15:24:53 UTC 2009


> Kevin Ross wrote:
> 
> Perhaps the most ambitious of them all. If an attack is seen through
> various methods, say a new worm. If it is unknown by the system and
> confirmed by an analyst a signature can be created by the sensor,
> perhaps with help from the analyst specifying a few options like what
> to match upon and distributed to other systems around the world that
> choose to accept such updates. Perhaps submitted and checked first by
> some central body to avoid someone submitting fake sigs to the
> distributed system, then it can be automatically downloaded by sensors
> which allow such updates. During a new fast spreading worm this could
> mean sensors can be updated with this information quickly with little
> intervention from the "clients" in the distributed system such as homes
> and businesses.


A few thoughts of mine:

1. We're way into post event analysis, not engine stuff. But still
something to discuss. (Our core charter is to build a new engine, but we
aren't LIMITED to that necessarily, other than by resources)

2. I've never been a huge fan of automated sig creation tools. They are
useful in finding patterns that a human can then do something with, but
the human still has to fully understand the protocol. I have tried using
the auto creation tools on malware CnC channels though which may not be
the fairest test. Most I had to try the tools on were encrypted without
anything in the way of headers, so tough to sig regardless. They may
fare better on a netbios overflow or something, I don't know.

But I like the idea of "if we see something strange let's have a way to
see where else that's happening" in a quick way the average IDS admin
could employ...

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
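The loop Kevin sketches above (analyst confirms an event, writes a signature, a central body vets it, sensors that opt in load it and can then answer "where else is this happening?") can be modelled in a few dozen lines. The following is an added illustration for this thread, not code from Emerging Threats or from the engine project under discussion. It assumes a JSON signature bundle, a central-body authentication tag over that bundle, and constructed flow records; HMAC-SHA256 with a shared key stands in for the public-key signature a real central body would publish, purely so the example runs with the Python standard library alone.

```python
"""Toy model of a vetted signature-distribution loop (added illustration).

The sensor only loads a bundle whose tag was produced by the central body,
so a fake signature pushed into the distributed system is refused. The
shared HMAC key is an assumption made to stay stdlib-only; a deployment
would use an asymmetric signature. All traffic samples are constructed.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed key shared by the central body and sensors (assumption).
CENTRAL_KEY = b"constructed-central-body-key"


def sign_bundle(sigs: List[Dict], key: bytes = CENTRAL_KEY) -> Dict:
    """Central body wraps analyst-submitted signatures with an auth tag."""
    payload = json.dumps(sigs, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_bundle(bundle: Dict, key: bytes = CENTRAL_KEY) -> List[Dict]:
    """Sensor side: refuse to load anything the central body did not tag."""
    payload = bundle["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle.get("tag", "")):
        raise ValueError("bundle rejected: bad or missing central-body tag")
    return json.loads(payload)


@dataclass
class Sig:
    sid: int
    msg: str
    proto: str
    dport: int
    content: bytes  # the bytes the analyst chose to match upon


def compile_sigs(raw: List[Dict]) -> List[Sig]:
    """Turn verified JSON records into matchable signature objects."""
    return [Sig(r["sid"], r["msg"], r["proto"], r["dport"], r["content"].encode())
            for r in raw]


def match(sigs: List[Sig], flows: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (sid, src, dst) for every flow a loaded signature matches."""
    hits = []
    for f in flows:
        for s in sigs:
            if (f["proto"] == s.proto and f["dport"] == s.dport
                    and s.content in f["payload"]):
                hits.append((s.sid, f["src"], f["dst"]))
    return hits


def build_flows() -> List[Dict]:
    """Constructed flow records standing in for what a sensor observed."""
    return [
        {"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "tcp", "dport": 445,
         "payload": b"\x00\x00\x00\x54 CONSTRUCTED-WORM-MARKER \x90\x90"},
        {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "dport": 445,
         "payload": b"ordinary session setup, nothing to see"},
        {"src": "10.0.1.2", "dst": "10.0.0.3", "proto": "tcp", "dport": 445,
         "payload": b"CONSTRUCTED-WORM-MARKER again"},
        {"src": "10.0.1.4", "dst": "10.0.0.3", "proto": "tcp", "dport": 80,
         "payload": b"GET / CONSTRUCTED-WORM-MARKER"},  # wrong port: no hit
    ]


def demo() -> Tuple[List[Tuple[int, str, str]], bool]:
    """Run the loop once: vet, load, search, and reject a tampered bundle."""
    analyst_sig = [{"sid": 9000001, "msg": "constructed worm marker on tcp/445",
                    "proto": "tcp", "dport": 445,
                    "content": "CONSTRUCTED-WORM-MARKER"}]
    bundle = sign_bundle(analyst_sig)
    loaded = compile_sigs(verify_bundle(bundle))
    hits = match(loaded, build_flows())

    # Someone appends a fake signature to the payload without re-tagging it.
    fake = dict(bundle)
    fake["payload"] = json.dumps(analyst_sig + [
        {"sid": 1, "msg": "fake", "proto": "tcp", "dport": 80, "content": "GET"}])
    try:
        verify_bundle(fake)
        fake_rejected = False
    except ValueError:
        fake_rejected = True
    return hits, fake_rejected


if __name__ == "__main__":
    found, rejected = demo()
    for sid, src, dst in found:
        print(f"sid {sid}: {src} -> {dst}")
    print("tampered bundle rejected:", rejected)
```

The two answers the model gives back are the ones the thread cares about: the loaded signature points at the two hosts where the marker was seen on the expected port (the host that carried the same bytes on port 80 is not reported, which is exactly the "what to match upon" choice the analyst makes), and a bundle altered after the central body tagged it never reaches the matcher.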