IDS Gone Bad

Presented at ShmooCon I (2005), Feb. 4, 2005, 5 p.m. (60 minutes)

We've all done Snort. Woopeee. Snort with perl plugins. It's been done. But what happens when the rules nazi gets his title stripped with only the shortest of "we will miss you" thank-you notes? He starts working on the darker side of Snort.

* Think Snort
* Think Snort with Perl
* Think Snort modifiable at runtime, thanks to perl
* Think Snort that gets new rules via packets, thanks to perl
* Think Snort that gets new functionality via packets, thanks to perl
* Think Snort that gets ATTACK functionality, via packets, thanks to perl
* Think Snort as a worm

Ok, so maybe that's a bit too much thinking. Snort, it's not just for protecting your cablemodem anymore.

Presenters:

  • Cazz - The Shmoo Group
    Brian Caswell is a member of the Snort core team, where he is the primary author for the world's most widely used intrusion detection rulesets. He has been a part of two books, the Snort books from Syngress. He is a member of the Shmoo group, an international not-for-profit, non-milindustrial independent private think tank. Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire. Not only can Brian do IDS, he is a Pokemon Master Trainer. In his free time, Brian likes to teach his young son Patrick to write perl, reverse engineer network protocols, poke people with rapiers, and autocross at the local SCCA events.
