Automated snort signature generation

Network intrusion systems work on many models, but at their core they rely on algorithms to process data and determine if the network traffic is malicious in nature. Snort is the most widely-used open source network based Intrusion Prevention System / Intrusion Detection System (IPS/IDS) system. It works by comparing network traffic to a list or lists of rules to determine if and what action should be taken. These rules are referred to as signatures, since they are intended to identify a single pattern of network traffic just like a physical signature identifies a single author. I have developed an algorithm that accepts as input any file or a directory and outputs Snort signatures. This action allows a quick turnaround in creating a rule to stop specific information from traversing the network. By using such a tool, Systems Administrators can better protect their environments through custom rule sets. To verify the algorithm, I generated files of various types containing randomized content and parsed them to generate rules. I then used a Snort installation to process the rules and a packet capture containing the files to determine if the rules operated as intended. Previously, the creation of rules typically was limited to a very small group of experts that focus solely on such tasks. The core of this research is to enable users to easily create a custom Snort installation, in addition to utilizing the default signatures all Snort deployments use. This increases the security of the assets that each site considers valuable and can be used to prevent data breaches that a typical IDS/IPS deployment could not. The algorithm I have developed is a beginning to the process of creating custom rule sets in an automated manner based on the unique content of each user’s environment