Project: Discovery of rule misconfigurations in intrusion detection and response devices
The Snort and Bleeding Edge Threats rule sets were analyzed as preconfigured. Although Snort supports various rule options, only the payload- and header-related information is relevant to attack detection, so we ignored the general and post-detection rule options, e.g., msg, reference, session, etc. Since the Snort rule syntax allows the same rule option to be defined several times within one rule, the IntraRuleAudit() algorithm was reconfigured to analyze rules for contradicting conditions only. The following are the results for the Snort IDS rule sets:
| Rule set |
| --- |
| attack-responses.rules |
| chat.rules |
| ddos.rules |
| policy.rules |
| ftp.rules |
| sql.rules |
| web-cgi.rules |
| voip.rules |
| smtp.rules |
| web-misc.rules |
| web-client.rules |
| icmp-info.rules |
| bleeding-attack_response.rules |
| bleeding-exploit.rules |
| bleeding-web.rules |
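The intra-rule audit described above, as an added example written for this page (it is not the project's own IntraRuleAudit() implementation, which the page does not show). The script parses one Snort rule into its header and option list, drops the general and post-detection options (msg, sid, reference, session, etc.), and then checks repeated detection options of the same rule for conditions that can never hold together: flow required in both directions, the same content pattern both required and forbidden, and dsize constraints whose intersection is empty. The set of ignored options, the Snort 2 interpretation of `dsize:a<>b` as an open interval, and the sample rules are assumptions of this example; the sample rules are constructed and not taken from any Snort or Bleeding Edge rule set.

```python
import re

# General and post-detection options carry no detection semantics, so the audit
# drops them (set taken from the Snort 2 manual; an assumption of this example).
NON_DETECTION_OPTIONS = {
    "msg", "reference", "gid", "sid", "rev", "classtype", "priority", "metadata",
    "logto", "session", "resp", "react", "tag", "activates", "activated_by",
    "count", "detection_filter",
}

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def split_options(body):
    """Split the option body on ';', ignoring ';' inside quoted strings."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    return opts + [tail] if tail else opts

def parse_rule(text):
    """Return (header dict, [(option, value), ...]) keeping detection options only."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    header = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    options = []
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        name = name.strip()
        if name and name not in NON_DETECTION_OPTIONS:
            options.append((name, value.strip()))
    return header, options

def dsize_interval(value):
    """One dsize value as an inclusive [lo, hi] payload-size interval.
    'a<>b' excludes both ends, as Snort 2 evaluates it (assumption)."""
    if "<>" in value:
        a, b = (int(x) for x in value.split("<>"))
        return a + 1, b - 1
    if value[0] == "<":
        return 0, int(value[1:]) - 1
    if value[0] == ">":
        return int(value[1:]) + 1, 65535
    return int(value), int(value)

def intra_rule_audit(text):
    """List the contradictions between the detection conditions of one rule."""
    _, options = parse_rule(text)
    findings = []
    # flow: no packet travels in both directions or is both established and stateless
    flow = set()
    for name, value in options:
        if name == "flow":
            flow.update(v.strip() for v in value.split(","))
    if flow & {"to_server", "from_client"} and flow & {"to_client", "from_server"}:
        findings.append("flow: both directions required")
    if {"established", "stateless"} <= flow:
        findings.append("flow: established and stateless")
    # content: the same pattern required (content:"x") and forbidden (content:!"x")
    required = {v for n, v in options if n == "content" and not v.startswith("!")}
    forbidden = {v[1:].strip() for n, v in options if n == "content" and v.startswith("!")}
    for pattern in sorted(required & forbidden):
        findings.append("content: %s both required and forbidden" % pattern)
    # dsize: intersect every size constraint; an empty interval never matches
    lo, hi = 0, 65535
    for name, value in options:
        if name == "dsize":
            a, b = dsize_interval(value)
            lo, hi = max(lo, a), min(hi, b)
    if lo > hi:
        findings.append("dsize: constraints exclude every payload size")
    return findings

def audit_rule_file(lines):
    """Audit each rule of a rules file; returns [(line_no, findings)] for bad rules."""
    results = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if line and not line.startswith("#"):
            findings = intra_rule_audit(line)
            if findings:
                results.append((line_no, findings))
    return results

# Constructed sample rules; they are not taken from any Snort or Bleeding Edge set.
SAMPLE_RULES = [
    "# constructed examples",
    'alert tcp any any -> any 80 (msg:"ok rule"; flow:to_server,established; '
    'content:"GET"; nocase; dsize:>10; sid:1000001; rev:1;)',
    'alert tcp any any -> any 80 (msg:"both directions"; flow:to_server; '
    'flow:to_client; content:"POST"; sid:1000002;)',
    'alert udp any any -> any 53 (msg:"impossible size"; dsize:<10; dsize:>100; sid:1000003;)',
    'alert tcp any any -> any 21 (msg:"pattern required and forbidden"; '
    'content:"USER"; content:!"USER"; sid:1000004;)',
]

if __name__ == "__main__":
    for line_no, findings in audit_rule_file(SAMPLE_RULES):
        print("line %d: %s" % (line_no, "; ".join(findings)))
```

Run against a real rules file, `audit_rule_file(open("web-misc.rules").read().splitlines())` flags only rules whose own conditions are mutually exclusive; conflicts between different rules (inter-rule anomalies) are deliberately out of scope here, matching the contradiction-only configuration described above. Content modifiers such as nocase, offset and depth are kept as detection options but not interpreted, so two content patterns that differ only in modifiers are treated as different patterns.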