I signed up for a course on developing effective intrusion prevention and detection signatures. This is a two-day course and today was day 1. I had two reasons for selecting this course. The first was the individuals running the course. Both had presented some excellent research in the past and I was interested in learning more about what they had to say and to meet them. The second reason was that these individuals have spent a great number of years creating signatures as part of their job. The experiences they share about that would be valuable. The two individuals are Rohit Dhamankar and Rob King.
I didn’t learn very much in the first part of the course. We reviewed the IP packet, its associated fields and their meaning. We discussed fragmentation, how it works, why it happens, and how it is used to launch effective attacks. We reviewed how to use mathematical operations such as bitwise AND to isolate parts of a packet field that are of interest. We were shown a simple ‘SYN-FLOOD’ attack capture file. All of these concepts had exercises the class did and reviewed.
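As an added example (not material from the course or from the author), here is how the bitwise-AND field isolation and the fragmentation checks mentioned above look in Python; the sample header bytes and the set of fragment checks are constructed assumptions, not the course’s own.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # the fixed 20-byte IPv4 header layout

# Constructed sample header (not a capture from the course): version 4, IHL 5,
# total length 1500, ID 0x1234, flags/offset 0x2000 (MF set, offset 0),
# TTL 64, protocol 6 (TCP), checksum left 0, 192.0.2.1 -> 198.51.100.7
SAMPLE_HEADER = struct.pack(IPV4_FMT, 0x45, 0, 1500, 0x1234, 0x2000, 64, 6, 0,
                            bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


def parse_ipv4_header(raw: bytes) -> dict:
    """Split the packed header with struct, then isolate sub-fields by AND/shift."""
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes for an IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, raw[:20])
    return {
        "version": ver_ihl >> 4,                   # high nibble
        "ihl_bytes": (ver_ihl & 0x0F) * 4,         # low nibble, in 32-bit words
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),           # bit 14: Don't Fragment
        "mf": bool(flags_frag & 0x2000),           # bit 13: More Fragments
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # low 13 bits, 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def is_fragment(fields: dict) -> bool:
    """MF set or a non-zero offset means this packet belongs to a fragment train."""
    return fields["mf"] or fields["frag_offset"] > 0


def fragment_concerns(fields: dict) -> list:
    """Header-only sanity checks a signature writer would flag (assumed set, not the course's)."""
    payload = fields["total_length"] - fields["ihl_bytes"]
    issues = []
    if fields["df"] and is_fragment(fields):
        issues.append("DF set on a fragment")
    if fields["mf"] and payload % 8:
        issues.append("non-final fragment payload not a multiple of 8")
    if fields["mf"] and fields["frag_offset"] == 0 and fields["protocol"] == 6 and payload < 20:
        issues.append("initial TCP fragment too small to hold a 20-byte TCP header")
    if is_fragment(fields) and fields["frag_offset"] + payload > 65535:
        issues.append("reassembled datagram would exceed 65535 bytes")
    return issues
```

Run `fragment_concerns(parse_ipv4_header(SAMPLE_HEADER))` to see the clean sample produce no findings; feeding it a header with the DF bit and a non-zero offset, or a tiny first fragment, makes the corresponding check fire.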
The afternoon section brought with it mostly regular expressions. We started with the syntax and how it works. There were several exercises the class did which became increasingly complicated. Rohit and Rob discussed good signature writing. This is where the class started to get interesting for me. I was keen for them to discuss their experiences with signature writing. They discussed writing signatures to detect the vulnerability, not the exploit, how to avoid false positive signature matches, and the complexities around this such as regex ‘sliding match’. All of these had multiple examples and exercises the class went through. These exercises and the discussion around them were extremely useful for me.
It was very obvious Rob and Rohit really enjoy their work. Rob stated several times how he ‘loved his job’ and you can tell just by watching and listening to him. There is an obvious excitement in his body language and voice when he discusses good signature creation. Rohit, although not as animated, knows his topic and explains concepts and experiences very well. He is a Director of Security Research and can still discuss in very technical detail how fragmentation works. In my book that deserves and gets respect, and I am impressed he is able to keep his technical skill up while being in a management position. That speaks well for his company.
