An automatic scheme to construct Snort rules from honeypots data
A scheme to construct signatures automatically for Snort from the data captured by honeypots is presented.With this scheme intrusion detection systems can be quickly updated to detect new intrusions soon when happen. The idea is based on the observation that any traffic to and from honeypots represents abnormal activities, so data patterns extracted from these packets can be used by misuse detection system to identify new attacks. The algorithm of constructing rules is discussed. Experiment illustrates the effectiveness of the scheme.