Translating Snort rules to STATL scenarios

The number of intrusion detection systems (IDSs) is large and growing. Most IDSs are signature based, which means that they include signatures for some collection of known attacks, and monitor an event stream looking for instances of any signature in their collection. There is an enormous duplication of effort within the IDS community, as each newly discovered attack requires independent specification for each IDS. Sharing of signature collections has obvious advantages for the IDS community as a whole, mainly by (1) allowing better allocation of scarce resources (developers and researchers) and (2) supporting peer review of signature collections, which can lead to better signatures and better detectors. Snort is an IDS with a large published collection of signatures. This paper considers automated translation of Snort rules to STATL scenarios. Automatically translating Snort rules to STATL scenarios has the practical effect of allowing the use of Snort’s large signature collection with NetSTAT sensors, with essentially no new work as new Snort signatures are developed. A snort2statl translator has been developed that implements the described translation scheme. Most of the signaturespecifying elements of Snort’s rule language are easy to translate to STATL, but developing the translation scheme and its implementation, and then translating the complete set of rules in the standard Snort rule set into STATL scenarios, raised a few issues that are discussed.