Alex Kirk – Snort Rules Writing
Alex Kirk is a Security Engineer for Sourcefire (now a part of Cisco) covering the southeast US. Previously, he spent 9.5 years with the company’s Vulnerability Research Team, where he focused on Snort signature writing, packet/vulnerability/malware analysis, etc.; in his last 4 years there, Alex ran the VRT’s intelligence-sharing programs. He contributed a pair of Snort-related chapters to “Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century,” and was a regular contributor to the widely-read VRT blog (http://vrt-blog.snort.org/). He speaks at conferences worldwide on topics as diverse as “Malware Mythbusting” and “Reducing 0-Day Exposure Through Information-Sharing”, at venues including FIRST, Ekoparty, H2HC, HITB Malaysia, Ruxcon, CARO, You Sh0t the Sheriff, and of course other B-Sides locations.
I take four different types of exploits, commonly seen in the wild today, demonstrate the logic necessary to detect them, and then show how to express that logic in the form of Snort rules. The material is designed to appeal to both the novice and intermediate Snort rule writer – no previous experience is necessary, but more advanced topics are also covered for current IDS analysts. The talk is at its best when the audience is asking questions and being interactive, so please, come in and join me!