This talk will discuss leveraging in-house, architecture-specific knowledge to build custom detection methodologies. One of the very few advantages defenders have over attackers, at least at the beginning, is an intimate (we hope) knowledge of the underlying architecture and process flows of a web front end. Combining this knowledge with Netflow analysis and generation software, as well as the Snort IDS, a custom detection system can be built to provide unique, implementation-specific detection. We will look at the Snort rules and preprocessors specifically geared towards web-based protocols, including in-depth technical reviews of functionality added in recent Snort updates. We'll also look at how Netflow data can be generated (both from network devices and servers) and how it, along with the data from Snort, can be used to provide a broader security picture.
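To make "implementation-specific detection" concrete, here is an added example (not code from the talk or from Sourcefire) of the flow-side half of the idea: a NetFlow v5 decoder feeding an allow-list that encodes a hypothetical three-tier web architecture (web, app, database). Any flow the architecture does not account for is reported. The tier subnets, ports and the export packet are all constructed for illustration and are not the speaker's environment.

```python
"""
Architecture-aware flow allow-listing over NetFlow v5 exports.

Added example, not from the talk: decode a constructed NetFlow v5 packet
and flag flows that violate a hand-written model of a three-tier web
deployment. All addresses, ports and the packet itself are constructed.
"""
import ipaddress
import struct
from typing import Dict, List

HEADER_FMT = "!HHIIIIBBH"                 # NetFlow v5 header, 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # NetFlow v5 flow record, 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
TCP = 6

# Hypothetical tier layout (an assumption for this example).
WEB_TIER = ipaddress.ip_network("10.0.1.0/24")
APP_TIER = ipaddress.ip_network("10.0.2.0/24")
DB_TIER = ipaddress.ip_network("10.0.3.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# (src_net, dst_net, dst_port, proto): the only flows the architecture
# says should exist. Anything else is a finding worth a look.
ALLOWED_FLOWS = [
    (ANY, WEB_TIER, 443, TCP),        # clients -> web front end
    (WEB_TIER, APP_TIER, 8080, TCP),  # web -> application tier
    (APP_TIER, DB_TIER, 3306, TCP),   # app -> database
]


def parse_netflow_v5(packet: bytes) -> List[Dict]:
    """Decode a NetFlow v5 export packet into a list of flow dicts."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than a NetFlow v5 header")
    version, count, *_ = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated export: header count exceeds payload")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, packet[off:off + RECORD_LEN])
        flows.append({
            "src": ipaddress.ip_address(f[0]), "dst": ipaddress.ip_address(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def flow_allowed(flow: Dict) -> bool:
    """True if the flow matches an allowed tuple in either direction.

    NetFlow records are unidirectional, so the server's reply
    (src=server, sport=service port) must be accepted as well.
    """
    for src_net, dst_net, port, proto in ALLOWED_FLOWS:
        if flow["proto"] != proto:
            continue
        forward = flow["src"] in src_net and flow["dst"] in dst_net and flow["dport"] == port
        reverse = flow["dst"] in src_net and flow["src"] in dst_net and flow["sport"] == port
        if forward or reverse:
            return True
    return False


def find_violations(packet: bytes) -> List[Dict]:
    """Return the flows in an export that the architecture model does not explain."""
    return [f for f in parse_netflow_v5(packet) if not flow_allowed(f)]


def _record(src, dst, sport, dport, proto=TCP, pkts=10, octets=4000) -> bytes:
    """Build one constructed NetFlow v5 record (unused fields zeroed)."""
    return struct.pack(RECORD_FMT,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
                       b"\x00" * 4, 0, 0, pkts, octets, 0, 0, sport, dport,
                       0, 0x18, proto, 0, 0, 0, 24, 24, 0)


def build_packet(records: List[bytes]) -> bytes:
    """Wrap constructed records in a NetFlow v5 header."""
    return struct.pack(HEADER_FMT, 5, len(records), 0, 0, 0, 0, 0, 0, 0) + b"".join(records)


# Constructed export: three legitimate flows, one reply, two violations.
SAMPLE_PACKET = build_packet([
    _record("198.51.100.7", "10.0.1.10", 51000, 443),   # client -> web (ok)
    _record("10.0.1.10", "198.51.100.7", 443, 51000),   # web -> client reply (ok)
    _record("10.0.1.10", "10.0.2.20", 40001, 8080),     # web -> app (ok)
    _record("10.0.2.20", "10.0.3.30", 40002, 3306),     # app -> db (ok)
    _record("10.0.1.10", "10.0.3.30", 40003, 3306),     # web -> db, bypasses app tier
    _record("10.0.1.10", "203.0.113.5", 40004, 4444),   # web server initiating outbound
])

if __name__ == "__main__":
    for v in find_violations(SAMPLE_PACKET):
        print(f"unexpected flow {v['src']}:{v['sport']} -> {v['dst']}:{v['dport']} "
              f"proto={v['proto']} bytes={v['bytes']}")
```

The model is deliberately small: the value comes from the defender already knowing that the web tier never talks to the database directly and never initiates outbound connections, knowledge an attacker has to discover. In practice the allow-list would be generated from the deployment inventory rather than typed by hand, and Snort's HTTP-aware rules would cover the payload side that flow records cannot see.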
Matthew Olney is a research engineer with Sourcefire's Vulnerability Research Team. In addition to his time at Sourcefire, he has worked in network and security operations groups at Network Solutions, Verisign and U.S. Government organizations.