Scoring System using IDS Alert

zamrootzamroot Registered Users Posts: 2 ■□□□□□□□□□
I have an idea to develop a project scoring system for games like capture the flag using IDS alert eg snort or bro. I need your comment and suggestion on this. Is it sound relevant or possible to do that? If relevant which IDS should I focus snort or bro or any others? Thanks.


  • CodyyCodyy Senior Member Member Posts: 223 ■■■□□□□□□□
    I'd probably focus on Snort. Interested in hearing how this works out, I could see someone gaming the system by just sending stuff that Snort shows as high severity(like shellcode) over and over. Do you have a plan to adjust/limit scoring for duplicate attacks?

    Good luck and keep us posted, sounds like a cool idea.
  • wastedtimewastedtime Member Posts: 586
    This is definitely relevant and a good way to identify bad/odd traffic without spending a lot of time on the normal stuff. I agree with Codyy that you should probably focus on Snort. I think scoring would be more accurate with Bro, but harder to achieve. The reason I say that is you would have to do a lot more cross log correlation to achieve the same effect in bro and that would add a lot of complexity once everything is said and done. Not to mention how hard it would be to tweak the scoring method without making many changes.
  • zamrootzamroot Registered Users Posts: 2 ■□□□□□□□□□
    Thanks for the feedback. Coody do you have more details about the game you mentioned? Maybe any reference/link?

    At the moment I'm still in initial study about this and still searching if any other project that related with this idea.
  • BlackBeretBlackBeret Member Posts: 684 ■■■■■□□□□□
    Snort seems like the better candidate for this, but I have some questions on what you're trying to achieve.

    Are you using the IDS detection to award points or take away points? I ask because even in a game environment a lot of attacks aren't going to be picked up by the IDS. Unless you're trying to award points for a properly executed <insert X exploit>. If you're going to use an IDS system to take away points, you could configure it to IPS mode and simply block the attacks that it alerts on so that they can't get points.

    Honestly I can't see anything on the network that can/will catch everything. One of the finer points of pentesting is to stay under the radar and develop/use new attack methods.

    I haven' participated in any SANS challenges yet so take what I say with a grain of salt, but I read a bit about their scoring system and how people attempt to ****, it was a good article. I'll look for it later. The basics is that a scoring server is set up, and on each machine is a hash that is only readable by X level (User, root, etc). Once users penetrate the machine they copy the hash and paste it in to the scoring server to award points. One method students were using to try and **** the system was to use a sniffer on the network and capture these hashes as other teams were sending them to the server.
Sign In or Register to comment.