Sp_Perl for Snort
On Saturday, Jeff Nathan announced that he and Brian Caswell have developed a new plugin for Snort: sp_perl. This detection plugin offers users full regular expression matching within a Snort rule, as well as runtime execution of Perl code. They briefed their work at CanSecWest 03. At the same conference, Jed Haile gave a short presentation on using Argus to monitor network flows. Russell Fulton has been doing the same thing with Argus for at least four years. Argus was publicly announced almost exactly seven years ago. I learned similar techniques working with the Air Force's ASIM sensor, developed in the mid-1990s.