<br><div class="gmail_quote">On Thu, Oct 16, 2008 at 7:00 PM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
OK, those are my initial wish list items. Who has more? What else should<br>
we do? Any problems with the above?<br>
<br>
Matt<br></blockquote></div><br>I like all of the ideas above. :)<br><br>I would like to see more event correlation functionality built into detection engines. I give the example of all the recent distributed SSH brute force issue (or the distributed SQL Injection method used by the Asprox botnet) that is becoming more common. The majority of IDS/IPS engines will not trigger on this kind of distributed traffic.<br>
<br>I would like to see the ability for the engine to track these connections to a common destination from multiple sources and then assess the weight of the traffic that is hitting the system within a given time window. I agree that this would be hard to do without blocking legitimate sources, but I see this as being one of the largest downfalls in modern IDS/IPS.<br>
<br>-- <br>Thx<br>Joshua Gimer<br>