Jeremy: Yes, I've used pefile from time to time, and I think that integrating it with live traffic sniffing as some sort of plugin would be awesome (similar to the pehunter Snort plugin).<br><br>Jason: Dead on. Almost every feature discussed on this list is found in at least one existing program. Designing a robust, extensible command and management "glue" for these tools seems like the most bang for our buck.<br>
<br>--Martin<br><br><div class="gmail_quote">On Fri, Nov 7, 2008 at 12:22 PM, Jason Lewis <span dir="ltr"><<a href="mailto:jlewis@packetnexus.com">jlewis@packetnexus.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
First, I like where the conversations have gone in regards to solving<br>
issues that network operators have.<br>
<br>
Can anyone point to a tool/app that attempts to do everything and does<br>
all those things well? The idea of tagging streams and packets is a<br>
good one and the idea of including flows is also valuable, but at what<br>
point do we say "this is trying to do too much"? Wouldn't time be<br>
better spent building a system that can manage the tasking of other<br>
devices for the end goal of preventing network attacks? Instead of<br>
building a tool that stores netflow, how about a tool that can control<br>
devices that already collect netflow and use that data in a smarter way?<br>
<br>
jas<br>
<div><div></div><div class="Wj3C7c"><br>
Jeremy Hewlett wrote:<br>
> Greets all,<br>
><br>
> After having an impromptu conversation with Jonkman about IDS features, we<br>
> decided I should post some of my thoughts here and see what you guys think.<br>
><br>
> One of my long-standing irritations with IDS is a lack of ability to know<br>
> what else occurred after an alert was tripped. So, to that end, I've listed<br>
> out my thoughts in order from easy implementation to harder to implement.<br>
><br>
> Currently within Snort we can enable tagging on a rule so that we may<br>
> follow streams/packets after an event. This is often useful to me, in the<br>
> very least, to ascertain if an attack succeeded. Unfortunately, the act of<br>
> enabling tagged packets is tedious (but scriptable) task if I have more<br>
> than a handful of rules I want to modify. A method of globally setting a<br>
> tag definition that would apply to (groups of? all?) rules would be the<br>
> preferable way to accomplish this.<br>
><br>
> The second, but related thing I'd like to see is a method of recording IP<br>
> flows. I find this type of thing useful for statistical analysis, the IDS<br>
> already has this information available to it, and it mostly solves the<br>
> issue of not knowing what traffic (if any) occurred after an attack. It's<br>
> actually better because it doesn't necessarily require a rule being tripped<br>
> first... which leads me to my third point.<br>
><br>
> Anomaly detection / ability to learn normal network behavior. I'm sort of<br>
> disillusioned with rule-based IDS, especially now that targetted attacks<br>
> are becoming more prominent. An ability for an IDS to learn a network and<br>
> recognize bad/unusual/odd traffic patterns and payloads would be a huge<br>
> boon. This also fits in well with PassiveAppOSIdentification that I saw<br>
> already listed on the OpenInfosec feature list.<br>
><br>
> Anyway, those are my thoughts. I tried to keep it brief, so let me know<br>
> if I need to expand on anything.<br>
><br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
><br>
><br>
<br>
_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</div></div></blockquote></div><br>