[Discussion] Rules Syntax

Claudio Criscione c.criscione at securenetwork.it
Sat Dec 20 11:25:19 UTC 2008


On Thursday 18 December 2008 22:10:33 Matt Jonkman wrote:
> The first thing we'd like to do in technical terms is setup a rules
> syntax. IMHO we have to dump the existing ways that's done and start
> over with what we'll be doing for the next 10 years.
[...]
> Other examples of what you'd like to be able to say, in english, and
> we'll start to find the similarities and begin to make a syntax.

Well, what about:

"if someone in my organization who has never started any ftp traffic in the last 
three months starts an ftp connection, notify me and start watching that person 
more carefully."

- Someone vs. some machine
Using the IP address is still the only way to go in most cases, but we need 
more sophisticated means to identify who's who as networks evolve (think about 
whole cities behind a NAT).

- In my organization vs. in my internal LAN
Networks are melting into clouds (I like the cloud vaporware ;-)), with VPNs 
and such, and I'm not even talking about virtualization (more about that in 
future posts).

- "In the last three months" can actually be translated to "is not used to" 
or "does not usually"
The issue with statistical approaches is that you really have to develop 
custom models. What about "signature-based statistical models"?

- "Watching more carefully"
I'm not sure we always want the same "resolution" on network traffic, and I 
feel it would be great to be able to zoom in on suspicious activity 
automatically without having to carry the burden of logging everything 
every time.

Just my 2c :)

-- 
Claudio Criscione
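The English rule in the post above, turned into running detection logic as an added example (this is not code from the original thread or from any IDS project). It keys each flow on the user when an identity is known and on the source IP otherwise ("someone vs. some machine"), treats a set of assumed CIDRs including a VPN pool as "my organization", alerts when an entity starts an FTP control connection with no FTP in the previous 90 days, and flips that entity into a "full" logging resolution for an assumed seven-day window ("watching more carefully"). The flow records are constructed for the example, not captured traffic.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

BASELINE = timedelta(days=90)   # "in the last three months"
WATCH_FOR = timedelta(days=7)   # how long "watching more carefully" lasts (assumed value)

# "in my organization": internal LANs plus the VPN pool, not just one LAN (assumed ranges)
ORG_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    user: Optional[str] = None   # identity from VPN/auth logs when the sensor has it


@dataclass
class Detector:
    last_ftp: Dict[str, datetime] = field(default_factory=dict)     # entity -> last FTP start
    watch_until: Dict[str, datetime] = field(default_factory=dict)  # entity -> end of elevated logging

    @staticmethod
    def entity(flow: Flow) -> str:
        # "someone vs. some machine": key on the user when known, else fall back to the IP
        return f"user:{flow.user}" if flow.user else f"ip:{flow.src_ip}"

    @staticmethod
    def in_org(ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in ORG_NETS)

    def process(self, flow: Flow) -> Optional[dict]:
        """Verdict for one flow, or None when the source is outside the organization."""
        if not self.in_org(flow.src_ip):
            return None
        ent = self.entity(flow)
        # drop an expired watch window before deciding the resolution for this flow
        if ent in self.watch_until and flow.ts >= self.watch_until[ent]:
            del self.watch_until[ent]

        alert = None
        if flow.proto == "tcp" and flow.dst_port == 21:   # outbound FTP control connection
            prev = self.last_ftp.get(ent)
            self.last_ftp[ent] = flow.ts
            if prev is None or flow.ts - prev > BASELINE:
                alert = "first FTP ever" if prev is None else f"no FTP since {prev:%Y-%m-%d}"
                self.watch_until[ent] = flow.ts + WATCH_FOR   # "start watching more carefully"

        resolution = "full" if ent in self.watch_until else "summary"
        return {"ts": flow.ts, "entity": ent, "alert": alert, "resolution": resolution}


def run(flows: List[Flow]) -> List[dict]:
    """Process flows in time order; returns one verdict per in-organization flow."""
    det = Detector()
    return [v for v in (det.process(f) for f in sorted(flows, key=lambda f: f.ts)) if v]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample flows for the example (not real traffic)
SAMPLE_FLOWS = [
    Flow(_t("2008-09-01 09:00"), "10.1.2.3", "203.0.113.5", 21, "tcp", user="alice"),   # alice's first FTP ever
    Flow(_t("2008-09-02 10:00"), "10.1.2.3", "203.0.113.9", 443, "tcp", user="alice"),  # inside her watch window
    Flow(_t("2008-09-10 10:00"), "10.1.2.3", "203.0.113.9", 443, "tcp", user="alice"),  # watch window expired
    Flow(_t("2008-09-15 11:00"), "10.1.2.3", "203.0.113.5", 21, "tcp", user="alice"),   # 14 days later: normal
    Flow(_t("2008-10-01 08:00"), "172.16.5.9", "203.0.113.5", 21, "tcp", user="bob"),   # VPN user, first FTP
    Flow(_t("2008-10-01 08:05"), "198.51.100.7", "203.0.113.5", 21, "tcp"),             # not in org: ignored
    Flow(_t("2008-10-02 08:00"), "192.168.1.50", "203.0.113.5", 21, "tcp"),             # no identity: keyed by IP
    Flow(_t("2008-12-20 11:00"), "10.1.2.3", "203.0.113.5", 21, "tcp", user="alice"),   # 96 days since last FTP
]

if __name__ == "__main__":
    for v in run(SAMPLE_FLOWS):
        if v["alert"]:
            print(f"{v['ts']:%Y-%m-%d} ALERT {v['entity']}: {v['alert']} (logging now {v['resolution']})")
```

Keeping only the last FTP timestamp per entity is enough for a "nothing in the trailing 90 days" rule, so the state stays one entry per entity rather than a full history; the "full"/"summary" verdict is what a sensor would consult to decide whether to capture the whole flow or only a summary record, which is the point about not paying for full logging all the time.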


