[Discussion] Features suggestion

Jeremy Hewlett jh at dok.org
Thu Nov 6 19:03:24 UTC 2008


Greets all,

After having an impromptu conversation with Jonkman about IDS features, we
decided I should post some of my thoughts here and see what you guys think.

One of my long-standing irritations with IDS is a lack of ability to know
what else occurred after an alert was tripped. So, to that end, I've listed
out my thoughts in order from easy implementation to harder to implement.

Currently within Snort we can enable tagging on a rule so that we may
follow streams/packets after an event. This is often useful to me, in the
very least, to ascertain if an attack succeeded. Unfortunately, the act of
enabling tagged packets is a tedious (but scriptable) task if I have more
than a handful of rules I want to modify. A method of globally setting a
tag definition that would apply to (groups of? all?) rules would be the
preferable way to accomplish this.

The second, but related thing I'd like to see is a method of recording IP
flows. I find this type of thing useful for statistical analysis, the IDS
already has this information available to it, and it mostly solves the
issue of not knowing what traffic (if any) occurred after an attack. It's
actually better because it doesn't necessarily require a rule being tripped
first... which leads me to my third point.

Anomaly detection / ability to learn normal network behavior. I'm sort of
disillusioned with rule-based IDS, especially now that targeted attacks
are becoming more prominent. An ability for an IDS to learn a network and
recognize bad/unusual/odd traffic patterns and payloads would be a huge
boon. This also fits in well with PassiveAppOSIdentification that I saw
already listed on the OpenInfosec feature list.

Anyway, those are my thoughts. I tried to keep it brief, so let me know
if I need to expand on anything.
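Editor's note: the "scriptable" part of the first point above is shown here as an added example; it is not code from Jeremy's post or from any IDS project. It is a small Python filter that appends one global tag definition to every active rule in a Snort rules file, the way a global tag setting would. It skips comments and disabled rules, leaves a rule alone if it already carries its own tag, joins backslash-continued rules into one line, and can be restricted to a set of sids. The tag value (follow the session for 30 seconds after the alert) and the sample rules are constructed assumptions for illustration, not rules from a real ruleset.

```python
"""Append a global Snort tag option to every active rule in a rules file.

Added example, not part of the original post. Assumptions: Snort 2.x rule
syntax (action proto src sport -> dst dport (options;)), and the tag value
below, which follows the tripping session for 30 seconds after the alert.
"""
import re
import sys

# Assumption: a session tag with a time metric, as Snort 2.x accepts it.
TAG_OPTION = "tag:session,30,seconds;"

# Constructed sample rules file; the sids and payloads are invented.
SAMPLE_RULES = """\
# comment line stays untouched
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH probe"; flow:to_server,established; sid:1000001; rev:1;)
# disabled rule stays untouched
# alert tcp any any -> any 80 (msg:"disabled"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC with tag"; tag:host,300,seconds,src; sid:1000003; rev:1;)
alert udp any any -> any 53 (msg:"multi-line"; \\
    content:"|00 01 00 00|"; sid:1000004; rev:1;)
"""

RULE_ACTION = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\s")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
TAG_RE = re.compile(r"\btag\s*:")


def logical_lines(text):
    """Yield the file's lines with backslash continuations joined into one rule."""
    buf = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip() if buf else line)
        yield " ".join(buf)
        buf = []
    if buf:  # file ended on a continuation line; emit what we have
        yield " ".join(buf)


def tag_rule(rule, tag_option=TAG_OPTION, only_sids=None):
    """Return rule with tag_option appended to its option block.

    The rule comes back unchanged if it is a comment or disabled rule, has no
    option block, already carries a tag, or its sid is not in only_sids.
    """
    if not RULE_ACTION.match(rule):
        return rule
    open_idx = rule.find("(")
    close_idx = rule.rfind(")")
    if open_idx == -1 or close_idx == -1 or close_idx < open_idx:
        return rule  # no well-formed option block; leave it for Snort to reject
    options = rule[open_idx + 1:close_idx]
    if TAG_RE.search(options):
        return rule  # the rule author already chose a tag; keep theirs
    if only_sids is not None:
        m = SID_RE.search(options)
        if m is None or int(m.group(1)) not in only_sids:
            return rule
    options = options.rstrip()
    if not options.endswith(";"):
        options += ";"
    return f"{rule[:open_idx + 1]}{options} {tag_option}{rule[close_idx:]}"


def tag_rules_file(text, tag_option=TAG_OPTION, only_sids=None):
    """Apply tag_rule to every logical line and return the rewritten file text."""
    return "\n".join(tag_rule(l, tag_option, only_sids) for l in logical_lines(text)) + "\n"


def count_tagged(text):
    """Number of active rules in text that carry a tag option (for a sanity check)."""
    return sum(1 for l in logical_lines(text) if RULE_ACTION.match(l) and TAG_RE.search(l))


if __name__ == "__main__":
    # Usage: python tag_rules.py local.rules > local.tagged.rules
    # With no argument it rewrites the constructed sample above.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    out = tag_rules_file(src)
    sys.stdout.write(out)
    sys.stderr.write(f"{count_tagged(out)} rules now carry a tag\n")
```

Rules that already have a tag keep it on purpose, since a hand-chosen host tag is usually more deliberate than a blanket session tag; pass `only_sids` if you want the global tag on a subset (say, the rules whose success you actually need to confirm) rather than on everything, because tagging every rule multiplies the packets Snort logs.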