[Discussion] Features suggestion
Jason Lewis
jlewis at packetnexus.com
Fri Nov 7 18:22:11 UTC 2008
First, I like where the conversations have gone in regards to solving
issues that network operators have.
Can anyone point to a tool/app that attempts to do everything and does
all those things well? The idea of tagging streams and packets is a
good one and the idea of including flows is also valuable, but at what
point do we say "this is trying to do too much"? Wouldn't time be
better spent building a system that can manage the tasking of other
devices for the end goal of preventing network attacks? Instead of
building a tool that stores netflow, how about a tool that can control
devices that already collect netflow and use that data in a smarter way?
jas
Jeremy Hewlett wrote:
> Greets all,
>
> After having an impromptu conversation with Jonkman about IDS features, we
> decided I should post some of my thoughts here and see what you guys think.
>
> One of my long-standing irritations with IDS is a lack of ability to know
> what else occurred after an alert was tripped. So, to that end, I've listed
> out my thoughts in order from easy implementation to harder to implement.
>
> Currently within Snort we can enable tagging on a rule so that we may
> follow streams/packets after an event. This is often useful to me, in the
> very least, to ascertain if an attack succeeded. Unfortunately, the act of
> enabling tagged packets is tedious (but scriptable) task if I have more
> than a handful of rules I want to modify. A method of globally setting a
> tag definition that would apply to (groups of? all?) rules would be the
> preferable way to accomplish this.
>
> The second, but related thing I'd like to see is a method of recording IP
> flows. I find this type of thing useful for statistical analysis, the IDS
> already has this information available to it, and it mostly solves the
> issue of not knowing what traffic (if any) occurred after an attack. It's
> actually better because it doesn't necessarily require a rule being tripped
> first... which leads me to my third point.
>
> Anomaly detection / ability to learn normal network behavior. I'm sort of
> disillusioned with rule-based IDS, especially now that targetted attacks
> are becoming more prominent. An ability for an IDS to learn a network and
> recognize bad/unusual/odd traffic patterns and payloads would be a huge
> boon. This also fits in well with PassiveAppOSIdentification that I saw
> already listed on the OpenInfosec feature list.
>
> Anyway, those are my thoughts. I tried to keep it brief, so let me know
> if I need to expand on anything.
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
>
More information about the Discussion
mailing list