[Discussion] Features suggestion

Martin Holste mcholste at gmail.com
Fri Nov 7 21:06:26 UTC 2008


Jeremy: Yes, I've used pefile from time to time, and I think that
integrating it with live traffic sniffing as some sort of plugin would be
awesome (similar to the pehunter Snort plugin).

Jason: Dead on.  Almost every feature discussed on this list is found in at
least one existing program.  Designing a robust, extensible command and
management "glue" for these tools seems like the most bang for our buck.

--Martin

On Fri, Nov 7, 2008 at 12:22 PM, Jason Lewis <jlewis at packetnexus.com> wrote:

> First, I like where the conversations have gone in regards to solving
> issues that network operators have.
>
> Can anyone point to a tool/app that attempts to do everything and does
> all those things well?  The idea of tagging streams and packets is a
> good one and the idea of including flows is also valuable, but at what
> point do we say "this is trying to do too much"?  Wouldn't time be
> better spent building a system that can manage the tasking of other
> devices for the end goal of preventing network attacks?  Instead of
> building a tool that stores netflow, how about a tool that can control
> devices that already collect netflow and use that data in a smarter way?
>
> jas
>
> Jeremy Hewlett wrote:
> > Greets all,
> >
> > After having an impromptu conversation with Jonkman about IDS features, we
> > decided I should post some of my thoughts here and see what you guys think.
> >
> > One of my long-standing irritations with IDS is a lack of ability to know
> > what else occurred after an alert was tripped. So, to that end, I've listed
> > out my thoughts in order from easy implementation to harder to implement.
> >
> > Currently within Snort we can enable tagging on a rule so that we may
> > follow streams/packets after an event. This is often useful to me, in the
> > very least, to ascertain if an attack succeeded. Unfortunately, the act of
> > enabling tagged packets is a tedious (but scriptable) task if I have more
> > than a handful of rules I want to modify. A method of globally setting a
> > tag definition that would apply to (groups of? all?) rules would be the
> > preferable way to accomplish this.
> >
> > The second, but related thing I'd like to see is a method of recording IP
> > flows. I find this type of thing useful for statistical analysis, the IDS
> > already has this information available to it, and it mostly solves the
> > issue of not knowing what traffic (if any) occurred after an attack. It's
> > actually better because it doesn't necessarily require a rule being tripped
> > first... which leads me to my third point.
> >
> > Anomaly detection / ability to learn normal network behavior. I'm sort of
> > disillusioned with rule-based IDS, especially now that targeted attacks
> > are becoming more prominent. An ability for an IDS to learn a network and
> > recognize bad/unusual/odd traffic patterns and payloads would be a huge
> > boon. This also fits in well with PassiveAppOSIdentification that I saw
> > already listed on the OpenInfosec feature list.
> >
> > Anyway, those are my thoughts. I tried to keep it brief, so let me know
> > if I need to expand on anything.
> >
> > _______________________________________________
> > Discussion mailing list
> > Discussion at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
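The "globally setting a tag definition" that Jeremy describes above, as an added example that is not from the thread or from Snort itself: a small Python helper that appends a Snort `tag:` option to every active rule in a chosen set of classtypes that does not already carry one. The rule lines are constructed for the example.

```python
import re

# Rule actions we are willing to modify; comments and blank lines pass through untouched.
RULE_ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
CLASSTYPE_RE = re.compile(r"classtype\s*:\s*([\w-]+)\s*;")
# A tag option sits at the start of the option block or right after a ';'.
TAG_RE = re.compile(r"(?:^|;)\s*tag\s*:")


def add_tag_option(rule, tag_spec, classtypes=None):
    """Return `rule` with `tag:<tag_spec>;` appended to its option block.

    The rule is returned unchanged if it is not an active single-line rule,
    already carries a tag option, or (when `classtypes` is given) its
    classtype is not in that set.
    """
    stripped = rule.strip()
    if not stripped.endswith(")") or stripped.split(None, 1)[0] not in RULE_ACTIONS:
        return rule
    head, _, opts = stripped.partition("(")   # header has no '(' so this is the option block
    body = opts[:-1].rstrip()                 # drop the closing ')'
    if TAG_RE.search(body):
        return rule
    if classtypes is not None:
        m = CLASSTYPE_RE.search(body)
        if m is None or m.group(1) not in classtypes:
            return rule
    if not body.endswith(";"):
        body += ";"
    return f"{head}({body} tag:{tag_spec};)"


def tag_rules(text, tag_spec, classtypes=None):
    """Apply add_tag_option to every line of a rules file and return the new text."""
    return "\n".join(add_tag_option(line, tag_spec, classtypes) for line in text.splitlines())


# Constructed sample rules (not from any real ruleset): one untagged recon rule,
# one rule that is already tagged, and one whose classtype we may want to skip.
SAMPLE_RULES = """\
# constructed sample rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB probe"; flow:to_server,established; classtype:attempted-recon; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"IRC connect"; classtype:trojan-activity; sid:1000002; rev:1; tag:session,60,seconds;)
alert udp any any -> any 53 (msg:"DNS query"; classtype:misc-activity; sid:1000003; rev:1;)
"""

if __name__ == "__main__":
    # Tag the session for 300 seconds after any recon or trojan alert fires.
    print(tag_rules(SAMPLE_RULES, "session,300,seconds", {"attempted-recon", "trojan-activity"}))
```

Passing `classtypes=None` tags every untagged active rule, which is the "all rules" case from the message.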