[Discussion] Features

Matt Jonkman jonkman at jonkmans.com
Fri Oct 17 01:00:32 UTC 2008


Here's the big thread. And don't be afraid to start sub-threads for
specifics here.

The features we want to go after here are the primary reason we sought
this funding and are taking this challenge on. Existing stuff works, but
there's SO much more we could be doing by looking past traditional IPS
strengths. The challenge is that those things aren't conducive to making
a commercial product with millions invested in development. No one can
take this risk now, so we're going this route to make it happen.

We have information about bad guys, bad places, and bad patterns. Lots
of it, terabytes of it. We've got gigs of data about bad stuff in the
sandnet at emerging threats alone. But most of that we can't effectively
act upon. We can't give huge lists of bad IPs to most tools, we can't
feed behavior patterns to existing tools, we can't share scan data
globally, etc.

So here we are. I have things I wish I could do, you have things you
wish you could do, over the next couple of months we aim to get to the
core set of the most important things that most of us want to be able to
do. Then we'll go after it.

So here's my wish list:

1. Native multithreading.
Not each preprocessor or post processor can go to a thread, but each
stream can take a thread. Think apache. More servers = more requests
served. The complications of sharing state between them and the like are
a challenge, but solvable.


2. IP Reputation Sharing
I want to feed these gigs of data I have and other projects have into my
security devices and let it use that data to make smarter decisions. IP
reputation isn't a new concept, but applying it in realtime will be a
challenge. But this also opens us up to the possibility of sharing
reputation data between ourselves.

Imagine clouds of peer organizations sharing IP reputation between their
security devices. Each benefits from the data gained and contributes
back what they encounter. All organizations become more safe.

Then imagine organizations that collect this data for a living. We have
an avenue for this data to be more commercially viable.


3. Native IPv6
Of course. No brainer there.


4. Native Hardware acceleration support
There are a number of hardware acceleration technologies that could be
more effectively built into the engine from the start, versus the
back-asswards reverse engineering we have to do now to effectively
accelerate.


5. Scoring
SpamAssassin style point scoring. This would go a long way to
eliminating false positives. The absolutely sure 100% guaranteed true
positive rules of course would still hit. But the ones that are wrong as
often as right could be given a score, say a half a point. If something
else happens from that host within a certain timeframe that pushes that
over a threshold then all of these alerts come back and can be acted
upon with more confidence they're real. Complicated, but worthwhile.



OK, those are my initial wish list items. Who has more? What else should
we do? Any problems with the above?

Matt



-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
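The per-host scoring described in item 5, as an added example that is not code from the original post or from any project: low-confidence rules carry a fractional score, a "sure" rule carries the full threshold, and a host's alerts within a time window are only promoted once their combined score crosses the threshold. Rule names, scores, the window and the sample alerts below are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed rule scores: a sure rule reaches the threshold alone,
# the noisy ones only count for half a point each.
RULE_SCORES = {
    "ET TROJAN known C2 beacon": 1.0,
    "ET SCAN suspicious SYN rate": 0.5,
    "ET POLICY unusual user-agent": 0.5,
}

class HostScorer:
    """Accumulates rule scores per source host inside a sliding time window."""

    def __init__(self, threshold=1.0, window=300):
        self.threshold = threshold          # score needed to promote alerts
        self.window = window                # seconds an alert stays relevant
        self.events = defaultdict(deque)    # src_ip -> deque of (ts, rule)

    def observe(self, ts, src_ip, rule):
        """Record one alert; return the promoted alerts if the host crossed
        the threshold, else an empty list."""
        q = self.events[src_ip]
        q.append((ts, rule))
        # Drop alerts older than the window (events arrive in time order).
        while q and ts - q[0][0] > self.window:
            q.popleft()
        total = sum(RULE_SCORES.get(r, 0.0) for _, r in q)
        if total >= self.threshold:
            promoted = list(q)  # everything that contributed comes back
            q.clear()
            return promoted
        return []

# Constructed sample alerts: (timestamp, source IP, rule name).
SAMPLE_ALERTS = [
    (0,   "192.0.2.10", "ET SCAN suspicious SYN rate"),
    (100, "192.0.2.10", "ET POLICY unusual user-agent"),   # second half point -> promoted
    (0,   "192.0.2.20", "ET SCAN suspicious SYN rate"),
    (900, "192.0.2.20", "ET POLICY unusual user-agent"),   # first alert aged out -> nothing
    (50,  "192.0.2.30", "ET TROJAN known C2 beacon"),      # sure rule fires on its own
]

def correlate(alerts, threshold=1.0, window=300):
    """Feed alerts in time order; return [(src_ip, promoted_alerts), ...]."""
    scorer = HostScorer(threshold, window)
    results = []
    for ts, ip, rule in sorted(alerts):
        promoted = scorer.observe(ts, ip, rule)
        if promoted:
            results.append((ip, promoted))
    return results
```

Running `correlate(SAMPLE_ALERTS)` promotes the sure hit on 192.0.2.30 and the two half-point alerts on 192.0.2.10, while 192.0.2.20 never crosses the threshold because its first alert fell outside the window.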