[Discussion] Features

David Glosser david.glosser at gmail.com
Fri Oct 17 02:50:53 UTC 2008


What is the "audience" for this? Will it be only for corporations? Will
some of the "rules" and logic somehow be available to the end-user (i.e.
desktop app, browser plug-in, etc.)?

Scoring sounds great, also IP/domain reputation.

On Thu, Oct 16, 2008 at 9:00 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> Here's the big thread. And don't be afraid to start sub-threads for
> specifics here.
>
> The features we want to go after here are the primary reason we sought
> this funding and are taking this challenge on. Existing stuff works, but
> there's SO much more we could be doing by looking past traditional ips
> strengths. The challenge is that those things aren't conducive to making
> a commercial product with millions invested in development. No one can
> take this risk now, so we're going this route to make it happen.
>
> We have information about bad guys, bad places, and bad patterns. Lots
> of it, terabytes of it. We've got gigs of data about bad stuff in the
> sandnet at emerging threats alone. But most of that we can't effectively
> act upon. We can't give huge lists of bad IPs to most tools, we can't
> feed behavior patterns to existing tools, we can't share scan data
> globally, etc.
>
> So here we are. I have things I wish I could do, you have things you
> wish you could do, over the next couple of months we aim to get to the
> core set of the most important things that most of us want to be able to
> do. Then we'll go after it.
>
> So here's my wish list:
>
> 1. Native multithreading.
> Not each preprocessor or post processor can go to a thread, but each
> stream can take a thread. Think apache. More servers = more requests
> served. The complications of sharing state between them and the like are
> a challenge, but solvable.
>
>
> 2. IP Reputation Sharing
> I want to feed these gigs of data I have and other projects have into my
> security devices and let it use that data to make smarter decisions. IP
> reputation isn't a new concept, but applying it in realtime will be a
> challenge. But this also opens us up to the possibility of sharing
> reputation data between ourselves.
>
> Imagine clouds of peer organizations sharing ip reputation between their
> security devices. Each benefits from the data gained and contributes
> back what they encounter. All organizations become more safe.
>
> Then imagine organizations that collect this data for a living. We have
> an avenue for this data to be more commercially viable.
>
>
> 3. Native ipv6
> Of course. No brainer there.
>
>
> 4. Native Hardware acceleration support
> There are a number of hardware acceleration technologies that could be
> more effectively built into the engine from the start, versus the
> back-asswards reverse engineering we have to do now to effectively
> accelerate.
>
>
> 5. Scoring
> Spam-assassin style point scoring. This would go a long way to
> eliminating false positives. The absolutely sure 100% guaranteed true
> positive rules of course would still hit. But the ones that are wrong as
> often as right could be given a score, say a half a point. If something
> else happens from that host within a certain timeframe that pushes that
> over a threshold then all of these alerts come back and can be acted
> upon with more confidence they're real. Complicated, but worthwhile.
>
>
>
> OK, those are my initial wish list items. Who has more? What else should
> we do? Any problems with the above?
>
> Matt
>
>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Discussion mailing list
> Discussion at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
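The point-scoring scheme in item 5 above (low-confidence rules each contribute a fraction of a point per host, and when the total inside a time window crosses a threshold the buffered alerts are released together) can be sketched as a small sliding-window accumulator. The following is an added illustration for this thread, not code from the project or from either poster; the rule names, hosts, weights and threshold are constructed for the example.

```python
"""Per-host cumulative alert scoring with a sliding time window.

Added example for the scoring idea discussed in the thread. Hosts, rule
names, weights and the threshold below are constructed, not real data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List


@dataclass(frozen=True)
class RuleHit:
    ts: float      # time of the hit, in epoch seconds
    host: str      # source address the rule fired on
    rule: str      # rule name (constructed label)
    score: float   # confidence weight assigned to the rule


class HostScorer:
    """Buffers low-confidence hits per host and releases the whole buffer
    once the score accumulated inside `window` seconds reaches `threshold`.
    Hits at or above `certain` are treated as sure-thing rules and alert
    immediately, as the original post describes."""

    def __init__(self, threshold: float, window: float, certain: float = 100.0):
        self.threshold = threshold
        self.window = window
        self.certain = certain
        self._pending: Dict[str, Deque[RuleHit]] = defaultdict(deque)

    def _expire(self, host: str, now: float) -> None:
        # Drop buffered hits that have fallen out of the time window.
        q = self._pending[host]
        while q and now - q[0].ts > self.window:
            q.popleft()

    def pending_score(self, host: str) -> float:
        """Current accumulated score for a host (what has not fired yet)."""
        return sum(h.score for h in self._pending[host])

    def observe(self, hit: RuleHit) -> List[RuleHit]:
        """Feed one hit; return the hits that should become alerts now."""
        if hit.score >= self.certain:
            return [hit]                       # guaranteed rule: alert at once
        self._expire(hit.host, hit.ts)
        q = self._pending[hit.host]
        q.append(hit)
        if sum(h.score for h in q) >= self.threshold:
            released = list(q)                 # earlier hits "come back" with the new one
            q.clear()
            return released
        return []                              # below threshold: keep quiet for now


def run_scenario() -> Dict[str, int]:
    """Replay a constructed sequence of hits; return alerts produced per host."""
    hits = [
        RuleHit(0,   "10.0.0.5",  "low-conf-a", 0.5),
        RuleHit(0,   "10.0.0.9",  "low-conf-a", 0.5),
        RuleHit(30,  "10.0.0.5",  "low-conf-b", 0.5),
        RuleHit(50,  "192.0.2.7", "sure-thing", 100.0),  # fires immediately
        RuleHit(60,  "10.0.0.5",  "low-conf-c", 0.5),
        RuleHit(90,  "10.0.0.5",  "low-conf-a", 0.5),    # total 2.0: all four released
        RuleHit(100, "10.0.0.5",  "low-conf-b", 0.5),    # buffer starts over
        RuleHit(400, "10.0.0.9",  "low-conf-b", 0.5),    # first hit expired (window 300s)
        RuleHit(800, "10.0.0.9",  "low-conf-c", 0.5),    # still never reaches threshold
    ]
    scorer = HostScorer(threshold=2.0, window=300.0)
    alerts: Dict[str, int] = defaultdict(int)
    for hit in hits:
        for a in scorer.observe(hit):
            alerts[a.host] += 1
    return dict(alerts)


if __name__ == "__main__":
    print(run_scenario())
```

The host that trickles one weak hit every few hundred seconds never alerts, the host that produces four weak hits inside the window gets all four alerts released at once, and the sure-thing rule bypasses the buffer entirely. The window and threshold are the tuning knobs the thread leaves open; a real engine would also need to bound memory per host and decide whether a release resets the buffer (as here) or keeps scoring.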