[Discussion] Features

John Ives jives at security.berkeley.edu
Fri Oct 17 06:14:06 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To throw in my own loose thoughts...

9. The ability to pull files out of the stream in real-time, e.g. if a
user attempts to download a file named codec.exe, pull a copy of that
file from the TCP stream and send it to an AV/sandbox. If used with a
sandbox it would mean that, in essence, each client on the network would
become a sort of honeyclient, identifying malware during normal
activity. (Of course this is of particular interest to me since I am
slowly building scripts to do something similar - though not in real
time - using our existing IDS infrastructure and some of my own rules.)

10. (An extension of Matt's #2 [reputation], Andre's #8 [language to
view app state] and my own #9.) A language/protocol for it to interact
with other security devices. Simple uses would be 'I saw X attempt to
do Y to Z, so add a firewall rule to stop X' or 'File malware.exe in
www.hacker.net/badstuff/ was identified as malware in the sandbox/AV
system, so drop any packets requesting it.' Obviously this is closely
related to Matt's IP reputation scoring, but this is based upon an
immediate threat on a targeted site. This should be reciprocal also,
with something like OSSEC or mod_security being able to dynamically
inject immediate information to the IDS/IPS, since they can see the
interaction at the end-point after decryption.


John
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJI+C0tAAoJEJkidK6qbyws5cIH/0/hJjwpeZUa3c88dGOWcTfa
O9Zv8vpOkvq0RJGYFHT+9QKxGlrqk2dgngQiC9oz55MhllWePL94Ir067dj3baoJ
TbgAUBMwNK7fbQhC0evvBzOiq7z6Lsei+EO3pBhUHpt7NKyokGEgTbnieR4/3JF6
pFOEFuv0dZURtXyShhZHzkaQO2oxP1p1kbvHqNaWSn2ljkMhpbyhP7pnZnTNucfJ
tsoxibcOlud6+LEfTyeQ4Ajz7upXHarEb8U4hdTx095Y6ZmLHKsio5CMpnu0tmxW
3L0RKae+NpjMt9abaBvVqfiH24EJe6aBpIWPXlls0hl0rip5PG3tOYfJwqIJ7M0=
=Aold
-----END PGP SIGNATURE-----
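Added example, not code from the list post or from any project discussed on it: a minimal sketch of the two ideas above (#9 and #10). It takes one reassembled HTTP request/response pair, as a stream reassembler would hand it over, carves the downloaded file out of the response body when the filename has a watched extension, hashes it, and emits a structured message of the kind a sandbox or firewall could consume. The sample traffic, the watched-extension list and the JSON event schema are all constructed for this example; the schema is a hypothetical stand-in for the "language/protocol" the post wishes for, not an existing standard.

```python
import hashlib
import json
import re
from pathlib import PurePosixPath

# Constructed sample traffic (not a real capture): one request and its
# response, as a TCP reassembler would present them to the IDS.
SAMPLE_REQUEST = (
    b"GET /badstuff/codec.exe HTTP/1.1\r\n"
    b"Host: www.example.net\r\n"
    b"\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"MZ-not-real-"  # constructed 12-byte body, not a real executable
)

# Extensions whose downloads get carved and handed to AV/sandbox (assumed policy).
WATCHED_EXTENSIONS = {".exe", ".dll", ".scr", ".msi"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_http_message(raw: bytes):
    """Split an HTTP message into (start line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    start_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def requested_filename(request: bytes, response_headers: dict) -> str:
    """Prefer a Content-Disposition filename, else the last URI path segment."""
    match = re.search(r'filename="?([^";]+)"?',
                      response_headers.get("content-disposition", ""))
    if match:
        return match.group(1)
    start_line, _, _ = parse_http_message(request)
    path = start_line.split(" ")[1]
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def extract_file(request: bytes, response: bytes):
    """Carve the transferred file (item #9). Returns None when the body is
    still incomplete (keep buffering) or the filename is not watched."""
    _, headers, body = parse_http_message(response)
    length = int(headers.get("content-length", len(body)))
    if len(body) < length:
        return None  # stream not fully reassembled yet
    name = requested_filename(request, headers)
    if PurePosixPath(name).suffix.lower() not in WATCHED_EXTENSIONS:
        return None
    data = body[:length]
    _, req_headers, _ = parse_http_message(request)
    return {
        "filename": name,
        "host": req_headers.get("host", ""),
        "size": length,
        "sha256": sha256_hex(data),
        "data": data,  # what would be sent on to the AV/sandbox
    }


def build_event(extracted: dict, verdict: str) -> str:
    """Hypothetical inter-device message (item #10): the IDS tells a
    firewall or sandbox what it saw and what it asks for. Constructed schema."""
    action = "drop_requests_for" if verdict == "malicious" else "observe"
    return json.dumps({
        "source": "ids",
        "event": "file_download",
        "host": extracted["host"],
        "filename": extracted["filename"],
        "sha256": extracted["sha256"],
        "verdict": verdict,
        "requested_action": action,
    }, sort_keys=True)


if __name__ == "__main__":
    carved = extract_file(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(build_event(carved, "pending_sandbox"))
```

The carving deliberately waits for `Content-Length` bytes before doing anything, which is the edge a real-time tap has to handle: the first segment of a download is rarely the whole file, so the hash and the sandbox hand-off must only fire once reassembly is complete, or every retransmission produces a different "file".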