[Discussion] [Fwd: Re: Features]

Joep Gommers joep.gommers at gmail.com
Fri Oct 17 06:47:03 UTC 2008


Hi List,

John Ives wrote:
> To throw in my own loose thoughts...
> 
> 9. The ability to pull files out of the stream in real-time.  e.g. If a
> user attempts to download a file named codec.exe pull a copy of that
> file from the tcp stream and send it to an AV/sandbox. If used with a
> sandbox it would mean that, in essence, each client on the network would
> become a sort of honeyclient, identifying malware during normal
> activity. (of course this is of particular interest to me since I am
> slowly building scripts to do something similar - though not in real
> time - using our existing IDS infrastructure and some of my own rules).
> 

Although I'll reply to this thread soon in more detail, I have to
quickly underline that this would be a feature of great value. Oh, and
nice to meet you all - my first post!

Not just because of malcode collecting, but also that once sandboxed,
this (slightly delayed) intelligence is extremely valuable in terms
of intrusion detection on a more high-level event
correlation/policy/compliance level.

I would imagine this feature using signatures of sorts, defining
start-, endpoint and contextual pointers that could 'extract' raw data
from streams - inside protocol on different layers (be it
tcp/ftp/smtp) - and perform actions on it: scan with an AV engine, send
to a sandbox, et cetera. Brainstorming, I wonder if it would be possible
then to save checksums of these extracted datasets, and mark them as
'safe' after being scanned. A configuration option could block
'unscanned' or deemed 'unsafe' checksums.

-- 
Best regards,
Joep Gommers
iSIGHT Partners

+1 (571) 451-2007
+1 (703) 879-1681
Skype: jgommers

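As an added example (not code from the list or from any project), a Python sketch of the extraction plus checksum policy brainstormed above: a constructed HTTP response stands in for the reassembled stream, the header/body boundary and Content-Length act as the start and end pointers, and a hypothetical verdict cache keyed by SHA-256 (filled by the AV/sandbox step) yields allow, block or scan, with 'block unscanned' as the configuration option.

```python
import hashlib
import re

# Constructed sample: a reassembled HTTP response carrying a download named
# codec.exe. The 8 payload bytes are made up and followed by the start of
# the next response, so the extractor must honour Content-Length.
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="codec.exe"\r\n'
    b"Content-Length: 8\r\n"
    b"\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"HTTP/1.1 200 OK\r\n"
)

# Hypothetical verdict cache: sha256 hex -> "safe" / "unsafe". Anything
# absent counts as "unscanned".
VERDICTS = {}


def extract_file(stream: bytes):
    """Start pointer: end of headers. End pointer: Content-Length.
    Returns (filename, payload) or None when no complete file is present."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    headers = stream[:sep].decode("latin-1")
    m = re.search(r"^Content-Length:\s*(\d+)\s*$", headers, re.M | re.I)
    if not m:
        return None
    length = int(m.group(1))
    body = stream[sep + 4:sep + 4 + length]
    if len(body) != length:
        return None  # truncated stream: never hand a partial file to the scanner
    name = re.search(r'filename="?([^";\r\n]+)"?', headers, re.I)
    return (name.group(1) if name else "unknown", body)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def decide(payload: bytes, verdicts=VERDICTS, block_unscanned=False) -> str:
    """Policy from the checksum cache: allow known-safe, block known-unsafe,
    and either block or queue for scanning anything not yet seen."""
    verdict = verdicts.get(sha256_hex(payload))
    if verdict == "safe":
        return "allow"
    if verdict == "unsafe":
        return "block"
    return "block" if block_unscanned else "scan"
```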


