[Discussion] Features

• Previous message (by thread): [Discussion] Features
• Next message (by thread): [Discussion] Features
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Oct 16, 2008 at 7:00 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> OK, those are my initial wish list items. Who has more? What else should
> we do? Any problems with the above?
>
> Matt
>

I like all of the ideas above. :)

I would like to see more event correlation functionality built into
detection engines. I give the example of all the recent distributed SSH
brute force issue (or the distributed SQL Injection method used by the
Asprox botnet) that is becoming more common. The majority of IDS/IPS engines
will not trigger on this kind of distributed traffic.

I would like to see the ability for the engine to track these connections to
a common destination from multiple sources and then assess the weight of the
traffic that is hitting the system within a given time window. I agree that
this would be hard to do without blocking legitimate sources, but I see this
as being one of the largest downfalls in modern IDS/IPS.

-- 
Thx
Joshua Gimer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/discussion/attachments/20081017/21b3e64e/attachment-0002.html>

• Previous message (by thread): [Discussion] Features
• Next message (by thread): [Discussion] Features
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]