[Discussion] Features
Matt Jonkman
jonkman at jonkmans.com
Fri Oct 17 15:54:56 UTC 2008
Does the scoring ability cover what you're thinking?
Or maybe if we see hits that satisfy a certain condition (like similar
attacks from many sites, such as an SSH brute force), then all similar hits
for a timeframe get an automatic score bump up?
matt
Joshua Gimer wrote:
>
> On Thu, Oct 16, 2008 at 7:00 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>
> OK, those are my initial wish list items. Who has more? What else should
> we do? Any problems with the above?
>
> Matt
>
>
> I like all of the ideas above. :)
>
> I would like to see more event correlation functionality built into
> detection engines. I give the example of the recent distributed SSH
> brute-force issues (or the distributed SQL injection method used by the
> Asprox botnet) that are becoming more common. The majority of IDS/IPS
> engines will not trigger on this kind of distributed traffic.
>
> I would like to see the ability for the engine to track these
> connections to a common destination from multiple sources and then
> assess the weight of the traffic that is hitting the system within a
> given time window. I agree that this would be hard to do without
> blocking legitimate sources, but I see this as being one of the largest
> downfalls in modern IDS/IPS.
>
> --
> Thx
> Joshua Gimer
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
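The correlation both posts describe (distinct sources hitting one destination inside a time window, and an automatic score bump for all similar hits for a while afterwards) can be sketched in a few dozen lines. The Python below is an added illustration written for this page, not Emerging Threats or Snort code; the alert line format, the signature name `ssh-login-failed`, the thresholds and the sample alerts are all assumptions made for the example.

```python
# Added illustration of the multi-source correlation discussed in the thread:
# not Emerging Threats code. Alert format, thresholds and sample data are
# assumptions for the example.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Alert:
    ts: float    # epoch seconds; alerts are assumed to arrive in time order
    src: str     # source address
    dst: str     # destination address (the host being hit)
    sig: str     # signature name, e.g. "ssh-login-failed" (assumed name)
    score: int   # base score the engine assigned to this single hit


class DistributedCorrelator:
    """Count distinct sources per (dst, sig) inside a sliding time window.

    Once `min_sources` distinct sources have hit the same destination with the
    same signature within `window` seconds, that hit and every later matching
    hit for the next `bump_for` seconds get `bump` added to its score. Scores
    are adjusted only; nothing is blocked, so a mis-tuned threshold raises
    priority rather than dropping legitimate traffic.
    """

    def __init__(self, window=300.0, min_sources=5, bump=10, bump_for=600.0):
        self.window = window
        self.min_sources = min_sources
        self.bump = bump
        self.bump_for = bump_for
        self._hits = defaultdict(deque)   # (dst, sig) -> deque of (ts, src)
        self._bump_until = {}             # (dst, sig) -> last ts the bump applies to

    def process(self, alert):
        """Return (final_score, distinct_sources_in_window, bumped)."""
        key = (alert.dst, alert.sig)
        hits = self._hits[key]
        hits.append((alert.ts, alert.src))
        # Drop hits that fell out of the window (deque is in time order).
        while hits and hits[0][0] < alert.ts - self.window:
            hits.popleft()
        distinct = len({src for _, src in hits})
        if distinct >= self.min_sources:
            self._bump_until[key] = alert.ts + self.bump_for
        bumped = self._bump_until.get(key, -1.0) >= alert.ts
        return alert.score + (self.bump if bumped else 0), distinct, bumped


def parse_alert(line):
    """Parse one whitespace-separated alert line: ts src dst sig score."""
    ts, src, dst, sig, score = line.split()
    return Alert(float(ts), src, dst, sig, int(score))


def correlate(lines, **params):
    """Feed alert lines through one correlator and return its per-hit results."""
    corr = DistributedCorrelator(**params)
    return [corr.process(parse_alert(line)) for line in lines if line.strip()]


# Constructed sample: six sources try SSH logins on 192.0.2.10 within a minute,
# one source hammers 192.0.2.20 alone, then two late stragglers hit 192.0.2.10.
_T = 1224259200
SAMPLE_ALERTS = [
    f"{_T + 0} 198.51.100.1 192.0.2.10 ssh-login-failed 2",
    f"{_T + 10} 198.51.100.2 192.0.2.10 ssh-login-failed 2",
    f"{_T + 20} 198.51.100.3 192.0.2.10 ssh-login-failed 2",
    f"{_T + 30} 198.51.100.4 192.0.2.10 ssh-login-failed 2",
    f"{_T + 40} 198.51.100.5 192.0.2.10 ssh-login-failed 2",   # 5th source: bump starts
    f"{_T + 50} 198.51.100.6 192.0.2.10 ssh-login-failed 2",
    f"{_T + 60} 203.0.113.9 192.0.2.20 ssh-login-failed 2",    # single noisy source
    f"{_T + 65} 203.0.113.9 192.0.2.20 ssh-login-failed 2",
    f"{_T + 70} 203.0.113.9 192.0.2.20 ssh-login-failed 2",
    f"{_T + 500} 198.51.100.7 192.0.2.10 ssh-login-failed 2",  # window empty, bump still on
    f"{_T + 700} 198.51.100.8 192.0.2.10 ssh-login-failed 2",  # bump expired
]

if __name__ == "__main__":
    for line, (score, distinct, bumped) in zip(SAMPLE_ALERTS, correlate(SAMPLE_ALERTS)):
        print(f"{line}  -> score={score} distinct_src={distinct} bumped={bumped}")
```

Two points the sample data is chosen to show: the lone source repeatedly hitting 192.0.2.20 never reaches the distinct-source threshold, so a single noisy client is not mistaken for a distributed attack, and the hit at +500 s is bumped even though every earlier hit has aged out of the 300 s window, which is the "all similar hits for a timeframe" behaviour from the reply. Memory grows with the number of (destination, signature) pairs seen, so a real engine would also need to expire idle keys.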