[Discussion] Features

Victor Julien lists at inliniac.net
Fri Oct 17 15:58:08 UTC 2008


Joshua Gimer wrote:
>
> On Thu, Oct 16, 2008 at 7:00 PM, Matt Jonkman <jonkman at jonkmans.com
> <mailto:jonkman at jonkmans.com>> wrote:
>
>     OK, those are my initial wish list items. Who has more? What
>     else should
>     we do? Any problems with the above?
>
>     Matt
>
>
> I like all of the ideas above. :)
>
> I would like to see more event correlation functionality built into
> detection engines. I give the example of the recent distributed
> SSH brute force issue (or the distributed SQL Injection method used
> by the Asprox botnet) that is becoming more common. The majority of
> IDS/IPS engines will not trigger on this kind of distributed traffic.
>
> I would like to see the ability for the engine to track these
> connections to a common destination from multiple sources and then
> assess the weight of the traffic that is hitting the system within a
> given time window. I agree that this would be hard to do without
> blocking legitimate sources, but I see this as being one of the
> largest downfalls in modern IDS/IPS.
>
I like the idea of having a rule directive that can say: if this rule
matches, add the (src|dst|both) IP to some set. Then use that set in
other rules, etc.

Regards,
Victor
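
To make the two ideas in this thread concrete, here is an added example (not code from the list, the engine or either poster): a small correlation layer that counts distinct sources hitting one destination inside a sliding time window, and that on a rule match adds the source IP to a named set with an expiry so a second rule can test membership. The signature names, set name, thresholds and sample addresses are all constructed for the illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: float   # seconds since start of capture
    src: str
    dst: str
    sig: str    # name of the signature that matched this flow

class Correlator:
    """Hypothetical correlation layer (added illustration, not engine code).
    track(): per destination, distinct sources firing inside a sliding window.
    tag()/in_set(): on a match, add the source IP to a named set with an
    expiry; later rules test membership in that set."""
    def __init__(self, window: float, threshold: int):
        self.window, self.threshold = window, threshold
        self.hits = defaultdict(deque)   # dst -> deque of (ts, src)
        self.sets = defaultdict(dict)    # set name -> {ip: expiry_ts}

    def track(self, ev: Event) -> bool:
        q = self.hits[ev.dst]
        q.append((ev.ts, ev.src))
        while q and q[0][0] < ev.ts - self.window:   # drop aged-out hits
            q.popleft()
        return len({src for _, src in q}) >= self.threshold

    def tag(self, name: str, ip: str, ts: float) -> None:
        self.sets[name][ip] = ts + self.window

    def in_set(self, name: str, ip: str, ts: float) -> bool:
        expiry = self.sets[name].get(ip)
        return expiry is not None and ts <= expiry

def run(events, window=60.0, threshold=5):
    """Apply two hypothetical rules and return (ts, alert, ip) tuples."""
    c, alerts = Correlator(window, threshold), []
    for ev in events:
        if ev.sig == "ssh_auth_fail":                 # rule 1: tag + count
            c.tag("ssh_bruters", ev.src, ev.ts)
            if c.track(ev):
                alerts.append((ev.ts, "distributed_ssh_bruteforce", ev.dst))
        elif ev.sig == "ssh_login_ok" and c.in_set("ssh_bruters", ev.src, ev.ts):
            alerts.append((ev.ts, "login_from_tagged_source", ev.src))  # rule 2
    return alerts

# Constructed sample: six sources fail once each against one host within a
# minute, then one of them logs in successfully.
SAMPLE = [Event(t, f"198.51.100.{i}", "192.0.2.10", "ssh_auth_fail")
          for i, t in enumerate(range(0, 60, 10), start=1)]
SAMPLE.append(Event(70.0, "198.51.100.3", "192.0.2.10", "ssh_login_ok"))
```

Per-source the failure rate here is one attempt a minute, so a per-source threshold would never fire; only the per-destination count of distinct sources does.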
