[Discussion] Virtues of a Multi-Sensor Environment
David J. Bianco
david at vorant.com
Wed Oct 29 18:13:53 UTC 2008
I just now got caught up on all my OISF discussion list reading, so I'd
like to make a few points. Some of you probably know that I'm affiliated with
the Sguil project, so many of my comments spring from that background.
We consider ourselves to have moved past IDS years ago, when we started to
implement our NSM model. The additional network forensic capabilities built
into Sguil (network session database, full content packet capture and passive
network service detection) are really key to our ability to do good event
analysis. In fact, from our point of view, the success of our monitoring
program depends in large part upon our ability to :
1) Find new ways of detecting events
2) Get those detected events into the Sguil database
3) Use the built-in Sguil research tools to investigate them
For the most part, getting things into Sguil (#2) is quite simple, so that
really leaves us with #1 and #3.
There was some discussion on this list about Bro. I'm a big fan of Bro.
It performs very well in the pattern analysis and policy-based detection
arenas, in which Snort (and thus, Sguil) do poorly. Conversely, Bro's
signature matching abilities aren't very good, and it certainly doesn't have
a robust sig library like Snort does.
My view is that they are both complementary technologies, and should be
deployed in tandem. It has been suggested on this list that Bro be the
engine for future OISF implementation. Great idea! But I propose that
we consider our project a framework, or suite of tools, and that Bro be
a critical *piece* of that framework, but not the only framework.
Further, we should strive to be "sensor-agnostic", accepting inputs from
different types of detection engines and integrating them into a common
analysis portal. There are many advantages to this approach, including
the fact that it allows each site to choose the exact mix of detection
engines that make most sense in their environment.
I can envision a scenario where I'd deploy, for example, signature based
IDS (Snort), policy based IDS (Bro), correlated event alerts (OSSEC) and
perhaps even application specific sensors (mod_security, database IDS,
spear phishing detection, etc). All these events should go to the same
analysis tool, they should be organized effectively, searchable,
cross-referenced, and tied to forensic data (network sessions, packet
captures, log files, etc).
In fact, we're much of the way there already. I released an agent to
slurp OSSEC events into Sguil quite some time ago, and we have done the
same with other data sources as well. Communication between Bro and Sguil
is on my TODO list as well. So really, the idea of deploying multiple
types of sensors feeding into the same analysis tool is a practical one.
I think this should be a design goal of the project.
David
More information about the Discussion
mailing list