[Discussion] a few ideas

Kevin Ross kevross33 at googlemail.com
Tue Mar 3 22:24:55 UTC 2009


Hey I have a few more ideas:

1) rather than having the engine load all the signatures required for the
environment for everything it is watching, why not be able to have
directed rulesets? I.e. say only process these rules for these networks or
machines but don't do it for these.

For instance, if there was a single sensor watching traffic to and from a
network segment with a few Linux servers and Windows clients, rather than
enabling all the rules necessary I can say watch the necessary rules for
Windows while not applying the Linux rules and vice versa, i.e. have NetBIOS
rules for the 192.168.1.0/24 network but not for hosts 192.168.1.40-45; that way
unnecessary rules are not applied on traffic going to hosts/networks which don't
need them. It may not be a good example for NetBIOS due to the specific ports
that are used, but in an IIS/Apache web farm for example it could be useful.

I think the best way to decide on this would be a whitelist/blacklist approach,
so you can say apply these rules/rulesets to this entire network except for
these hosts, or say do not apply the ruleset to this network except for these
hosts. That way a sensor watching a mixed network segment can apply the
rules more accurately to the traffic.

2) suggestive rule tuning, i.e. the sensor does not see any NetBIOS traffic
within a learning period, so it can then say "no NetBIOS traffic has been seen,
do you wish to disable this ruleset?" or something similar like "do you have
Windows machines?". Likewise, if the sensor sees something that a ruleset/rule
is not enabled for, it can suggest that it be enabled. This suggestive tuning
could make it easier for new users to tune the system. This would lend
itself well to a webgui/gui approach where an area could have suggested
tuning options.
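As an added illustration (not code from this thread or from the project), here is a small Python sketch of both ideas: a directed-ruleset scope ("apply to 192.168.1.0/24 except hosts .40-45") and a learning-period pass that flags rulesets which inspected no traffic. The ruleset names, ports and flows are constructed for the example.

```python
import ipaddress
from collections import Counter

def expand_hosts(spec):
    """'192.168.1.40-45' -> the six addresses .40 to .45; a plain address -> itself."""
    if "-" in spec:
        first, last = spec.rsplit("-", 1)
        start = ipaddress.ip_address(first)
        count = int(last) - int(first.rsplit(".", 1)[1]) + 1
        return [start + i for i in range(count)]
    return [ipaddress.ip_address(spec)]

class RuleScope:
    """Directed ruleset: applies to hosts in `include` networks, except those in `exclude`."""
    def __init__(self, include, exclude=()):
        self.include = [ipaddress.ip_network(n) for n in include]
        self.exclude = {h for spec in exclude for h in expand_hosts(spec)}

    def host_in_scope(self, host):
        ip = ipaddress.ip_address(host)
        return ip not in self.exclude and any(ip in net for net in self.include)

    def applies(self, src, dst):
        # A rule is evaluated when either endpoint of the flow is in scope, so
        # traffic from an excluded host to an in-scope client is still inspected.
        return self.host_in_scope(src) or self.host_in_scope(dst)

def suggest_tuning(rulesets, flows):
    """Learning-period pass: count the flows each ruleset would inspect and
    return the names of rulesets that saw nothing (candidates to disable)."""
    hits = Counter({name: 0 for name in rulesets})
    for src, dst, dport in flows:
        for name, (scope, port) in rulesets.items():
            if dport == port and scope.applies(src, dst):
                hits[name] += 1
    return sorted(name for name, n in hits.items() if n == 0)

# Constructed sample: NetBIOS rules for the /24 except the Linux servers .40-45,
# web and SMTP rules for the whole /24, and a few hypothetical learning-period flows.
RULESETS = {
    "netbios": (RuleScope(["192.168.1.0/24"], exclude=["192.168.1.40-45"]), 445),
    "web": (RuleScope(["192.168.1.0/24"]), 80),
    "smtp": (RuleScope(["192.168.1.0/24"]), 25),
}
FLOWS = [
    ("192.168.1.10", "192.168.1.20", 445),  # Windows client to client: netbios applies
    ("192.168.1.10", "192.168.1.42", 80),   # client to Linux web server: web applies
    ("192.168.1.42", "192.168.1.43", 445),  # Linux to Linux: both excluded, netbios skipped
]

if __name__ == "__main__":
    print("rulesets with no traffic in learning period:", suggest_tuning(RULESETS, FLOWS))
```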