[Discussion] a few ideas

Edward Bjarte Fjellskål edward.fjellskal at redpill-linpro.com
Fri Mar 6 19:19:07 UTC 2009


Victor Julien wrote:
> Edward Bjarte Fjellskål wrote:
>   
>> I want to take this one step further, and try to do this automatic... I'm
>> working on a little perl daemon, to sniff the traffic, and detect OS and
>> Services running on my network. Hopefully, in the future, this could be
>> used to
>> automatically help in the "auto categorization" of events... in sguil or
>> other IDS gui...
>> ( http://www.gamelinux.org/?p=43  and  http://gamelinux.github.com/prads/ )
>>     
>
> I'm still a bit torn on whether we should have the engine itself do the
> detection of this information or if we should enable the engine to be
> fed this info by external programs like your prads.
>
> Thoughts anyone?
>
> Regards,
> Victor
My thoughts are to keep them outside the engine, if it sucks up too much
juice.

Or the option to turn it off/on in the engine... and be able to have
input from another sensor, or an external program.

I'm also in favor of the thought that an external program would be
better. The external program could be updated separately with
fingerprints/signatures/rules without dependency on the Engine. The
external program could also be used for other stuff.... Larger community :)

But that said, exact values for ttl etc. the Engine should be using for
a host, would best be predicted from the same data that the Engine sees.
If the Engine depends on correct ttl (etc.) values........ So an
external program might need to be placed correctly, listening on the same
TAP etc.

e
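As an added illustration (not prads code and not from anyone in this thread), here is the TTL half of a passive host profiler and why the vantage point matters: the same traffic seen by a sensor two hops further from the hosts gives different hop distances and, for the far host, a wrong initial-TTL guess. All names, the initial-TTL table and the sample packets are constructed for this example.

```python
from dataclasses import dataclass

# Common initial TTL values set by operating systems (Windows 128, Linux/BSD 64,
# many routers 255, some legacy systems 32).
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class HostProfile:
    ip: str
    observed_ttl: int
    initial_ttl: int  # TTL the host is inferred to have started with
    distance: int     # hops between the host and this sensor


def infer_initial_ttl(observed_ttl):
    """Smallest common initial TTL that is >= the observed value."""
    for ttl in INITIAL_TTLS:
        if observed_ttl <= ttl:
            return ttl
    raise ValueError("TTL out of range")


def build_host_table(packets):
    """packets: iterable of (src_ip, ttl) as seen on the sensor's own TAP."""
    table = {}
    for src_ip, ttl in packets:
        initial = infer_initial_ttl(ttl)
        prof = HostProfile(src_ip, ttl, initial, initial - ttl)
        # keep the highest TTL seen per host: the closest to its real initial value
        if src_ip not in table or ttl > table[src_ip].observed_ttl:
            table[src_ip] = prof
    return table


def seen_from(packets, extra_hops):
    """The same traffic as observed by a sensor placed extra_hops further away."""
    return [(ip, ttl - extra_hops) for ip, ttl in packets]


# Constructed sample traffic as seen on the engine's TAP (not real captures).
SAMPLE_PACKETS = [
    ("10.0.0.5", 64), ("10.0.0.5", 63),  # Linux-like host on the local segment
    ("192.168.7.20", 126),              # Windows-like host two hops away
    ("172.16.3.9", 33),                 # initial TTL 64 host, 31 hops away
]

if __name__ == "__main__":
    for ip, p in build_host_table(SAMPLE_PACKETS).items():
        q = build_host_table(seen_from(SAMPLE_PACKETS, 2))[ip]
        print(ip, (p.initial_ttl, p.distance), "vs", (q.initial_ttl, q.distance))
```

For 172.16.3.9 the local TAP infers initial TTL 64 at 31 hops, while the sensor two hops further sees TTL 31 and wrongly infers initial TTL 32 at one hop, which is exactly the mismatch an engine fed from a differently placed sensor would inherit.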
