[Discussion] a few ideas

Menerick, John jmenerick at netsuite.com
Fri Mar 6 23:28:41 UTC 2009


My preference would be to keep it outside of the engine.  Or at least in a modular fashion built into the engine.  Not only for performance reasons but for KISS pragmatic design.


John Menerick

________________________________________
From: discussion-bounces at openinfosecfoundation.org [discussion-bounces at openinfosecfoundation.org] On Behalf Of Edward Bjarte Fjellskål [edward.fjellskal at redpill-linpro.com]
Sent: Friday, March 06, 2009 11:19 AM
To: Victor Julien
Cc: Kevin Ross; discussion at openinfosecfoundation.org
Subject: Re: [Discussion] a few ideas

Victor Julien wrote:
> Edward Bjarte Fjellskål wrote:
>
>> I want to take this one step further, and try to do this automatically... I'm
>> working on a little perl daemon, to sniff the traffic, and detect OS and
>> Services running on my network. Hopefully, in the future, this could be
>> used to
>> automatically help in the "auto categorization" of events... in sguil or
>> other IDS gui...
>> ( http://www.gamelinux.org/?p=43  and  http://gamelinux.github.com/prads/ )
>>
>
> I'm still a bit torn on whether we should have the engine itself do the
> detection of this information or if we should enable the engine to be
> fed this info by external programs like your prads.
>
> Thoughts anyone?
>
> Regards,
> Victor
My thoughts are to keep them outside the engine, if it sucks up too much
juice.

Or the option to turn it off/on in the engine... and be able to have
input from another sensor, or an external program.

I'm also in favor of the thought that an external program would be
better. The external program could be updated separately with
fingerprints/signatures/rules without dependency on the Engine. The
external program could also be used for other stuff.... Larger community :)

But that said, the exact values for ttl etc. that the Engine should be using for
a host would best be predicted from the same data that the Engine sees.
If the Engine depends on correct ttl (etc.) values........ So an
external program might need to be placed correctly, listening on the same
TAP etc.

e
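As an added example, not code from this thread, from prads or from the engine: a small Python sketch of the split Edward describes, a prads-style passive profiler on one tap that exports per-host facts, plus the engine-side check that catches his placement caveat (a feed built from a different vantage point). Packet observations, host addresses, the `guess_initial_ttl`, `PassiveProfiler` and `engine_ttl_consistent` names, and the fixed set of default TTLs are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INITIAL_TTLS = (32, 64, 128, 255)  # common OS default TTLs (assumed small fixed set)

@dataclass
class HostProfile:
    initial_ttl: Optional[int] = None  # inferred OS default TTL
    hops: Optional[int] = None         # hop distance from *this* sensor only
    ports: Dict[int, str] = field(default_factory=dict)  # port -> service hint
    conflicts: List[int] = field(default_factory=list)   # TTLs that disagree

def guess_initial_ttl(observed_ttl: int) -> Tuple[int, int]:
    """(initial_ttl, hops): smallest common default >= observed, and the decrement."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError(f"TTL out of range: {observed_ttl}")
    initial = next(c for c in INITIAL_TTLS if observed_ttl <= c)
    return initial, initial - observed_ttl

class PassiveProfiler:
    """Learns per-host facts from packets seen on one tap, prads-style."""
    def __init__(self) -> None:
        self.hosts: Dict[str, HostProfile] = {}

    def observe(self, src_ip: str, ttl: int, sport: int = 0, hint: str = "") -> HostProfile:
        prof = self.hosts.setdefault(src_ip, HostProfile())
        initial, hops = guess_initial_ttl(ttl)
        if prof.initial_ttl is None:
            prof.initial_ttl, prof.hops = initial, hops
        elif prof.initial_ttl != initial:
            prof.conflicts.append(ttl)  # OS changed, or two vantage points merged
        if hint:
            prof.ports[sport] = hint
        return prof

    def export(self) -> Dict[str, int]:
        # Feed the engine the inferred *initial* TTL only; the hop count is
        # specific to where this sensor sits and would mislead another tap.
        return {ip: p.initial_ttl for ip, p in self.hosts.items()
                if p.initial_ttl is not None}

def engine_ttl_consistent(feed: Dict[str, int], src_ip: str, ttl_at_engine: int) -> bool:
    """Engine-side check: does the TTL the engine itself sees from src_ip fit the
    initial TTL reported by the external program? False means the feed is stale
    or the two sensors are not watching the same traffic."""
    return src_ip in feed and guess_initial_ttl(ttl_at_engine)[0] == feed[src_ip]
```

Feeding the engine the inferred initial TTL rather than the raw observed TTL is what lets the two programs sit on different taps; the engine still recomputes the hop distance from its own view.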





_______________________________________________
Discussion mailing list
Discussion at openinfosecfoundation.org
http://lists.openinfosecfoundation.org/mailman/listinfo/discussion