[Discussion] Just one question
Claudio Criscione
c.criscione at securenetwork.it
Wed Mar 18 09:12:57 UTC 2009
Hello all,
I've been quietly lurking in the last months, but I've got a question.
It's still unclear to me if the new IDS will be snort_NG or not. It's not an
issue by itself, mind you, but most paradigms or even programming techniques
I've seen discussed in this list are natural evolutions of what is already
there in snort. This can be perfectly ok if you are evolving snort, otherwise
maybe you should try to discuss more... core issues.*
Let me explain that with an example: why should you want to have just one rule
processor?
Whatever semantics you pull into it, it can't possibly cover whatever evolution
we will have in the next years - or will do so unsatisfactorily. See the
limitations of snort on webapps, for instance, or in virtualized datacenters
or cloud services.
What about a plugin based rule system? A nibble of data gets in, a score gets
out, then you combine all the scores. Want to develop a virtualization based
detector? Just plug it in and choose your semantic.
Now, this is just an example, but I've got the feeling this project is very
snort-oriented (which, let me say it again, is not an issue!). Even if it was
obvious and stated somewhere, please make it clear for me :-)
* please note that many of the insights I have seen in the list, be they snort
related or not, are very interesting and good ideas!
--
Claudio Criscione
Secure Network S.r.l.
Via Venezia, 23 - 20099 Sesto San Giovanni (MI) - Italia
Tel: +39 02.24126788 Mob: +39 392 3389178
email: c.criscione at securenetwork.it
web: www.securenetwork.it
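The plugin based scoring idea sketched in the message above, as an added example that is not part of the original post or of any IDS project: each detector plugin turns one unit of data into a score, the core only combines scores, and a new detector (or a new combination semantic) plugs in without touching the core. The Event fields, the two detectors and both combiners are hypothetical choices made for this example.

```python
import math
from dataclasses import dataclass
from typing import Callable, Dict
@dataclass(frozen=True)
class Event:  # the "nibble" of data every plugin sees (fields constructed for this example)
    uri: str
    payload: bytes
Detector = Callable[[Event], float]             # plugin: Event -> score in [0, 1]
Combiner = Callable[[Dict[str, float]], float]  # semantic: per-plugin scores -> one score

class ScoringEngine:
    # The core knows only the plugin interface and the chosen combination semantic.
    def __init__(self, combine: Combiner, threshold: float = 0.5) -> None:
        self.plugins: Dict[str, Detector] = {}
        self.combine, self.threshold = combine, threshold
    def register(self, name: str, detector: Detector) -> None:
        self.plugins[name] = detector
    def scores(self, ev: Event) -> Dict[str, float]:
        # every plugin votes independently; clamp so a misbehaving plugin cannot swamp the rest
        return {n: min(1.0, max(0.0, d(ev))) for n, d in self.plugins.items()}
    def alert(self, ev: Event) -> bool:
        return self.combine(self.scores(ev)) >= self.threshold

# Hypothetical web-app plugin: directory-traversal tokens in the request URI.
def webapp_traversal(ev: Event) -> float:
    return 1.0 if any(t in ev.uri.lower() for t in ("../", "%2e%2e/")) else 0.0

# Hypothetical payload plugin: normalised Shannon entropy (8 bits/byte is the maximum).
def payload_entropy(ev: Event) -> float:
    if not ev.payload:
        return 0.0
    n = len(ev.payload)
    probs = [ev.payload.count(b) / n for b in set(ev.payload)]
    return -sum(p * math.log2(p) for p in probs) / 8.0

# Two combination semantics: any single strong vote, or a weighted consensus.
def max_vote(scores: Dict[str, float]) -> float:
    return max(scores.values(), default=0.0)

def weighted(weights: Dict[str, float]) -> Combiner:
    def combine(scores: Dict[str, float]) -> float:
        total = sum(weights.get(k, 1.0) for k in scores) or 1.0
        return sum(weights.get(k, 1.0) * v for k, v in scores.items()) / total
    return combine

def build_engine(combine: Combiner = max_vote) -> ScoringEngine:
    eng = ScoringEngine(combine)
    eng.register("webapp", webapp_traversal)   # adding a detector touches only this registry
    eng.register("entropy", payload_entropy)
    return eng
```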