[Discussion] Just one question

Matt Jonkman jonkman at jonkmans.com
Wed Mar 18 13:44:21 UTC 2009


Very good question Claudio. Our charter is to build something new. We
are talking about a lot of things that are the next thing for Snort, or
what we wish Snort could do.

But our primary goal is to break out of whatever limitations we've had
in the past to build what we need for the long term. Plugins as you
mentioned are definitely the right idea.

I like your scoring idea. We have something similar on the roadmap. I
liken it to spamassassin-style decision making. A lot of little factors
could add up to be enough to cause an alert, or cause a stream to be
captured in anticipation of it likely being bad or needing human analysis.

Now will the new thing be 100% different from Snort? Likely not. We're
trying to keep signature compatibility in some form to the old rules (no
one wants to rewrite the last 10 years of signature intelligence). But
we'll also likely have a second language that fits what we're hoping to
get to in the future and that will likely be plugin based as you suggest.

That help?

Matt

Claudio Criscione wrote:
> Hello all,
>  I've been quietly lurking in the last months, but I've got a question.
> It's still unclear to me if the new IDS will be snort_NG or not. It's not an
> issue by itself, mind you, but most paradigms or even programming techniques
> I've seen discussed in this list are natural evolutions of what is already
> there in snort. This can be perfectly ok if you are evolving snort, otherwise
> maybe you should try to discuss more... core issues.*
> 
> Let me explain that with an example: why should you want to have just one rule
> processor?
> Whatever semantic you pull in it, it can't possibly cover whatever evolution
> we will have in the next years - or will do it unsatisfactorily. See the
> limitations of snort on webapps, for instance, or in virtualized datacenters
> or cloud services.
> What about a plugin based rule system? A nibble of data gets in, a score gets
> out, then you combine all the scores. Want to develop a virtualization based
> detector? Just plug it in and choose your semantic.
> 
> Now, this is just an example, but I've got the feeling this project is very
> snort-oriented (which, let me say it again, is not an issue!). Even if it was
> obvious and stated somewhere, please make it clear for me :-)
> 
> 
> 
> * please note that many of the insights I have seen in the list, be them snort
> related or not, are very interesting and good ideas!
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
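As an added illustration of the two ideas in this exchange (Matt's spamassassin-style accumulation of small factors with a "capture for a human" tier below the alert tier, and Claudio's plugin detectors that each emit a score to be combined), here is a small scoring engine. This is example code written for this page, not code from the list, from Snort, or from the project under discussion; the plugin names, thresholds, sample events and the additive-score rule are all assumptions chosen to show the mechanism.

```python
"""Plugin-based additive scoring for an IDS decision engine (illustrative).

Each plugin looks at one normalised event and returns (score, reason).  The
engine sums the scores spamassassin-style: no single plugin decides, but enough
small factors push an event over the CAPTURE threshold (retain the stream for a
human) or the higher ALERT threshold.  New detector semantics (a virtualization
or cloud plugin, say) are added by registering another function.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]
Plugin = Callable[[Event], Tuple[float, str]]  # returns (score, reason)

# Hypothetical thresholds; a real sensor would tune these per deployment.
CAPTURE_THRESHOLD = 3.0
ALERT_THRESHOLD = 5.0


@dataclass
class Verdict:
    score: float
    reasons: List[str] = field(default_factory=list)

    @property
    def capture(self) -> bool:
        return self.score >= CAPTURE_THRESHOLD

    @property
    def alert(self) -> bool:
        return self.score >= ALERT_THRESHOLD


class ScoringEngine:
    def __init__(self) -> None:
        self._plugins: List[Plugin] = []

    def register(self, plugin: Plugin) -> Plugin:
        """Decorator: add a detector plugin to the evaluation chain."""
        self._plugins.append(plugin)
        return plugin

    def evaluate(self, event: Event) -> Verdict:
        verdict = Verdict(0.0)
        for plugin in self._plugins:
            score, reason = plugin(event)
            if score:
                verdict.score += score
                verdict.reasons.append(f"{plugin.__name__}: {reason} (+{score})")
        return verdict


engine = ScoringEngine()


# --- Example plugins (hypothetical heuristics, each worth only a few points) ---
@engine.register
def path_traversal(event: Event) -> Tuple[float, str]:
    uri = str(event.get("uri", "")).lower()
    if "../" in uri or "..%2f" in uri:
        return 2.0, "dot-dot segment in URI"
    return 0.0, ""


@engine.register
def long_uri(event: Event) -> Tuple[float, str]:
    n = len(str(event.get("uri", "")))
    return (1.5, f"URI length {n}") if n > 200 else (0.0, "")


@engine.register
def empty_user_agent(event: Event) -> Tuple[float, str]:
    if not str(event.get("user_agent", "")):
        return 1.0, "no User-Agent header"
    return 0.0, ""


@engine.register
def rate_burst(event: Event) -> Tuple[float, str]:
    rate = float(event.get("req_per_min", 0))
    return (2.5, f"{rate:.0f} req/min from one source") if rate > 300 else (0.0, "")


# Constructed sample events, not real traffic.
SAMPLE_EVENTS: List[Event] = [
    {"src": "10.0.0.5", "uri": "/index.html", "user_agent": "Mozilla/5.0", "req_per_min": 12},
    {"src": "10.0.0.9", "uri": "/app?file=../../private/config", "user_agent": "", "req_per_min": 20},
    {"src": "10.0.0.7", "uri": "/" + "A" * 250, "user_agent": "", "req_per_min": 400},
]


def triage(events: List[Event]) -> List[Verdict]:
    """Score every event; callers act on verdict.capture / verdict.alert."""
    return [engine.evaluate(e) for e in events]


if __name__ == "__main__":
    for ev, v in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        state = "ALERT" if v.alert else "CAPTURE" if v.capture else "ok"
        print(f"{ev['src']:10} score={v.score:4.1f} {state:8} {'; '.join(v.reasons)}")
```

The point of the design is that the second sample event never trips an alert on its own (two weak signals sum to 3.0), yet it crosses the capture line so the stream is kept for analysis, while the third event reaches the alert threshold only because three independent plugins each contributed. Because plugins are plain callables, a detector for a new domain is registered without touching the engine or the other rules.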