[Discussion] [Emerging-Sigs] OISF Brainstorming Session Summary / Phase Three Draft Dev Roadmap

Martin Holste mcholste at gmail.com
Mon Sep 26 18:31:42 UTC 2011


> Our code is BSD licensed at least so it can be reused.  For the tasks that I imagine you'd want to be doing with Suricata, I wouldn't expect the processing to be that intense actually.

Well, when I put Bro on just port 443, it still has to work pretty
hard, which is why I believe that asking Suricata to walk the cert
chain would add a considerable load.  Now, I'll certainly admit that's
far from scientific reasoning, but my other point stands: if I already
have a tool available which will alert on invalid certs, why do I need
another one, especially when that would come with the opportunity cost
of not implementing some currently unimplemented feature.  Sure, there
are a few cool things you can do in Suricata with that, but I'd wager
that we're already getting 80% of the use from the simple pattern
matching sigs we have out there for the "Internet Widgits" and
"SnakeOil" fake SSL certificates.  So, I'm not against putting SSL
features into Suricata, I just want that to be one of the last things
to go in.

> To be fair, Bro uses longest prefix matching for IP addresses and networks (which I assume Suricata is as well) and is extremely fast.
>

Touché.  Since I'm not running the RBN signatures in Bro, I guess I
just haven't seen its IP matching in action yet.

>>> GEO IP: High Priority / Low Resources
> Hey!  I think that should be called a feature to distinguish from Snort, not unique in the community. ;)

Touché again, I realized right after I sent my last email that Bro had
plenty of GeoIP integrated already.  I haven't used them in the
notice.log much yet, so I forgot about that.
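The two detection techniques the post contrasts, simple pattern matching on the subject of a fake SSL certificate and longest prefix matching of an IP against a list of networks, as an added example in Python (not code from the post, from Bro, or from Suricata). It assumes constructed ssl.log-style lines with four tab-separated fields (ts, id.resp_h, subject, validation_status), a constructed watchlist of CIDR blocks, and the two default organisation names named in the post; none of these come from real traffic.

```python
import ipaddress
from typing import Optional

# Constructed sample lines in the style of Bro's ssl.log (a four-field
# subset: ts, id.resp_h, subject, validation_status). Made up for this
# example; the addresses are documentation ranges, not real servers.
SAMPLE_SSL_LOG = """\
1317061902.123\t203.0.113.10\tCN=mail.example.test,O=Example Corp,C=US\tok
1317061903.456\t198.51.100.7\tCN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU\tself signed certificate
1317061904.789\t192.0.2.55\tCN=www.snakeoil.dom,O=Snake Oil Ltd,C=XY\tunable to get local issuer certificate
1317061905.000\t203.0.113.200\tCN=shop.example.test,O=Example Corp,C=US\tok
"""

# Placeholder organisation names that OpenSSL's default "req" prompts and the
# old mod_ssl demo certificate leave in a subject; matching them is the
# "simple pattern matching sigs" approach the post refers to.
PLACEHOLDER_ORGS = ("internet widgits pty ltd", "snake oil ltd")

# Constructed watchlist (assumption for this example): CIDR block -> label.
# The /26 nested inside the /24 is there to show longest-prefix behaviour.
WATCHLIST = {
    "203.0.113.0/24": "watch-generic",
    "203.0.113.192/26": "watch-specific",
    "192.0.2.0/24": "watch-other",
}


def build_prefix_table(cidrs: dict) -> list:
    """Sort networks longest prefix first so the first containing net wins."""
    table = [(ipaddress.ip_network(c), label) for c, label in cidrs.items()]
    table.sort(key=lambda t: t[0].prefixlen, reverse=True)
    return table


def longest_prefix_match(ip: str, table: list) -> Optional[str]:
    """Return the label of the most specific network containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, label in table:
        if addr in net:
            return label
    return None


def subject_org(subject: str) -> str:
    """Pull the O= attribute out of a comma-separated subject string."""
    for part in subject.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    return ""


def has_placeholder_org(subject: str) -> bool:
    """True when the certificate's organisation is a known default/demo value."""
    return subject_org(subject).lower() in PLACEHOLDER_ORGS


def scan_ssl_log(text: str, table: list) -> list:
    """Return (resp_h, reasons) for every line that trips at least one check.

    Reasons: 'placeholder-org' from the subject pattern match, 'validation:...'
    from the logged chain-validation status, and the watchlist label from the
    longest-prefix match on the responder address.
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, resp_h, subject, status = line.split("\t")
        reasons = []
        if has_placeholder_org(subject):
            reasons.append("placeholder-org")
        if status != "ok":
            reasons.append(f"validation:{status}")
        label = longest_prefix_match(resp_h, table)
        if label:
            reasons.append(label)
        if reasons:
            hits.append((resp_h, reasons))
    return hits


if __name__ == "__main__":
    for host, why in scan_ssl_log(SAMPLE_SSL_LOG, build_prefix_table(WATCHLIST)):
        print(host, ", ".join(why))
```

The prefix table is a sorted linear scan, which is enough to show why the most specific block wins; a production matcher would use a radix tree, which is what gives Bro and Suricata their speed on large IP lists. The chain-validation check here only reads a status already computed by the sensor, which is the point of the post: the expensive work of walking the chain is done once, upstream.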
