[Oisf-users] [Emerging-Sigs] More "Unknown type of Driveby Sigs"

Martin Holste mcholste at gmail.com
Mon Nov 28 04:15:59 UTC 2011


> I've read this thread, as we are currently planning the release and production of features for the next major version of Snort (beyond what we've already built), and I'm still not sure what's being asked for.

My understanding of this thread is that Kevin was suggesting that it
would be great to have a flowbit mechanism which set a different kind
of "noalert" in which the alerting value was computed at the end of a
flowbit chain.  That way you could have otherwise noisy alerts go off
only when you know they will be relevant.

I can't speak to the per-rule overhead that flowbits introduce in any
empirical way.  I'd be glad if someone produced such measurements.

What I am asking for as a feature would be protocol-specific
connection IDs attached at least to HTTP/SMTP logs, and alerts if
possible, so that when an alert fires for something malicious, you
could search on the relevant protocol connection ID to see all of the
prior artifacts on the stream.  The protocol-specific connection could
span multiple basic TCP connections to identify browsing sessions,
SMTP sessions, etc.  This could be identified by a combination of
streams, user-agents, host headers, and cookies for HTTP.
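One way to build the session pivot described above, as an added example that is not part of the original post or of any IDS project: it assumes HTTP log records carrying a per-TCP-stream id, source IP, User-Agent, Host and Cookie fields (constructed sample data), groups them into browsing sessions spanning several TCP streams, and lets an alert on one stream pull up the earlier artifacts of the same session.

```python
import hashlib
from collections import defaultdict

# Constructed sample HTTP log records (not real traffic). "stream" is the basic
# TCP connection id; streams 1, 2, 3 and 5 come from one browser, stream 4 from
# a different client on the same host.
HTTP_LOG = [
    {"ts": 100, "stream": 1, "src": "10.0.0.5", "ua": "Mozilla/5.0 (X11)",
     "host": "news.example", "cookie": "sid=abc123", "uri": "/index.html"},
    {"ts": 101, "stream": 2, "src": "10.0.0.5", "ua": "Mozilla/5.0 (X11)",
     "host": "cdn.example", "cookie": "", "uri": "/ad.js"},
    {"ts": 103, "stream": 3, "src": "10.0.0.5", "ua": "Mozilla/5.0 (X11)",
     "host": "third.example", "cookie": "", "uri": "/payload.jar"},
    {"ts": 104, "stream": 4, "src": "10.0.0.5", "ua": "curl/7.0",
     "host": "repo.example", "cookie": "", "uri": "/pkg.tgz"},
    {"ts": 900, "stream": 5, "src": "10.0.0.5", "ua": "Mozilla/5.0 (X11)",
     "host": "news.example", "cookie": "sid=abc123", "uri": "/later.html"},
]

IDLE_GAP = 300  # assumed: seconds of silence that ends a browsing session


def assign_session_ids(records, idle_gap=IDLE_GAP):
    """Return {stream: session_id}. Requests sharing source IP and User-Agent
    within idle_gap form one session; a request presenting a cookie value
    already seen from that source rejoins the session that set it."""
    current = {}            # (src, ua) -> (session_id, last_ts)
    cookie_to_session = {}  # (src, cookie) -> session_id
    stream_to_session = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["ua"])
        open_sess = current.get(key)
        if rec["cookie"] and (rec["src"], rec["cookie"]) in cookie_to_session:
            sid = cookie_to_session[(rec["src"], rec["cookie"])]
        elif open_sess and rec["ts"] - open_sess[1] <= idle_gap:
            sid = open_sess[0]
        else:  # new session: short stable id derived from client + start time
            sid = hashlib.sha1(f"{key}|{rec['ts']}".encode()).hexdigest()[:12]
        current[key] = (sid, rec["ts"])
        if rec["cookie"]:
            cookie_to_session[(rec["src"], rec["cookie"])] = sid
        stream_to_session[rec["stream"]] = sid
    return stream_to_session


def prior_artifacts(records, alert_stream, alert_ts, idle_gap=IDLE_GAP):
    """Given an alert on one TCP stream, return every record of the same
    protocol session up to the alert time, across all its TCP streams."""
    sessions = assign_session_ids(records, idle_gap)
    sid = sessions[alert_stream]
    return [r for r in sorted(records, key=lambda r: r["ts"])
            if sessions[r["stream"]] == sid and r["ts"] <= alert_ts]
```

An alert on stream 3 at ts 103 pivots to streams 1, 2 and 3 only; the curl download on stream 4 and the later request on stream 5 are excluded.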
