[Oisf-users] [Emerging-Sigs] More "Unknown type of Driveby Sigs"

Joel Esler jesler at sourcefire.com
Mon Nov 28 14:39:05 UTC 2011


On Nov 27, 2011, at 11:15 PM, Martin Holste wrote:

>> I've read this thread, as we are currently planning the release and production of features for the next major version of Snort (beyond what we've already built), and I'm still not sure what's being asked for.
> 
> My understanding of this thread is that Kevin was suggesting that it
> would be great to have a flowbit mechanism which set a different kind
> of "noalert" in which the alerting value was computed at the end of a
> flowbit chain.  That way you could have otherwise noisy alerts go off
> only when you know they will be relevant.
> 
> I can't speak to the per-rule overhead that flowbits introduce in any
> empirical way.  I'd be glad if someone produced such measurements.
> 

We are planning on overhauling how flowbits work anyway.  We are still in the brainstorming stage at this point, but I'll keep everyone informed when we get more solid.


> What I am asking for as a feature would be protocol-specific
> connection ID's attached at least to HTTP/SMTP logs, and alerts if
> possible, so that when an alert fires for something malicious, you
> could search on the relevant protocol connection ID to see all of the
> prior artifacts on the stream.  The protocol-specific connection could
> span multiple basic TCP connections to identify browsing sessions,
> SMTP sessions, etc.  This could be identified by a combination of
> streams, user-agents, host headers, and cookies for HTTP.

That would be interesting. I'll bounce the idea around here and see what we can think of.
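As an added illustration of the protocol-level connection ID that Martin asks for above (this is example code written for this page, not Snort code and not an implemented feature of Snort or Suricata): HTTP transactions arriving on several TCP connections are grouped into one browsing session, and when an alert fires on one transaction the session's prior artifacts are pulled up. The log records, field names and the `session_id` key are all assumptions of the example. In particular the key uses only client IP and User-Agent, so a redirect chain that hops across hosts and connections stays in one session; Host and Cookie are kept on the record for searching but left out of the key, which is a design choice rather than anything the thread specifies.

```python
"""
Illustration of a protocol-specific connection ID for HTTP (added example,
not Snort/Suricata code): group transactions from different TCP connections
into one browsing session and, given an alerting transaction, return what
the same session did before it.  All records below are constructed by hand;
field names and the session key are assumptions of this example.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class HttpTxn:
    ts: float          # seconds since epoch
    tcp_id: str        # identifier of the underlying TCP connection (assumed field)
    client: str        # client IP
    host: str          # Host header
    uri: str
    user_agent: str
    cookie: str        # Cookie header, may be empty
    referer: str       # Referer header, may be empty


def session_id(txn: HttpTxn) -> str:
    """Derive a protocol-level session ID.

    Assumption of this example: key on client IP and User-Agent only, so a
    redirect chain that crosses hosts and TCP connections lands in one session.
    Host and Cookie stay on the record for searching but are not in the key.
    """
    raw = f"{txn.client}|{txn.user_agent}".encode()
    return hashlib.sha1(raw).hexdigest()[:12]


def index_sessions(txns):
    """Map session ID -> list of transactions ordered by time."""
    by_session = defaultdict(list)
    for t in txns:
        by_session[session_id(t)].append(t)
    for lst in by_session.values():
        lst.sort(key=lambda t: t.ts)
    return dict(by_session)


def prior_artifacts(index, alert_txn, window=300.0):
    """Transactions in the alerting transaction's session that preceded it
    within `window` seconds, oldest first.  The alerting transaction itself
    and anything after it are excluded."""
    sid = session_id(alert_txn)
    return [t for t in index.get(sid, [])
            if alert_txn.ts - window <= t.ts < alert_txn.ts]


# Constructed sample log: a visitor loads a compromised blog, is redirected
# to a second host over a new TCP connection, then fetches a JAR from a third
# host.  An unrelated client hits the landing host in the same time window.
UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/8.0"
SAMPLE = [
    HttpTxn(1000.0, "tcp-1", "10.0.0.5", "blog.example", "/index.html", UA, "", ""),
    HttpTxn(1001.5, "tcp-1", "10.0.0.5", "blog.example", "/js/widget.js", UA, "sess=abc",
            "http://blog.example/index.html"),
    HttpTxn(1003.0, "tcp-2", "10.0.0.5", "cdn-redirect.example", "/go.php?id=7", UA, "",
            "http://blog.example/index.html"),
    HttpTxn(1004.2, "tcp-3", "10.0.0.5", "landing.example", "/index.php", UA, "",
            "http://cdn-redirect.example/go.php?id=7"),
    HttpTxn(1006.0, "tcp-3", "10.0.0.5", "landing.example", "/load/exploit.jar", UA, "",
            "http://landing.example/index.php"),
    HttpTxn(1005.0, "tcp-4", "10.0.0.9", "landing.example", "/index.php", "curl/7.21", "", ""),
]

ALERT = SAMPLE[4]  # suppose a signature fires on the .jar request


if __name__ == "__main__":
    idx = index_sessions(SAMPLE)
    print("session", session_id(ALERT), "for alert on", ALERT.uri)
    for t in prior_artifacts(idx, ALERT):
        print(f"{t.ts:8.1f} {t.tcp_id:6} {t.host:22} {t.uri}")
```

The four prior artifacts returned for the alert span three TCP connections (tcp-1, tcp-2, tcp-3), while the curl request from 10.0.0.9 to the same landing host falls into a different session. That cross-connection view is the part a per-flow flowbit cannot give: Snort's flowbits are tracked on a single stream session, so a chain that starts on tcp-1 and ends on tcp-3 cannot be expressed with flowbits alone, which is the gap the request above is aimed at.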

