[Oisf-users] [Discussion] [Emerging-Sigs] OISF Brainstorming Session Summary / Phase Three Draft Dev Roadmap

Seth Hall seth at icir.org
Mon Sep 26 18:02:20 UTC 2011

(wow this is an extremely cross-posted thread!)

On Sep 24, 2011, at 11:14 AM, Martin Holste wrote:

> Indeed!  As the only (remote) conference attendee that I know of who
> runs Snort, Suricata, and Bro in production on a very large network,

It's good to have someone like you around. :)

>> SSL Analyzer: High Priority / Medium Resources required
>> This module will be implemented in two phases. The first phase will do the following:
> I strongly discourage this feature from being included in the
> immediate roadmap because it is so completely covered by Bro, and
> because the performance penalty for SSL processing is enormous in
> modern enterprise networks.

Our code is BSD licensed at least so it can be reused.  For the tasks that I imagine you'd want to be doing with Suricata, I wouldn't expect the processing to be that intense actually.  Processing SSL traffic isn't really that hard.  Of course, in Bro we are using OpenSSL to process X.509 certificates and that's where most of the usable information is in the session setup.  You could easily still do something like parse the traffic to find the agreed cipher if you wanted to deny traffic based on weak ciphers.

Not that I'm arguing against using the next release of Bro!

>> IP and DNS Reputation Distribution: High Priority / High Resources Required
> This is one of the features that is fairly unique to Suricata (at
> least for live traffic) and so I really encourage this one.
> Specifically, Suricata has the fastest IP matcher that I know of--it's
> one of its greatest strengths.  Reputation allows Surciata to cash in
> on this.

To be fair, Bro uses longest prefix matching for IP addresses and networks (which I assume Suricata is as well) and is extremely fast.

> I really think that the group has overestimated the value of the above
> "anomalies" which are exhibited already by almost half of the hosts
> visited on a normal network.  

Agreed.  I started doing this a long time ago with Bro in the hope that I would catch some really cool stuff.  It never panned out like I hoped.  I found things like cnn.com which (at the time) had a ttl of 0.  It turns out though that there are some weird things to catch still, but finding the tricks are mostly driven by active incident responders who know what attackers are doing today.

>> GEO IP: High Priority / Low Resources
>> This module will use a geo-ip database such as Maxmind to allow geolocation of IP addresses.
> This would also be a feature unique (mostly) to Suricata, extending the
> community IDS capabilities.

Hey!  I think that should be called a feature to distinguish from Snort, not unique in the community. ;)

I also wanted to mention that I got a chance to hang out with Victor during dinner one evening and had a great time.  Now I just wishing that we had met a long time ago!


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Oisf-users mailing list