[Oisf-users] [Discussion] [Emerging-Sigs] OISF Brainstorming Session Summary / Phase Three Draft Dev Roadmap
mcholste at gmail.com
Mon Sep 26 18:31:42 UTC 2011
> Our code is BSD licensed at least so it can be reused. For the tasks that I imagine you'd want to be doing with Suricata, I wouldn't expect the processing to be that intense actually.
Well, when I put Bro on just port 443, it still has to work pretty
hard, which is why I believe that asking Suricata to walk the cert
chain would add a considerable load. Now, I'll certainly admit that's
far from scientific reasoning, but my other point stands: if I already
have a tool available which will alert on invalid certs, why do I need
another one, especially when that would come with the opportunity cost
of not implementing some currently unimplemented feature. Sure, there
are a few cool things you can do in Suricata with that, but I'd wager
that we're already getting 80% of the use from the simple pattern
matching sigs we have out there for the "Internet Widgits" and
"SnakeOil" fake SSL certificates. So, I'm not against putting SSL
features into Suricata, I just want that to be one of the last things
to go in.
> To be fair, Bro uses longest prefix matching for IP addresses and networks (which I assume Suricata is as well) and is extremely fast.
Touche. Since I'm not running the RBN signatures in Bro, I guess I
just haven't seen its IP matching in action yet.
>>> GEO IP: High Priority / Low Resources
> Hey! I think that should be called a feature to distinguish from Snort, not unique in the community. ;)
Touche again, I realized right after I sent my last email that Bro had
plenty of GeoIP integrated already. I haven't used them in the
notice.log much yet, so I forgot about that.
More information about the Oisf-users