[Oisf-users] New Post by OISF Board Member Randy Caldejon

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 2 19:39:44 UTC 2015


Off the top of my head, a few things I would like to see:

1.  Detect OS via User-Agent string and allow that to be referenced via
a keyword in rules.  Something like "os:windows".

2.  Detect new user-agent by source IP, while honoring the
x-forwarded-for header for proxied traffic.

3.  Allow keywords for time of day and src/destination country IP.

4.  Some sort of domain reputation plugin, with local caching.  Ideally
with the ability to keep a database of domain resolution per host, with
the ability to alert on new domains, per host.

5.  The ability to insert data from the behavioral analysis engine into
the output of the ASCII alert text.  So something like "msg:HTTP request
for known-bad domain %DOMAIN".

-Coop

On 10/2/2015 11:21 AM, Leonard Jacobs wrote:
> And would give Suricata the edge over many competing technologies.
> Leonard
>     ------------------------------------------------------------------------
>     *From:* Cooper F. Nelson [mailto:cnelson at ucsd.edu]
>     *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com], Kelley Misata
>     [mailto:kelley at openinfosecfoundation.org], oisf users
>     [mailto:oisf-users at openinfosecfoundation.org]
>     *Sent:* Fri, 02 Oct 2015 11:32:58 -0600
>     *Subject:* Re: [Oisf-users] New Post by OISF Board Member Randy Caldejon
> I've been doing behavioral analysis on suricata effectively for a few
> years using custom rules and post-processing of the alert files.
> This works well enough, but I will admit a more robust implementation
> that includes some sort of scripting engine would be a fantastic
> addition.
> On 10/2/2015 7:03 AM, Leonard Jacobs wrote:
>> Nicely done. Randy, glad to see I am not the only board member that
>> believes behavioral analysis is needed in Suricata.
>> I look forward to seeing everyone in Barcelona. It is going to be an
>> exciting conference.
>> Leonard Jacobs, MBA, CISSP, CSSA
>> President/CEO
>> Netsecuris Inc.
>> P 952-641-1421 ext. 20
>> http://www.netsecuris.com

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
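The new-user-agent-per-source idea (item 2, honouring X-Forwarded-For), the new-domain-per-host idea (item 4) and the templated alert message (item 5) above, as an added post-processing example over Suricata EVE JSON; this is example code, not part of the thread or of Suricata itself. The sample events are constructed, and the top-level "xff" field is assumed to carry the proxied client address, as Suricata's eve-log does in its "extra-data" XFF mode.

```python
import json
from collections import defaultdict

# Constructed sample of Suricata EVE "http" events (not real traffic). The top-level
# "xff" field is assumed to carry the X-Forwarded-For client address, as Suricata's
# eve-log does in its "extra-data" XFF mode.
SAMPLE_EVE = """{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.10","http":{"hostname":"example.com","http_user_agent":"Mozilla/5.0 (Windows NT 10.0)"}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"198.51.100.10","http":{"hostname":"example.com","http_user_agent":"Mozilla/5.0 (Windows NT 10.0)"}}
{"event_type":"http","src_ip":"10.0.0.9","dest_ip":"198.51.100.10","xff":"10.0.0.7","http":{"hostname":"cdn.example.net","http_user_agent":"curl/7.64.1"}}
{"event_type":"http","src_ip":"10.0.0.5","dest_ip":"203.0.113.4","http":{"hostname":"updates.example.org","http_user_agent":"Mozilla/5.0 (Windows NT 10.0)"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"example.com"}}"""

def client_ip(event):
    """Effective client address: prefer X-Forwarded-For when a proxy sat in front."""
    return event.get("xff") or event.get("src_ip")

def first_seen_events(lines):
    """Return (kind, host, value) for every never-before-seen UA or domain per client."""
    seen_ua, seen_domain = defaultdict(set), defaultdict(set)
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "http":      # only HTTP events carry UA/hostname
            continue
        host = client_ip(ev)
        http = ev.get("http", {})
        ua, domain = http.get("http_user_agent"), http.get("hostname")
        if ua and ua not in seen_ua[host]:
            seen_ua[host].add(ua)
            findings.append(("new-user-agent", host, ua))
        if domain and domain not in seen_domain[host]:
            seen_domain[host].add(domain)
            findings.append(("new-domain", host, domain))
    return findings

def format_alert(kind, host, value):
    """Render a finding in the 'msg with %PLACEHOLDER' style asked for in item 5."""
    templates = {
        "new-user-agent": "New User-Agent from %HOST: %VALUE",
        "new-domain": "First HTTP request from %HOST to domain %VALUE",
    }
    return templates[kind].replace("%HOST", host).replace("%VALUE", value)

if __name__ == "__main__":
    for finding in first_seen_events(SAMPLE_EVE.splitlines()):
        print(format_alert(*finding))
```

The repeated second event produces nothing, the proxied third event is attributed to the XFF address rather than the proxy, and the DNS event is skipped.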