[Oisf-users] New Post by OISF Board Member Randy Caldejon

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 2 19:39:44 UTC 2015



Off the top of my head, a few things I would like to see:

1.  Detect OS via User-Agent string and allow that to be referenced via
a keyword in rules.  Something like "os:windows".

2.  Detect new user-agent by source IP, while honoring the
x-forwarded-for header for proxied traffic.

3.  Allow keywords for time of day and src/destination country IP.

4.  Some sort of domain reputation plugin, with local caching.  Ideally
with the ability to keep a database of domain resolution per host, with
the ability to alert on new domains, per host.

5.  The ability to insert data from the behavioral analysis engine into
the output of the ascii alert text.  So something like "msg:HTTP request
for known-bad domain %DOMAIN".

-Coop

On 10/2/2015 11:21 AM, Leonard Jacobs wrote:
> And would give Suricata the edge over many competing technologies.
> 
> Leonard
> 
> 
>     ------------------------------------------------------------------------
>     *From:* Cooper F. Nelson [mailto:cnelson at ucsd.edu]
>     *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com], Kelley Misata
>     [mailto:kelley at openinfosecfoundation.org], oisf users
>     [mailto:oisf-users at openinfosecfoundation.org]
>     *Sent:* Fri, 02 Oct 2015 11:32:58 -0600
>     *Subject:* Re: [Oisf-users] New Post by OISF Board Member Randy Caldejon
> 
> I've been doing behavioral analysis on Suricata effectively for a few
> years using custom rules and post-processing of the alert files.
> 
> This works well enough, but I will admit a more robust implementation
> that includes some sort of scripting engine would be a fantastic
> addition.
> 
> On 10/2/2015 7:03 AM, Leonard Jacobs wrote:
>> Nicely done. Randy, glad to see I am not the only board member that
>> believes behavioral analysis is needed in Suricata.
> 
>> I look forward to seeing everyone in Barcelona. It is going to be an
>> exciting conference.
> 
>> Leonard Jacobs, MBA, CISSP, CSSA
>> President/CEO
>> Netsecuris Inc.
>> P 952-641-1421 ext. 20
>> http://www.netsecuris.com
> 

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
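The per-host first-seen checks that items 1, 2, 4 and 5 of the wishlist describe, written as an added example that post-processes Suricata EVE http records in Python (this is not Cooper's code or anything from the Suricata project). The record layout is constructed, including the assumption that a logged X-Forwarded-For value appears under an `xff` key, and the sample lines are constructed too.

```python
import json
from collections import defaultdict

# Constructed EVE http records standing in for eve.json (not from the thread).
# The "xff" key is an assumption about how X-Forwarded-For would be logged.
SAMPLE_EVE = """\
{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"example.com","http_user_agent":"Mozilla/5.0 (Windows NT 6.1)"}}
{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"example.com","http_user_agent":"Mozilla/5.0 (Windows NT 6.1)"}}
{"event_type":"http","src_ip":"192.0.2.10","http":{"hostname":"cdn.example.net","http_user_agent":"curl/7.43.0","xff":"10.0.0.7, 192.0.2.10"}}
{"event_type":"http","src_ip":"10.0.0.5","http":{"hostname":"example.org","http_user_agent":"Mozilla/5.0 (X11; Linux x86_64)"}}
{"event_type":"dns","src_ip":"10.0.0.5","dns":{"rrname":"ignored.example"}}
"""

def client_ip(rec):
    """Item 2: honour X-Forwarded-For for proxied traffic, else use src_ip."""
    xff = rec.get("http", {}).get("xff")
    if xff:
        return xff.split(",")[0].strip()   # first hop is the original client
    return rec["src_ip"]

def os_from_ua(ua):
    """Item 1: coarse OS label from a User-Agent string ("os:windows" style)."""
    ua = ua.lower()
    for needle, label in (("windows", "windows"), ("android", "android"),
                          ("iphone", "ios"), ("mac os", "macos"), ("linux", "linux")):
        if needle in ua:
            return label
    return "unknown"

def first_seen_alerts(lines, msg="HTTP request for new domain %DOMAIN from %OS host"):
    """Items 2, 4 and 5: baseline user-agents and domains per host, alert the first
    time a host shows a new one, and expand %TOKENS in the alert text."""
    seen_ua, seen_dom, alerts = defaultdict(set), defaultdict(set), []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event_type") != "http":
            continue
        host, http = client_ip(rec), rec["http"]
        ua, dom = http.get("http_user_agent", ""), http.get("hostname", "")
        if ua and ua not in seen_ua[host]:
            seen_ua[host].add(ua)
            alerts.append((host, "new-ua", ua))
        if dom and dom not in seen_dom[host]:
            seen_dom[host].add(dom)
            alerts.append((host, "new-domain",
                           msg.replace("%DOMAIN", dom).replace("%OS", os_from_ua(ua))))
    return alerts

if __name__ == "__main__":
    for host, kind, text in first_seen_alerts(SAMPLE_EVE.splitlines()):
        print(host, kind, text)
```

The baseline lives only in memory here; a persistent store would be needed to keep the per-host history item 4 asks for across runs.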