[Oisf-users] New Post by OISF Board Member Randy Caldejon

[Andreas Moe]

All those suggestions seem good, but they are moving fairly close to what
SIEM solutions and data analysis / aggregation / coorelations systems
should (in my mind) be handeling. Threat Intel such as domain / ip rep can
change suddenly (say its lunch time, and you recive some new IOCs), and you
dont want to reboot suricata (if the implementation would imply that was
needed), and you would (as you often do) want to look retrospetivly for
previous incidents on earlier unkown IOCs.

Keywords for time of day would be nice, but there would have to be alot of
time put into how this was implemented, seing that many users are
multinational, and spread over many timezones, but using one central
signature management solution. Maybe if you had "alert-on:!work-hours" and
work-hours was defined as a variable (in the same way as network variables)
in the configuration.

Tracking user agents would maybe be abit dificult, changes so much, length
pattern matching (performance), and so easily / rapidly changing. PCRE
matches against elements found in this list:
http://www.useragentstring.com/pages/Browserlist/ would be very performance
draining on a high speed link.

Sorry for sounding so negative, but i really like were this talk i going,
the potential future + innovating ideas =)

Things im thinking of (and some of these are in play) are:
- Integration with queue elements for output (say kafka) as well as input
(maybe for domain/ip rep, as you mentioned, so that you can just "push" it
out to the sensors)
- Multi tenancy (vlan / interface, seperate output logs)
- Periods of feature locks with focus on security testing and optimalization
- Integration with databased for direct output of say passive dns logging
- Configuration profiling vs observed stats reporting and suricata
performance (not really sure how, just an idea i had, just as we have
packet profiling, say "user starts suricata with config-profiling, lots of
defraged packet are found causing memcap reach, and similar events, packet
drops and so on, and this would be reported back in a report).
- Complementary live Suricata pet to the top developer of the year (maybe
victor ++ could start a Zoo?)

/AndreasM

2015-10-02 21:39 GMT+02:00 Cooper F. Nelson <cnelson at ucsd.edu>:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Off the top of my head, a few things I would like to see:
>
> 1.  Detect OS via User-Agent string and allow that to be referenced via
> a keyword in rules.  Something like "os:windows".
>
> 2.  Detect new user-agent by source IP, while honoring the
> x-forwarded-for header for proxied traffic.
>
> 3.  Allow keywords for time of day and src/destination country IP.
>
> 4.  Some sort of domain reputation plugin, with local caching.  Ideally
> with the ability to keep a database of domain resolution per host, with
> the ability to alert on new domains, per host.
>
> 5.   The ability to insert data from the behavioral analysis engine into
> the output of the ascii alert text.  So something like "msg:HTTP request
> for known-bad domain %DOMAIN".
>
> - -Coop
>
> On 10/2/2015 11:21 AM, Leonard Jacobs wrote:
> > And would give Suricata the edge over many competing technology.
> >
> > Leonard
> >
> >
> >
>  ------------------------------------------------------------------------
> >     *From:* Cooper F. Nelson [mailto:cnelson at ucsd.edu]
> >     *To:* Leonard Jacobs [mailto:ljacobs at netsecuris.com], Kelley Misata
> >     [mailto:kelley at openinfosecfoundation.org], oisf users
> >     [mailto:oisf-users at openinfosecfoundation.org]
> >     *Sent:* Fri, 02 Oct 2015 11:32:58 -0600
> >     *Subject:* Re: [Oisf-users] New Post by OISF Board Member Randy
> Caldejon
> >
> > I've been doing behavioral analysis on suricata effectively for a few
> > years using custom rules and post-processing of the alert files.
> >
> > This works well enough, but I will admit a more robust implementation
> > that includes some sort of scripting engine would be a fantastic
> > addition.
> >
> > On 10/2/2015 7:03 AM, Leonard Jacobs wrote:
> >> Nicely done. Randy, glad to see I am not the only board member that
> >> believes behavioral analysis is needed in Suricata.
> >
> >> I look forward to see everyone in Barcelona. It is going to be an
> >> exciting conference.
> >
> >> Leonard Jacobs, MBA, CISSP, CSSA
> >> President/CEO
> >> Netsecuris Inc.
> >> P 952-641-1421 ext. 20
> >> http://www.netsecuris.com
> >
> >
> >
>
> - --
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iQEcBAEBAgAGBQJWDt2AAAoJEKIFRYQsa8FWAfIH/3HQZNdX6kFnNasDclGdeQek
> vvgjzaiXUtVwplpjqb5Bnte31AKHR9OKXrDHDpzVkAc5c5r6uFXW6rC6Iiu5Fd3E
> 38EzAj1SR3PDOSwavExIo/R/t2gWrKYP3AYXBzmzfWkx29saIwGnFbku+H/7DQQj
> 44Eykp/SfevRUNxBVM0lgcwctGpTTfxMIqRx7G0zNhz7vVhCvoyhypk769Xu5Qm/
> Z9kDodkZKQ5GkNujQBCPY0Ol4Nw0DsGBdrrlNoKXa5EKnWt6/X2iwjNpfm9t7yWS
> YfCO3XdFFtJV6usUYchbuXBHOPF0jp8+mKyZWYRBQwMwxXF0TejnQvw2gZOWdBc=
> =bBxK
> -----END PGP SIGNATURE-----
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona:
> http://oisfevents.net
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20151002/b272b606/attachment-0002.html>