[Snort-devel] results of the SANS snort bof

Jed Pickel jed at ...7...
Wed Oct 25 23:56:57 EDT 2000


FYI... There was lots of snortage at the SANS security conference last
week. I took some notes during the snort BOF. Below is a consolidated
list of what some snorters thought would be some good features for
snort version 2.0. No doubt I did not catch all the good ideas in
these notes. Anyone else who was there, feel free to fill in the gaps.

* Jed

SNORT BOF wish list

  * rules to handle lists of IP addresses
  * knowledge of the type of machines on the network and whether
    each is vulnerable
  * passive stack fingerprinting
  * target-based IDS (snort/nessus integration)
  * getting snort CVE certified
  * interoperating with CVE and other standardized signature
    bodies
  * adding CSV as a database type to the db plugin
  * adding severity for rules and rulesets
  * more powerful rule language
  * ability to replicate, synchronize, or use a pull model
    to populate snort databases
  * cryptographically signed timestamping (for forensics)
  * portable logger (with syslog support), like Yen-Ming's
    pico FreeBSD logger with syslog support. Does it already
    have syslog support, Yen-Ming?
  * a snort GUI plugin interface
  * when this rule fires, collect the next X packets that are
    part of the session that fired this alert. You can
    do this with 1.7 beta with dynamic rules.
  * the packet switchyard: a lot of plugins would like
    to keep packets around. Park packets in different queues;
    plugins can then reference the queues.
  * similarly, the alert switchyard idea, so you can correlate
    and have more complicated checks.
  * integrate the Windows port into the snort codebase.
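The "collect the next X packets" item refers to the activate/dynamic rule pair that Snort 1.x provides. The following rule pair is an added illustration, not from the post above or from any Snort distribution: the message text, the content pattern, the port and the count of 50 are constructed placeholders, and it assumes the usual $HOME_NET variable is defined in snort.conf.

```snort
# Constructed example: an activate rule that, when it matches, switches on
# dynamic rule 1. The dynamic rule then logs the next 50 packets that match
# its own header before switching itself off again.
#
# Note that a dynamic rule selects packets by its header fields, not by
# TCP session state, so the "<>" bidirectional operator is used here to
# catch both directions of the conversation; a one-way "->" header would
# only capture the client-to-server half.
activate tcp !$HOME_NET any -> $HOME_NET 143 (msg:"EXAMPLE trigger on port 143"; flags:PA; content:"EXAMPLE-TRIGGER"; activates:1;)
dynamic tcp !$HOME_NET any <> $HOME_NET 143 (activated_by:1; count:50;)
```

The count is a packet count, not a byte or time limit, and nothing ties the captured packets to the exact session that triggered the rule, so the logged set can include unrelated traffic to the same port if more than one client is active; that limitation is why a true "follow the session" feature appears on the wish list.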