[Snort-devel] results of the SANS snort bof
jed at ...7...
Wed Oct 25 23:56:57 EDT 2000
FYI.. There was lots of snortage at the SANS security conference last
week. I took some notes during the snort BOF. Below is a consolidated
list of what some snorters thought would be some good features for
snort version 2.0. No doubt I did not catch all the good ideas in
these notes. Anyone else who was there, feel free to fill in the gaps.
SNORT BOF wish list
* rules to handle lists of IP addresses
* knowledge of the type of machines on the network and if
* passive stack fingerprinting
* target based IDS (snort/nessus integration)
* Getting snort CVE Certified
* Interoperating with CVE and other standardized signature
* adding CSV as a database type to db plugin
* adding severity for rules and ruleset
* more powerful rule language
* ability to replicate, synchronize, or use pull model
to populate snort databases
* cryptographically signed timestamping (for forensics)
* portable logger (with syslog support), like Yen-Ming's
pico FreeBSD logger with syslog support. Does it already
have syslog support, Yen-Ming?
* A snort GUI plugin interface
* When this rule fires, collect the next X packets that are
part of the session that fired this alert. You can
do this with the 1.7 beta using dynamic rules.
* The packet switchyard: A lot of plugins would like
to keep packets around. Park packets in different queues.
Plugins can then reference the queues.
* Similarly the alert switchyard idea so you can correlate
and have more complicated checks.
* Integrate the Windows port into snort codebase.
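As an added illustration of the "collect the next X packets of the session" item above (not part of the original post, and not a rule shipped with snort): the activate/dynamic rule pair below follows the Snort 1.x rule syntax. The activate rule alerts on a placeholder payload pattern on inbound IMAP and activates dynamic rule 1; that dynamic rule then logs the next 50 packets matching the same header so the rest of the session is captured. The HOME_NET value and the content pattern are assumptions chosen for the example, not signatures for any real vulnerability.

```snort
# Added example rules, not from the post. HOME_NET is an assumed value;
# adjust to the monitored network.
var HOME_NET 192.168.1.0/24

# Fires on a placeholder payload pattern (not a real exploit signature)
# in an inbound IMAP session and switches on dynamic rule 1.
activate tcp !$HOME_NET any -> $HOME_NET 143 (flags: PA; content: "|90 90 90 90|"; activates: 1; msg: "example: suspicious IMAP payload, capturing session";)

# Once activated, logs the next 50 packets with matching headers, then
# goes back to sleep until activated again.
dynamic tcp !$HOME_NET any -> $HOME_NET 143 (activated_by: 1; count: 50;)
```

The dynamic rule only matches on header fields, so it picks up the remainder of the session regardless of payload; the count sets how many packets are logged before the rule deactivates.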