Subject: Re: [snort] snortdb & snortnet
From: Martin Roesch (roeschhiverworld.com)
Date: Mon Mar 06 2000 - 17:17:53 CST


Yen-Ming Chen wrote:
>
> Well, actually Jed and I just had lunch together today. :)

Excellent!

> 3. We need to measure the performance for snort, snort + db, snort + db +
> net, while some people might already begin to put IPC/SHM/Thread/whatever
> support in snort.

Interesting, I've been trying to measure the performance myself for
quite some time now unsuccessfully. I have some vague ideas how Snort
performs, but in general I haven't had too many complaints regarding
performance issues.

> 5. I have a 'simple' prototype of 'snortnet' here, which combines 2 FreeBSD
> boxes; they both run snort 1.6-beta9 + snortdb. One machine sends the log
> through ssh to the machine with the web server, which is the web page you see.
> I don't know how scalable this prototype will be, yet. :)

Well, I'm impressed with the functionality you've achieved so far!

> 7. We're wondering whether the database can provide any help on better
> judgement of 'false alarm' or 'ambiguous rules'. I hope to find some way to
> improve the current 'signature database' we can find on the Internet.

Max would be the guy to talk to about this sort of thing. If any of you
are on the IDS mailing list, you probably saw the message I posted last
night regarding the architecture of ARMOR, so you can see from that what
we've developed as our false alarm mitigation strategy.

> 9. Both Jed and I are looking for people to work with us. :) Resumes,
> resumes, resumes... :)

I'd love to pitch in, but I'm a little busy right now... :)

-- 
Martin Roesch                      <roeschhiverworld.com>
Director of Forensic Systems     http://www.hiverworld.com
Hiverworld, Inc.               Enterprise Network Security
Network Forensics, Intrusion Detection and Risk Assessment
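
One way to wire up the log hop in the two-box prototype described in point 5 above (sensor appends to a Snort alert file, a forwarder ships new lines over ssh to the box with the web server), written here as an added example that is not from the original thread, from snortnet or from the Snort project. The log path, the collector account and host, the key path and the remote file name are assumptions; the part that matters is the forced-command authorized_keys entry, which lets the sensor's key do nothing on the collector except append to one file.

```shell
#!/bin/sh
# Added example, not from the original thread. Ship a Snort alert log from a
# sensor to a collector over ssh, restricting the sensor's key on the
# collector to a single append. Paths, hosts and key names are assumptions.

SENSOR_LOG="${SENSOR_LOG:-/var/log/snort/alert}"          # assumed sensor path
COLLECTOR="${COLLECTOR:-snortdb@webhost.example.org}"      # assumed account@host
COLLECTOR_FILE="${COLLECTOR_FILE:-/var/log/snort/remote/sensor1.alert}"
SENSOR_KEY="${SENSOR_KEY:-/root/.ssh/snort_forward}"      # assumed key path

# Build the authorized_keys line the collector should carry for the sensor's
# public key: the forced command overrides anything the client asks for, so
# the key can only append to $1; no shell, no pty, no forwarding.
collector_authorized_keys_entry() {
    printf 'command="cat >> %s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$1" "$2"
}

# Forward only the lines added since the last run. $1 is the log, $2 a small
# state file holding the number of lines already sent, and the remaining
# arguments are the transport command that reads the lines on stdin (ssh in
# production; anything that accepts stdin works, which keeps this testable
# offline). Returns nonzero and leaves the state untouched if transport fails.
forward_new_lines() {
    log="$1"; state="$2"; shift 2
    last=0
    [ -f "$state" ] && last=$(cat "$state")
    total=$(wc -l < "$log" | tr -d ' ')
    if [ "$total" -gt "$last" ]; then
        tail -n +"$((last + 1))" "$log" | "$@" || return 1
        printf '%s\n' "$total" > "$state"
    fi
    return 0
}

# Production invocation (from cron on the sensor). No remote command is
# given: the forced command on the collector decides what runs.
if [ "${1:-}" = "run" ]; then
    forward_new_lines "$SENSOR_LOG" "${SENSOR_LOG}.offset" \
        ssh -i "$SENSOR_KEY" "$COLLECTOR"
fi
```

The offset file is only advanced after the transport command exits zero, so a failed ssh session leaves the unsent lines to be retried on the next run rather than silently dropped; duplicates can still occur if the connection dies after the remote `cat` has written but before the client sees the exit status, which is the usual trade-off for an append-only channel without acknowledgements.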