File: WISHLIST

Package: snort 2.3.2-3 (Debian suite: sarge; area: main)
$Id: WISHLIST,v 1.2 2002/05/28 18:01:24 cazz Exp $

SIGNATURES
----
* UDP & ICMP flow.  (Client = first person to talk?)
* Distance from beginning of the stream
* Distance between CONTENT and NEWLINE
* IP Ranges
* Port ranges
* SRC & DST ports not required for signatures of protocols that don't have
  ports

PLUGINS
----
* unified IP formats (IPs are specified in the same way for every plugin)
* Better portscan detection
* coffee plugin.  (Over $X high-priority alarms during off hours =
  make big pot of coffee)
* all plugin alerts contain the following configurations
  - priority
  - classtype
  - references
  - host ranges (IP ranges, just like rules)
  - port ranges (port ranges, just like rules)

PROTOCOLS
----
* email parsing (i.e. flagging on an attachment name)
* HTTP CGI Variables (GET & POST)
* HTTP/1.1 decodes

GENERAL
----
* method to reload signatures without killing state engine
* self healing (dropping lots of packets?  drop lower priority signatures)
* regular statistic dumps
* better access to protocol stats (i.e. 70% TCP, 20% UDP, 10% ICMP)
* better access to port stats (i.e. 70% port 80, 20% port 25, 10% port 22)
* multithreading
* thresholds for all alerts (signatures & plugins)
  - X sid:313 alerts from Y hosts in Z seconds
  - X tcp overlap alerts from the same host in Y seconds
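As an added illustration of the two threshold shapes in the last item (not part of the Snort source or of this file), here is a sliding-window checker in Python: sid 313 comes from the list above, while sid 9999, the X/Y/Z values and the sample alerts are constructed for the example.

```python
from collections import defaultdict, deque


class AlertThreshold:
    """Sliding-window threshold for one alert key (e.g. a signature id).

    Fires when at least `count` alerts fall within `seconds` and, if
    `min_hosts` > 1, only when they come from that many distinct source
    hosts ("X sid:313 alerts from Y hosts in Z seconds").  With
    track_by="src" a separate window is kept per source host, which
    models "X alerts from the same host in Y seconds".
    """

    def __init__(self, count, seconds, min_hosts=1, track_by="all"):
        self.count, self.seconds, self.min_hosts = count, seconds, min_hosts
        self.track_by = track_by
        self.windows = defaultdict(deque)  # key -> deque of (ts, src)

    def event(self, ts, src):
        """Record one alert; return True when the threshold is crossed."""
        win = self.windows[src if self.track_by == "src" else "all"]
        win.append((ts, src))
        while win and ts - win[0][0] > self.seconds:  # expire old alerts
            win.popleft()
        hosts = {s for _, s in win}
        if len(win) >= self.count and len(hosts) >= self.min_hosts:
            win.clear()  # one burst raises one threshold alert, then resets
            return True
        return False


# Constructed thresholds: X=3 sid:313 alerts from Y=2 hosts in Z=10 s, and
# 3 "tcp overlap" alerts (placeholder sid 9999) from the same host in 5 s.
THRESHOLDS = {
    313: AlertThreshold(count=3, seconds=10, min_hosts=2),
    9999: AlertThreshold(count=3, seconds=5, track_by="src"),
}

# Constructed sample alerts as (timestamp, sid, src_ip), in time order.
SAMPLE_ALERTS = [
    (0, 313, "10.0.0.1"), (0, 9999, "10.0.0.5"), (1, 9999, "10.0.0.6"),
    (2, 313, "10.0.0.1"), (2, 9999, "10.0.0.5"), (3, 9999, "10.0.0.5"),
    (4, 313, "10.0.0.1"), (5, 313, "10.0.0.2"), (20, 9999, "10.0.0.5"),
    (30, 313, "10.0.0.3"),
]


def run(alerts, thresholds):
    """Return the (timestamp, sid) pairs at which a threshold fired."""
    fired = []
    for ts, sid, src in alerts:
        th = thresholds.get(sid)
        if th is not None and th.event(ts, src):
            fired.append((ts, sid))
    return fired  # -> [(3, 9999), (5, 313)]
```

Note that three sid:313 alerts from a single host (t=0..4) do not fire; the fourth from a second host does, and the per-host window for sid 9999 fires on the third alert from 10.0.0.5 while 10.0.0.6 is not counted.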