Firewall Wizards mailing list archives

Re: Recording slow scans


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 14 Oct 1998 23:37:47 +1000 (EST)

In some email I received from Stephen P. Berry, sie wrote:


> Darren Reed <darrenr () reed wattle id au>:
> 
> > How many times do people need to reinvent the wheel?
> 
> Until there's a GPL'd wheel out there that I happen to like.  Because
> sometimes all I want is the wheel, and most vendors are car salesmen.

Well, why don't you write one for us?  I'm sure we'd all appreciate
your time and effort spent on such a project.

> [...]
> In responding I observed that I generally
> see two bottlenecks:  one in my first-order filtering;  and one during
> the analysis in the database itself.

I'm not sure that there is a bottleneck problem at the database so much as
just working with the data at an appropriate speed to get it there.

One alternative might be to (say) have a box with 5 ethernet ports on it,
1 being the data "tap" and the other 4 for syphoning data off to boxes
for processing.  For example, you might have one box dedicated to doing
TCP processing, another for UDP, another for ICMP/IGMP and another for
the remainder.

> The obvious answer (or at least the one which seems obvious to me) is
> to determine a baseline and then look for anomalies.  What remains
> an open question, however, is how to best set about doing this.

Start collecting your data!

As for how to determine the baseline and do real-time IDS with pattern
based matching, etc, a good dose of AI might be appropriate :)

Darren
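The protocol split Darren sketches above (one tap, with TCP, UDP, ICMP/IGMP and "the remainder" handed to separate processing boxes) and the baseline-then-anomalies idea from Stephen's mail can be shown in a few dozen lines. The following is an added example written for this archive page, not code from either poster: it builds constructed IPv4 packets in memory, demultiplexes them into the four lanes by the header's protocol field, and then runs a slow-scan check over the TCP/UDP lanes that flags any source touching more distinct (destination, port) pairs than a threshold allows. The threshold `max_ports_per_source` stands in for whatever the collected baseline says is normal; packet contents, addresses and the threshold value are all assumptions made up for the demonstration.

```python
import socket
import struct
from collections import defaultdict

# IPv4 protocol numbers for the four lanes described in the mail
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17


def build_ipv4(src, dst, proto, payload):
    """Constructed minimal IPv4 header (no options; checksum left at zero) plus payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len,      # version/IHL, TOS, total length
                         0, 0,                    # identification, flags/fragment offset
                         64, proto, 0,            # TTL, protocol, header checksum (not computed)
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_l4(dst_port, proto):
    """Constructed TCP (SYN) or UDP header; only the port fields are read back later."""
    if proto == PROTO_TCP:
        # src port, dst port, seq, ack, data offset, flags (SYN), window, checksum, urgent
        return struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, 0x02, 1024, 0, 0)
    # UDP: src port, dst port, length, checksum
    return struct.pack("!HHHH", 40000, dst_port, 8, 0)


def parse_ipv4(pkt):
    """Pull source, destination, protocol and (for TCP/UDP) destination port from raw bytes."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    payload = pkt[ihl:]
    dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        dst_port = struct.unpack("!H", payload[2:4])[0]
    return {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": proto, "dst_port": dst_port}


def lane_for(proto):
    """Map a protocol number onto one of the four processing boxes."""
    if proto == PROTO_TCP:
        return "tcp"
    if proto == PROTO_UDP:
        return "udp"
    if proto in (PROTO_ICMP, PROTO_IGMP):
        return "icmp_igmp"
    return "other"


def demux(packets):
    """The 'tap' box: parse each packet once and queue it for the right lane."""
    lanes = defaultdict(list)
    for pkt in packets:
        rec = parse_ipv4(pkt)
        lanes[lane_for(rec["proto"])].append(rec)
    return lanes


def slow_scan_sources(lanes, max_ports_per_source):
    """Flag sources that touched more distinct (dst, port) pairs than the baseline allows.

    No per-second rate is involved: the count runs over the whole collected window,
    which is what lets a scan spread out over hours still stand out.
    """
    touched = defaultdict(set)
    for lane in ("tcp", "udp"):
        for rec in lanes.get(lane, []):
            touched[rec["src"]].add((rec["dst"], rec["dst_port"]))
    return sorted(src for src, pairs in touched.items() if len(pairs) > max_ports_per_source)


def sample_packets():
    """Constructed traffic: a normal host, a slow port scanner, and some non-TCP/UDP noise."""
    pkts = []
    for port in (80, 443, 80, 443, 80):                       # ordinary web client
        pkts.append(build_ipv4("10.0.0.5", "192.0.2.10", PROTO_TCP, build_l4(port, PROTO_TCP)))
    pkts.append(build_ipv4("10.0.0.5", "192.0.2.53", PROTO_UDP, build_l4(53, PROTO_UDP)))
    for port in range(1, 13):                                 # one probe per port
        pkts.append(build_ipv4("10.0.0.99", "192.0.2.10", PROTO_TCP, build_l4(port, PROTO_TCP)))
    pkts.append(build_ipv4("10.0.0.7", "192.0.2.10", PROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1])))
    pkts.append(build_ipv4("10.0.0.7", "224.0.0.1", PROTO_IGMP, bytes([0x16, 0, 0, 0, 224, 0, 0, 1])))
    pkts.append(build_ipv4("10.0.0.8", "192.0.2.11", 47, b"\x00\x00\x08\x00"))   # GRE -> "other"
    return pkts


if __name__ == "__main__":
    lanes = demux(sample_packets())
    for name, recs in sorted(lanes.items()):
        print(f"{name}: {len(recs)} packets")
    print("possible slow scanners:", slow_scan_sources(lanes, max_ports_per_source=10))
```

Run on the constructed sample, the TCP lane holds 17 records, UDP 1, ICMP/IGMP 2 and "other" 1, and only 10.0.0.99 crosses the threshold. On real captures the threshold would come from the collected baseline rather than a constant, and the per-source sets would be aged out over the window length you care about.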


