Hi Stefano,
Thanks for the comment on this new NIDS project!
see below
This project is under development (pre-alpha version) because I did not find
another open source NIDS product that is easy to extend,
Well, this is a pity, because working on Snort or Bro or Prelude would
have benefited the community a lot more than starting YARBIDS (Yet
Another Rule Based IDS)...
I use Snort, Bro, Prelude (down) and Firestorm daily, and all have
advantages/inconveniences (and Bro is not only a YARBIDS)
and works with the very good ethereal/wireshark dissector library!
Hint: I may be wrong, but that library is painfully slow for real-time
IDS purposes on real world networks.
Maybe Martin Roesch or another Snort/Sourcefire guy can correct me on
this...
Yes, the ethereal/wireshark dissector is not very, very fast (compared to Snort),
but this feature is one point of this project (look at the home page; sorry,
it is in French at the moment),
but ethereal/wireshark has very good reassembly/frag/dissectors for many,
many, many protocols!
- fix uri content
What do you mean ? If it's the example on your page, I'm sorry to say
that contextual rules for protocols are already in Snort and in almost
any good commercial product...
Look at the /azwalaro/parser.html page and the pcap example ...
- work with ssl session
You cannot, unless you disclose private keys to your IDS box. That's Not
Recommended (TM), but there's a lot of ways to do that
Another NIDS project rejected SSL sessions, Azwalaro goes ...
- search on MIME attachments
Any IDS worth its cost can do that.
Oops, open source projects do NOT extract MIME attachments and find on ...
It is a very hard but interesting feature of the Azwalaro project
- reduce false alert
That's the holy grail, you're welcome to join us in its search :)
Look at the parser.html page ...
Happy to detect with Open Source Project !
Rmkml
[EMAIL PROTECTED]