Hi, here are some suggested improvements... And my question is: does anyone know whether ISS plans to implement the described features (and when) or not (and why)? Thank you.
1. RNE event filters. It would be desirable to be able to create a filter for groups of sources, groups of destinations, groups of ports and groups of events. I.e. if I want to filter the events TCP_Probe_*, UDP_Probe_*, UDP_Port_Scan from 192.168.11.12, 192.168.12.12 to 192.168.12.13, 192.168.13.13 and 192.168.12.98, it is currently almost impossible to create such a rule, because each rule may contain only one source address/network, one destination, one source and destination port and one event to filter.

2. It would also be desirable for RNE event filters to support rules with negations, i.e. the source is specified and the destination is NOT the specified subnet.

3. SiteProtector console filters. We can specify a source/destination as 'equal', 'not equal' or 'between' something; it would be desirable to also be able to specify 'not between'.

4. Simple event correlation. It would be desirable to be able to generate a meta-event after some number of events. If somebody generates 5 TCP_Probe_SMTP events, that may be normal, but when more than 1000 events are generated from one source it is very suspicious. Currently, even with SiteProtector Central Response, I can't generate a response only if more than N events have triggered, rather than after just one.

5. Also, for the Central Response mechanism it would be desirable to be able to generate a response only if Event 1 AND Event 2 AND Event 3 are triggered. Currently Central Response generates a response every time Event 1 OR Event 2 OR Event 3 is triggered. Taking 4 and 5 together, it would be desirable for Central Response to trigger a response after Event 1 has happened N1 times AND Event 2 has happened N2 times AND Event 3 has happened N3 times, all within M seconds.

6. Server Sensor. It would be desirable to be able to create filters.

7. Also, Server Sensor (RSV) does not support Windows Server 2003, i.e. there are no new signatures for Win 2003 security audit events.

8. RNE connection events. It would be desirable to be able to specify at least TCP flags (to filter false positives caused by replies from the server).

9. Also, I don't know why, but we can write connection events for TCP, UDP and ICMP, yet can't specify rules for IP, so if I am interested in TCP and UDP connections I have to write separate rules for TCP and UDP instead of simply writing one rule for IP. Another good feature would be the ability to specify not only one destination port, but a range or a list.

10. RNE user-defined signatures. A new context would be desirable: 'Email_Attachment', a pattern to search for in the e-mail attachment file name.

11. Central Response. Two new response objects would be desirable: Syslog, which writes event information to a remote syslog server, and File, which writes event information to a local plain-text file (needed for third-party correlation and analysis).

---
Best regards,
Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50
tel +7 095 777 77 07 (1613)
_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
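Items 4 and 5 of the post above ask for "N events from one source" and "Event 1 N1 times AND Event 2 N2 times ... within M seconds" correlation. As an added illustration, not part of the original post and not ISS or SiteProtector code, here is a small Python implementation of that logic over a sliding time window. The Event/MetaEvent types, the correlate() function, the sample signature names and the constructed event list (which reuses two addresses from item 1 of the post) are all assumptions for the example; a single-entry rule gives the plain threshold case of item 4, a multi-entry rule gives the AND case of item 5.

```python
"""Sliding-window, per-source, multi-event threshold correlation (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    ts: float      # seconds (epoch or any monotonic clock)
    name: str      # signature / event name, e.g. "TCP_Probe_SMTP"
    src: str       # source address
    dst: str       # destination address


@dataclass(frozen=True)
class MetaEvent:
    ts: float      # time the rule fired (timestamp of the event that completed it)
    src: str       # offending source
    rule: str      # rule label


def correlate(events: Iterable[Event], rule: Dict[str, int], window: float,
              rule_name: str = "meta") -> List[MetaEvent]:
    """Emit one MetaEvent per source each time every event name in `rule` has
    occurred at least rule[name] times from that source within `window` seconds.

    rule = {"TCP_Probe_SMTP": 1000}            -> item 4 (N events from one source)
    rule = {"E1": N1, "E2": N2, "E3": N3}       -> item 5 (E1 AND E2 AND E3, each N times)
    """
    # per source, per event name: timestamps still inside the window
    hits: Dict[str, Dict[str, Deque[float]]] = defaultdict(lambda: defaultdict(deque))
    out: List[MetaEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.name not in rule:            # events the rule does not mention are ignored
            continue
        per_src = hits[ev.src]
        per_src[ev.name].append(ev.ts)
        cutoff = ev.ts - window            # evict everything older than the window
        for q in per_src.values():
            while q and q[0] < cutoff:
                q.popleft()
        if all(len(per_src[name]) >= n for name, n in rule.items()):
            out.append(MetaEvent(ev.ts, ev.src, rule_name))
            per_src.clear()                # reset so one burst does not re-fire on every later event
    return out


# Constructed sample input (not real sensor output).
# 192.168.11.12 fires TCP_Probe_SMTP five times in 40 s plus two UDP_Port_Scans;
# 192.168.12.12 fires the same signature but only once every 100 s.
SAMPLE_EVENTS = [
    Event(0, "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13"),
    Event(10, "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13"),
    Event(20, "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13"),
    Event(25, "UDP_Port_Scan", "192.168.11.12", "192.168.12.13"),
    Event(30, "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13"),
    Event(35, "UDP_Port_Scan", "192.168.11.12", "192.168.12.13"),
    Event(40, "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13"),
    Event(0, "TCP_Probe_SMTP", "192.168.12.12", "192.168.13.13"),
    Event(100, "TCP_Probe_SMTP", "192.168.12.12", "192.168.13.13"),
    Event(200, "TCP_Probe_SMTP", "192.168.12.12", "192.168.13.13"),
    Event(300, "TCP_Probe_SMTP", "192.168.12.12", "192.168.13.13"),
    Event(400, "TCP_Probe_SMTP", "192.168.12.12", "192.168.13.13"),
]

BURST_RULE = {"TCP_Probe_SMTP": 5}                       # item 4: 5 probes within the window
AND_RULE = {"TCP_Probe_SMTP": 3, "UDP_Port_Scan": 2}     # item 5: both signatures, each N times


if __name__ == "__main__":
    for label, rule in (("burst", BURST_RULE), ("and", AND_RULE)):
        for m in correlate(SAMPLE_EVENTS, rule, window=60, rule_name=label):
            print(f"{m.rule}: source {m.src} at t={m.ts}")
```

Only the host that produced five probes inside 60 s fires the burst rule; the slow host never accumulates enough hits before eviction, which is exactly the distinction item 4 asks the product to make. The per-source reset after a match is a design choice: without it a long burst would emit a meta-event on every further packet, which is the flood of responses the post complains about.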
