On 10/22/2010 07:25 AM, Michael Starks wrote:
This is the big perspective on the future of OSSEC. Think BIG! It doesn't matter if no HIDS has ever done it before. It doesn't even matter if you think it can't be done. Let's dream.
I think it would be neat to explore ways we can utilize stats for collective protection and improving the software.
With an anonymous, opt-in way to send which rules are tuned/overridden the most, which are firing anew, which IPs attack and so on, we can get a better idea about how to tune and protect.
Having a rules update daemon/script would allow us to release new attack rules quickly and fix rules that are broken. Beta rules could be tested better.
The agent processes should be a bit difficult to kill. I don't see this as being a big protection, but it might help with simple scripted attacks that try to kill OSSEC.
System profiling and heuristic-type functionality would be great. Attacks generally create activity on the system that is by definition abnormal, so the better we do at understanding what is normal, the more potential for seeing new attacks.
How about a universal decoder? Certain parts of a log can probably be recognized automatically. Something like an IP address and "user=" type of field could be automagically extracted if no other decoder matched. Then we could have simple fallback rules that do things like check if the IP is in the "bad ips" cdb list.
-- Michael Starks [I] Immutable Security http://www.immutablesecurity.com
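The "universal decoder" idea in the message above, sketched as an added example that is not part of the original post and not OSSEC's own code: a fallback decoder that pulls an IP address and a `user=` field out of a log line no specific decoder claimed, followed by a simple rule that checks the extracted address against a "bad ips" list. The `BAD_IPS` set stands in for the cdb list, the sample log lines are constructed, and the `username=` variant and the handling of version-number-like strings and invalid dotted quads are assumptions that go slightly beyond the post.

```python
import re
from ipaddress import ip_address

# Constructed stand-in for a "bad ips" cdb list (assumption: any set-like lookup works).
BAD_IPS = {"203.0.113.7", "198.51.100.23"}

# Dotted-quad candidates. The lookarounds reject longer dotted strings such as
# version numbers ("1.2.3.4.5") that a plain \b-bounded pattern would accept.
IP_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# "user=" or "username=" style fields (the username= form is an assumption).
USER_RE = re.compile(r"\buser(?:name)?=(?P<user>[A-Za-z0-9_.@-]+)", re.IGNORECASE)


def _is_ip(text):
    """True only for a syntactically valid address (rejects e.g. 999.1.1.1)."""
    try:
        ip_address(text)
    except ValueError:
        return False
    return True


def fallback_decode(line):
    """Generic decoder: pull srcip and user out of an otherwise unmatched log line."""
    fields = {}
    for candidate in IP_RE.findall(line):
        if _is_ip(candidate):
            fields["srcip"] = candidate  # first valid address is treated as the source
            break
    match = USER_RE.search(line)
    if match:
        fields["user"] = match.group("user")
    return fields


def fallback_rules(fields):
    """Simple rules that only need the generic fields, e.g. a bad-IP list check."""
    alerts = []
    src = fields.get("srcip")
    if src and src in BAD_IPS:
        alerts.append("bad-ip: connection involving %s" % src)
    return alerts


# Constructed sample lines from a hypothetical application with no dedicated decoder.
SAMPLE_LOGS = [
    "Oct 22 07:25:01 host customapp[123]: connection from 203.0.113.7 user=alice status=denied",
    "Oct 22 07:25:02 host customapp[123]: session opened for username=bob from 192.0.2.10",
    "Oct 22 07:25:03 host customapp[123]: agent version 1.2.3.4.5 started",
    "Oct 22 07:25:04 host customapp[123]: probe from 999.1.1.1 rejected",
]


def process(lines):
    """Run the fallback decoder and rules over each line; returns (fields, alerts) pairs."""
    results = []
    for line in lines:
        fields = fallback_decode(line)
        results.append((fields, fallback_rules(fields)))
    return results


if __name__ == "__main__":
    for fields, alerts in process(SAMPLE_LOGS):
        print(fields, alerts)
```

Running it shows the first line decoded to `srcip=203.0.113.7, user=alice` and flagged against the list, the second decoded without an alert, and the last two producing no `srcip` at all, which is the point of validating candidates before handing them to a rule: a generic extractor that treated `1.2.3.4` inside a version string as an address would feed the bad-IP check noise.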
