
Subject: [ISSForum] some ISS improvements...
Date: Thu, 9 Jun 2005 11:22:16 +0400

Hi, here are some improvements...
And my question is: does anyone know whether ISS plans to implement the
described features (and when?) or not (and why?).
Thank you.

1. RNE's event filters. It's desired to have an ability to make a
filter for groups of sources, groups of destinations, groups of ports
and groups of events. I.e. if I want to filter events TCP_Probe_*,
UDP_Probe_*, UDP_Port_Scan from 192.168.11.12, 192.168.12.12 to
192.168.12.13, 192.168.13.13 and 192.168.12.98, now it's almost
impossible to create such a rule, because each rule may contain only one
source address/network, destination, destination and source ports and
one event to filter.
2. Also it's desirable for RNE's event filters to create rules with
negations, i.e. when the source is specified and the destination is NOT
the specified subnet.
3. SiteProtector console filters. We can specify source/destination
as 'equal', 'not equal', 'between' something, and it's desirable to have
the ability to specify 'not between'.
4. Simple event correlation. It's desirable to have an ability to
generate a meta-event after some number of events. Because if somebody
has generated 5 events of TCP_Probe_SMTP, maybe it's normal, but when
more than 1000 events were generated from one source it's very
suspicious. Now, even with SiteProtector Central Response, I can't
generate a response only if more than N events have triggered, rather
than just one.
5. Also for the Central Response mechanism it's desired to have the ability
to generate a response only if Event 1 AND Event 2 AND Event 3 are
triggered. Now Central Response generates a response every time Event
1 OR Event 2 OR Event 3 is triggered. Taking 4 and 5 together, it's
desirable for Central Response to trigger a response after Event 1
happened N1 times AND Event 2 happened N2 times AND Event 3 happened N3
times, and all this happened within M seconds.
6. Server Sensor. It's desirable to have the ability to create filters.
7. Also, server sensor (RSV) does not support Windows Server 2003,
i.e. no new signatures for Win 2003 security audit events.
8. RNE connection events. It's desirable to have an ability to
specify at least TCP flags (to filter false positives because of replies
from the server).
9. Also, I don't know why, we can write connection events for TCP,
UDP and ICMP, but can't specify rules for IP, so if I'm interested in TCP
and UDP connections I have to write separate rules for TCP and UDP
instead of simply writing one rule for IP. And also a good feature would be
the ability to specify not only one destination port, but a range or list.
10. RNE User-Defined signatures. Desirable new context -
'Email_Attachment' - pattern to search in e-mail attachment file name.
11. Central response. Two new response objects are desirable: Syslog
- write event information into a remote syslog server, File - write
event information into a local plain-text file (it's needed for
third-party correlation and analysis).

---
Best regards, Sergey V. Soldatov.
Information security department.
tel/fax +7 095 745 89 50 
tel +7 095 777 77 07 (1613)
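The filter and correlation behaviour asked for in items 1, 2, 4 and 5 of the post above, as an added example that is not part of the original message and is not ISS RealSecure or SiteProtector code. It is a small standalone Python model: a filter rule over groups of event patterns, sources, destinations and ports (with an optional negated destination group), followed by a per-source sliding-window correlator that fires one meta-event once Event_i has occurred at least N_i times for every configured i within M seconds. The event tuples, addresses, thresholds, class and function names are all constructed for the example; the filter rule reproduces the address and event groups given in item 1.

```python
import fnmatch
import ipaddress
from collections import Counter, deque

# Constructed sample events, not from the post: (time_s, event_name, src, dst, dport)
SAMPLE_EVENTS = [
    (0,   "TCP_Probe_SMTP", "192.168.11.12", "192.168.12.13", 25),  # dropped by POST_RULE
    (1,   "UDP_Port_Scan",  "192.168.12.12", "192.168.12.98", 53),  # dropped by POST_RULE
    (2,   "TCP_Probe_SMTP", "192.168.11.12", "10.9.9.9",      25),  # dst not in group: kept
    (10,  "TCP_Probe_SMTP", "10.0.0.5", "172.16.1.1", 25),
    (12,  "TCP_Probe_SMTP", "10.0.0.5", "172.16.1.2", 25),
    (15,  "TCP_Probe_HTTP", "10.0.0.5", "172.16.1.3", 80),
    (20,  "TCP_Probe_SMTP", "10.0.0.5", "172.16.1.4", 25),
    (30,  "TCP_Probe_HTTP", "10.0.0.5", "172.16.1.5", 80),
    (40,  "UDP_Port_Scan",  "10.0.0.5", "172.16.1.6", 161),  # all thresholds met: meta-event
    (100, "TCP_Probe_SMTP", "10.0.0.7", "172.16.2.1", 25),
    (200, "TCP_Probe_SMTP", "10.0.0.7", "172.16.2.2", 25),
    (300, "TCP_Probe_SMTP", "10.0.0.7", "172.16.2.3", 25),  # 3 probes, but 200 s apart: no fire
]


class FilterRule:
    """Item 1: one rule over groups of event globs, source and destination networks
    and a port set. Item 2: negate_destination=True matches only when the destination
    is NOT in the destination group."""

    def __init__(self, events, sources, destinations, ports=None, negate_destination=False):
        self.events = events
        self.sources = [ipaddress.ip_network(s) for s in sources]
        self.destinations = [ipaddress.ip_network(d) for d in destinations]
        self.ports = None if ports is None else set(ports)  # None means any port
        self.negate_destination = negate_destination

    def matches(self, ev):
        _time_s, name, src, dst, dport = ev
        if not any(fnmatch.fnmatchcase(name, pat) for pat in self.events):
            return False
        if not any(ipaddress.ip_address(src) in net for net in self.sources):
            return False
        dst_in_group = any(ipaddress.ip_address(dst) in net for net in self.destinations)
        if dst_in_group == self.negate_destination:  # wrong side of the (possibly negated) group
            return False
        if self.ports is not None and dport not in self.ports:
            return False
        return True


def apply_filters(events, rules):
    """Drop every event that some filter rule matches; the rest go on to correlation."""
    return [ev for ev in events if not any(rule.matches(ev) for rule in rules)]


class Correlator:
    """Items 4 and 5: per source, fire one meta-event once every named event has
    occurred at least its threshold number of times within a sliding window of
    window_s seconds. Events must be fed in time order."""

    def __init__(self, thresholds, window_s):
        self.thresholds = thresholds          # {event_name: minimum count}
        self.window_s = window_s
        self.history = {}                     # src -> deque of (time_s, event_name)

    def feed(self, ev):
        time_s, name, src, _dst, _dport = ev
        if name not in self.thresholds:       # not part of this correlation rule
            return None
        window = self.history.setdefault(src, deque())
        window.append((time_s, name))
        while window and time_s - window[0][0] > self.window_s:
            window.popleft()                  # expire events older than M seconds
        counts = Counter(n for _, n in window)
        if all(counts[n] >= k for n, k in self.thresholds.items()):
            window.clear()                    # report each burst once, then start over
            return {"time": time_s, "src": src, "meta_event": "Correlated_Probe_Burst",
                    "counts": dict(counts)}
        return None

    def run(self, events):
        return [m for m in (self.feed(ev) for ev in events) if m is not None]


# The exact groups from item 1 of the post, expressed as one rule instead of many.
POST_RULE = FilterRule(
    events=["TCP_Probe_*", "UDP_Probe_*", "UDP_Port_Scan"],
    sources=["192.168.11.12", "192.168.12.12"],
    destinations=["192.168.12.13", "192.168.13.13", "192.168.12.98"],
)

# Item 2: SMTP probes from 10/8 whose destination is NOT in 172.16.1.0/24 (constructed).
NEGATED_RULE = FilterRule(
    events=["TCP_Probe_SMTP"], sources=["10.0.0.0/8"],
    destinations=["172.16.1.0/24"], negate_destination=True,
)

# Item 5: N1 SMTP probes AND N2 HTTP probes AND N3 port scans within M = 60 s (constructed).
THRESHOLDS = {"TCP_Probe_SMTP": 3, "TCP_Probe_HTTP": 2, "UDP_Port_Scan": 1}
WINDOW_S = 60


def demo(events=SAMPLE_EVENTS):
    """Filter the constructed feed with POST_RULE, then correlate; returns (kept, meta_events)."""
    kept = apply_filters(events, [POST_RULE])
    return kept, Correlator(THRESHOLDS, WINDOW_S).run(kept)


if __name__ == "__main__":
    kept, meta = demo()
    print(f"{len(SAMPLE_EVENTS) - len(kept)} events suppressed by filter, {len(kept)} kept")
    for m in meta:
        print("META-EVENT", m)
```

Running it suppresses the two events that fall inside the item 1 groups, leaves the probe from 192.168.11.12 to an address outside the destination group, and raises a single meta-event for 10.0.0.5 at t=40, while the three widely spaced probes from 10.0.0.7 never reach the threshold because the window expires between them.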

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.