Date:      Tue, 19 Oct 2004 18:03:11 +0200 (CEST)
From:      Tomas Pluskal <plusik@pohoda.cz>
To:        "Devon H. O'Dell" <dodell@sitetronics.com>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: new intrusion detection system
Message-ID:  <20041019174231.S958@localhost>
In-Reply-To: <41751ADA.40107@sitetronics.com>
References:  <20041019133439.X604@localhost> <41751ADA.40107@sitetronics.com>


>
> At first glance of this email, I thought ``An IDS based upon SpamAssassin 
> ideology? Intrusions differ too much from spam for this to be accurate!'' 
> After reading your thesis, my ideas were changed.

I agree with you that this approach to IDS cannot be as accurate as 
SpamAssassin is with spam detection, because the intrusion 
detection problem is more complex and has many complications (I have also 
mentioned this in the thesis). But still this approach has its benefits.


> This work is certainly very interesting, and I encourage you to continue its 
> development. Certainly one thing that would be desirable that I did not see 
> listed in the improvements section (and many other IDS systems, such as Bro) 
> would be the ability to carry out some action (instead of pure reporting) 
> based upon behavior; this would allow for IDS as well as IPS behavior.

It is not listed in the improvements section, because it is already a part 
of the IDS - it has 6 configurable actions to invoke when the process 
score reaches a defined level. It is also possible to add new actions as 
"submodules".


>
> I'm quite interested and impressed by the work you've done here. Do you have 
> any plans of setting this up as a collaborative project? Can I help you by 
> providing a place for you to do this?

I have made this public just now, and looking at the responses, I am 
thinking about starting a project. Perhaps SourceForge would be a good 
place to start.

Looking for volunteers, of course :)

Tomas
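The scoring-with-actions design Tomas describes above (per-process score accumulated from matching rules, actions invoked when the score reaches a configured level, new actions pluggable as submodules) is the SpamAssassin idea applied to processes. The following is an added illustration of that design and is not code from Tomas Pluskal's IDS or his thesis: the rule names, scores, threshold levels, the three actions and the sample events are all assumptions made for this example, and the real system's six actions are not known from the message.

```python
"""SpamAssassin-style process scoring with threshold-triggered actions.

Added example, not code from the IDS discussed in the thread.  Rules,
scores, thresholds, actions and events are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    """One observed fact about a process (constructed for the example)."""
    pid: int
    kind: str            # "exec", "open", "setuid"
    path: str = ""
    uid: int = 1000      # real uid before the event
    euid: int = 1000     # effective uid after the event
    ok: bool = True      # did the syscall succeed?


@dataclass
class Rule:
    """A rule adds a fixed score when its predicate matches an event."""
    name: str
    score: float
    match: Callable[[Event], bool]


# Hypothetical rules; the scores are not calibrated, just illustrative.
RULES: List[Rule] = [
    Rule("EXEC_FROM_TMP", 2.5,
         lambda e: e.kind == "exec" and e.path.startswith(("/tmp/", "/var/tmp/"))),
    Rule("SHADOW_READ_DENIED", 1.5,
         lambda e: e.kind == "open" and e.path == "/etc/shadow" and not e.ok),
    Rule("UNPRIV_TO_ROOT", 3.0,
         lambda e: e.kind == "setuid" and e.uid != 0 and e.euid == 0),
    Rule("SHELL_AS_ROOT", 2.0,
         lambda e: e.kind == "exec" and e.euid == 0 and e.path.endswith("/sh")),
]

# Action "submodules": callables registered by name so new ones can be added
# without touching the scorer.  Each returns a short audit string.
ACTIONS: Dict[str, Callable[[int, float], str]] = {}


def action(name: str):
    def register(fn):
        ACTIONS[name] = fn
        return fn
    return register


@action("log")
def _log(pid: int, score: float) -> str:
    return f"log pid={pid} score={score:.1f}"


@action("alert")
def _alert(pid: int, score: float) -> str:
    return f"alert pid={pid} score={score:.1f}"


@action("kill")
def _kill(pid: int, score: float) -> str:
    # A real submodule would kill(2) the process; here we only record it.
    return f"kill pid={pid} score={score:.1f}"


# Ascending (level, action) pairs; each level fires once per process.
THRESHOLDS: List[Tuple[float, str]] = [(3.0, "log"), (5.0, "alert"), (8.0, "kill")]


class ProcessScorer:
    def __init__(self, rules: List[Rule], thresholds: List[Tuple[float, str]]):
        self.rules = rules
        self.thresholds = sorted(thresholds)
        self.scores: Dict[int, float] = {}
        self.fired: Dict[int, set] = {}
        self.audit: List[str] = []

    def feed(self, ev: Event) -> Tuple[List[str], List[str]]:
        """Score one event; return (matched rule names, actions taken)."""
        hits = [r for r in self.rules if r.match(ev)]
        self.scores[ev.pid] = self.scores.get(ev.pid, 0.0) + sum(r.score for r in hits)
        fired = self.fired.setdefault(ev.pid, set())
        taken = []
        for level, name in self.thresholds:
            if self.scores[ev.pid] >= level and level not in fired:
                fired.add(level)
                taken.append(ACTIONS[name](ev.pid, self.scores[ev.pid]))
        self.audit.extend(taken)
        return [r.name for r in hits], taken


def run_sample() -> ProcessScorer:
    """Feed a constructed event stream: one benign process, one escalating."""
    events = [
        Event(17, "exec", "/usr/bin/ls"),                         # benign, score 0
        Event(4242, "exec", "/tmp/.x/payload"),                   # +2.5 -> 2.5
        Event(4242, "open", "/etc/shadow", ok=False),             # +1.5 -> 4.0, log
        Event(4242, "setuid", uid=1000, euid=0),                  # +3.0 -> 7.0, alert
        Event(4242, "exec", "/bin/sh", uid=1000, euid=0),         # +2.0 -> 9.0, kill
    ]
    scorer = ProcessScorer(RULES, THRESHOLDS)
    for ev in events:
        scorer.feed(ev)
    return scorer


if __name__ == "__main__":
    for line in run_sample().audit:
        print(line)
```

Two design points worth noting. Each threshold fires once per process, so a noisy process does not re-trigger "alert" on every event, but a process that stays above a level after the action is taken is not revisited either; a real deployment would want scores to decay or reset after an action such as kill. And, as Tomas himself says, the rules are the weak part: the same "setuid to root followed by a shell" sequence is what su(1) does, so rules like UNPRIV_TO_ROOT need whitelisting of expected binaries before the thresholds mean anything.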


