[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [RFC] programmatic IDS routing

> > So the admin would create the rule he wants, create a unique key and tell
> > the IDS what the key is and how it should react when it sees a record with
> > that key.
> Yes. What I want to do is also say that if you create your unique key a 
> certain way, you get this additional benefit of realtime alerting or 
> correlation. If you choose not to, then it's treated as any other event

I agree with Steve's compromise with speed, but maybe there's no way out
of using hashes or linked lists in the general case.

What if a message is important not only for the IDS plugin but also to a
fictional 'real-time compliance reporting' plugin - both wanting to use
the key field to carry special things, and in the same event:
type=USER_ACCT msg=... key=ids-file-high,sox-fault-med,actual_key

The plug-ins would need to check if their specific identifier is present
not only in the first 4 bytes, but after every comma.

If it's desirable to support the general case, instead of putting
everything in one single 'key' field, maybe having an index just like
execve arguments:
type=USER_ACCT msg=... key[0]=ids-file-high key[1]=sox-fault-med

Still need to iterate through all keys in the worst case, but the
plugins could individually choose between having the rules hardcoded (for
speed) or configurable.

Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
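As an added illustration (my own code, not anything from the audit project or from the people in this thread), the following Python shows the two key layouts discussed above side by side: a single comma-separated key field and an indexed key[N] field. A small router dispatches each record to the consumers whose identifier prefix matches, and a deliberately naive check that only looks at the start of the key field shows why the "first 4 bytes" shortcut misses a second plugin's identifier. The record lines, field values and the prefix convention (ids-, sox-) are constructed assumptions for the example, not real audit output.

```python
import re
from collections import defaultdict

# Constructed sample records (not captured from a real auditd); the nested
# PAM message body is omitted so each line splits cleanly on whitespace.
FLAT_RECORD = (
    "type=USER_ACCT msg=audit(1700000000.123:42): pid=1234 uid=0 auid=1000 "
    'ses=3 exe="/usr/bin/sudo" res=success '
    "key=ids-file-high,sox-fault-med,actual_key"
)
INDEXED_RECORD = (
    "type=USER_ACCT msg=audit(1700000000.123:43): pid=1234 uid=0 auid=1000 "
    'ses=3 exe="/usr/bin/sudo" res=success '
    "key[0]=ids-file-high key[1]=sox-fault-med key[2]=actual_key"
)
UNKEYED_RECORD = "type=USER_ACCT msg=audit(1700000000.123:44): pid=1234 uid=0 key=(null)"

_INDEXED_KEY = re.compile(r"^key\[(\d+)\]$")


def parse_record(line):
    """Split one audit line into name=value fields (first '=' wins, quotes stripped)."""
    fields = {}
    for token in line.split():
        name, sep, value = token.partition("=")
        if sep:
            fields[name] = value.strip('"')
    return fields


def extract_keys(fields):
    """Return every rule key on the record, whichever of the two layouts was used."""
    if "key" in fields:
        # flat layout: one field, identifiers separated by commas
        raw = fields["key"]
        if raw == "(null)":
            return []
        return [k for k in raw.split(",") if k]
    # indexed layout: key[0]=..., key[1]=..., returned in index order
    indexed = []
    for name, value in fields.items():
        m = _INDEXED_KEY.match(name)
        if m:
            indexed.append((int(m.group(1)), value))
    return [value for _, value in sorted(indexed)]


def naive_first_field_match(line, prefix):
    """The shortcut the message warns against: only inspect the start of key=."""
    return parse_record(line).get("key", "").startswith(prefix)


class KeyRouter:
    """Dispatch records to consumers by the identifier prefix of each key."""

    def __init__(self):
        self._consumers = {}  # prefix -> consumer name (hypothetical plugins)

    def register(self, consumer, prefix):
        self._consumers[prefix] = consumer

    def route(self, line):
        """Map consumer name -> list of its matching keys; unrelated keys are ignored."""
        hits = defaultdict(list)
        for key in extract_keys(parse_record(line)):
            for prefix, consumer in self._consumers.items():
                if key.startswith(prefix):
                    hits[consumer].append(key)
        return dict(hits)


if __name__ == "__main__":
    router = KeyRouter()
    router.register("ids", "ids-")
    router.register("sox", "sox-")
    for record in (FLAT_RECORD, INDEXED_RECORD, UNKEYED_RECORD):
        print(router.route(record))
    # Only the first identifier is visible to a start-of-field check.
    print("naive sox- match on flat record:", naive_first_field_match(FLAT_RECORD, "sox-"))
```

Both layouts route identically, and the admin's own "actual_key" passes through untouched because no consumer claims its prefix; the naive check finds ids- but not sox- on the flat record, which is exactly the per-comma scan the message says every plugin would otherwise have to do itself.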
