New Open Source Intrusion Detector Suricata Released
richrumble writes "The OISF has released the beta version of the Suricata IDS/IPS engine: The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field. This new Engine supports Multi-Threading, Automatic Protocol Detection (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB!), Gzip Decompression, Fast IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU cards."
This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
Sweet! What are some examples of things this does that no other solution provides?
While there is some information available on the site, it's still pretty sparse. Is this a whole framework? They refer to an engine, but do they mean a detection engine or also a correlation engine? This area really needs more open source innovation; commercial solutions are ridiculously expensive for small / mid-sized companies, and the only "complete" IDS option I know of for the moment is Ossim (which has extremely lacking documentation).
That is interesting to me. CUDA can easily provide parallelization of bulk mathematical operations, but it's notoriously weak with conditional logic. Are they doing a whole lot of math on the side -- perhaps with some fancy anomaly-detection algorithms that work by clustering packet attributes in multidimensional spaces, or approximate nonnegative matrix factorization, or such?
The World Wide Web is dying. Soon, we shall have only the Internet.
I thought that the "Open Source Intrusion Detector" spotted intrusions of open source software in the company. I'm sure that Microsoft would have loved to have one of those for the Windows 7 USB/DVD download tool.
Maybe I'm missing something, but as someone who has worked with the techniques referenced in the parent post, I'm not sure where the funny mod came from. Both clustering packet attributes and nonnegative matrix factorizations could be used for anomaly detection. And as someone who has also worked on CUDA a good bit, I think both of those problems have solutions that fit CUDA's concurrency model.
I get the impression that the mods saw big words and assumed this was a joke about buzzwords, but in fact that's a reasonable approach to this problem.
Since the original site is slashdotted, some more info can be read here.
You are. Your IDS was incredibly poorly-tuned, a very common problem in IT. First guideline: turn off signatures for anything that you're not running. It makes no sense to watch your inbound traffic for Windows signatures if you run Apache on RHEL. If all you have are web servers and they do only HTTP, there's no reason to watch for SMTP.
Making the move to IPS is always tricky. You have to figure out what level of false positives you're willing to accept. If it's zero, well, you don't need an IPS. But odds are that you will come across some strange but innocuous traffic that the IPS doesn't like, and it trips a rule and blocks the traffic.
In addition, you need to get the hardware for the solution. A server-based Snort solution works well for low-bandwidth scenarios, but at most hosting providers, you need a dedicated appliance solution built on ASICs. If you like Snort, you go to Sourcefire. Otherwise, you find solutions from McAfee (Intrushield), Tipping Point, IBM, etc. They have boxes that scale into the gigabit-per-second range, with latencies under 1ms in most cases, and there are a few true-10Gbps solutions out there now. Yes, they can be quite expensive, but the low-end systems (essentially highly-tuned servers) can start at as low as a few thousand dollars.
But in any case, rule tuning is an ongoing item, and anyone that tells you that an IDS/IPS will reduce your time requirements is probably trying to get you to sign a contract. It can reduce overall time requirements by alerting you early in the attempt to compromise a system and save you all the time of recovery, but that is not a certain thing.
You can never go home again... but I guess you can shop there.
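The tuning guideline in the post above (disable signatures for protocols, ports and platforms you do not run) can be applied mechanically to a Snort/Suricata-syntax rule file. This is an added example, not code from Suricata or from any commenter; the rules, sids and the `Policy` / `APACHE_ON_RHEL` names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample rule set in Snort/Suricata syntax; sids are placeholders, not real signatures.
SAMPLE_RULES = """\
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"WEB Traversal attempt"; content:"/..%2f"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY probe"; content:"VRFY"; sid:1000002; rev:1;)
alert smb $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB share enumeration"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; sid:1000004; rev:1;)
# local override rules go below this line
"""

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(?:->|<>)\s+"
    r"\S+\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')

@dataclass(frozen=True)
class Policy:
    protos: frozenset       # transport + app-layer protocols the hosts actually speak
    ports: frozenset        # destination ports / port variables worth watching
    msg_blocklist: tuple    # msg substrings for platforms not deployed (e.g. IIS on RHEL)

# Hypothetical site from the post: Apache on RHEL, HTTP only.
APACHE_ON_RHEL = Policy(
    protos=frozenset({"ip", "tcp", "http"}),
    ports=frozenset({"any", "80", "443", "$HTTP_PORTS"}),
    msg_blocklist=("IIS", "Windows", "Exchange"))

def disable_reason(line, policy):
    """Return why a rule should be disabled under `policy`, or None to keep it."""
    m = RULE_RE.match(line)
    if not m:
        return None                                   # comment/blank: leave as-is
    if m.group("proto").lower() not in policy.protos:
        return "protocol " + m.group("proto")
    dport = m.group("dport")
    if dport not in policy.ports and not dport.startswith(("[", "!")):
        return "port " + dport                        # port lists/negations are kept
    msg = MSG_RE.search(m.group("opts"))
    hit = next((k for k in policy.msg_blocklist if msg and k in msg.group(1)), None)
    return "msg mentions " + hit if hit else None

def tune_rules(text, policy):
    """Comment out rules that do not apply; return (new text, sorted disabled sids)."""
    out, disabled = [], []
    for line in text.splitlines():
        why = disable_reason(line, policy)
        if why:
            sid = SID_RE.search(line)
            disabled.append(int(sid.group(1)) if sid else -1)
            out.append("# disabled (" + why + "): " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n", sorted(disabled)
```

Running `tune_rules(SAMPLE_RULES, APACHE_ON_RHEL)` keeps only the generic HTTP rule and comments out the SMTP, SMB and IIS-specific ones, with the reason recorded inline so the decision can be audited later.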