The following items are available only in the piwi-0-9 branch:
  - use of libpreludeDB instead of direct DB access, to make DB changes easier

Features :

  - Attacker details : via command-line tools or perl modules (nmap, whois, ...)

  - Top attacks for TCP, UDP, ICMP (level 4) by Port/Type

  - User profiles with rights management / auth: (started)
      . each user has their own filters
      . many more to come (if you have some ideas ...)

  - daily/monthly/whatever statistics (number and distribution of attacks) => Daniel Polombo (from ML, 10/2002), started
  - In AlertDetails, make every http and mail link clickable => Vincent Glaume (prelude IRC chan)
  - LML ruleset editor, being able to build a .rules file from scratch (me)
  - service discovery with on-the-fly filter creation via NMAP (me)

Coding :
  - better checking of user inputs to improve security and avoid code injection
  - better/cleaner code that would also work under Apache::Registry (CGI and Apache::PerlRun only for now)
  - cache name resolutions to speed things up a bit (girona's idea)
  - better documentation, with a FAQ as questions arrive; switch to another format
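The "better checking of user inputs" item above is about keeping request parameters away from shell commands (the nmap/whois lookups) and SQL. The following is an added example, not piwi's own code: a whitelist validator per parameter under Perl taint mode, where only the regex captures of a value that matched the expected shape are released for use. The parameter names (ip, port, filter) and the whois command wrapper are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example (not piwi's own code): whitelist validation of CGI
# parameters under taint mode (-T). A tainted value can only be untainted
# through a regex capture, so each validator returns captures, never the
# raw input, and a value that does not match the expected shape is rejected.
use strict;
use warnings;

# One validator per known parameter; each returns the cleaned value or undef.
# Parameter names are assumptions for this example, not piwi's real ones.
my %validators = (
    # IPv4 dotted quad, every octet in 0..255
    ip => sub {
        my ($v) = @_;
        return unless defined $v
            && $v =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
        my @oct = ($1, $2, $3, $4);            # captures are untainted
        return if grep { $_ > 255 } @oct;
        return join '.', @oct;
    },
    # TCP/UDP port number 1..65535
    port => sub {
        my ($v) = @_;
        return unless defined $v && $v =~ /\A(\d{1,5})\z/;
        return ($1 >= 1 && $1 <= 65535) ? $1 : undef;
    },
    # Filter name: ASCII letters, digits, underscore and dash, at most 32 chars
    filter => sub {
        my ($v) = @_;
        return unless defined $v && $v =~ /\A([A-Za-z0-9_-]{1,32})\z/;
        return $1;
    },
);

# validate_params(\%raw) -> (\%clean, \@errors)
# Unknown parameters are errors too: nothing reaches the application that
# was not explicitly expected.
sub validate_params {
    my ($raw) = @_;
    my (%clean, @errors);
    for my $name (sort keys %$raw) {
        my $check = $validators{$name};
        if (!$check) { push @errors, "unknown parameter '$name'"; next }
        my $ok = $check->($raw->{$name});
        if (defined $ok) { $clean{$name} = $ok }
        else            { push @errors, "bad value for '$name'" }
    }
    return (\%clean, \@errors);
}

# Build the external command as a list, never as one interpolated string:
# list-form system()/open() bypasses the shell, so even a value that slipped
# through validation could not become a second command.
sub whois_command {
    my ($clean) = @_;
    return unless exists $clean->{ip};
    return ('whois', $clean->{ip});    # pass to system(@cmd) or open(..., '-|', @cmd)
}

# Constructed sample input standing in for CGI->param() values.
my %raw = (
    ip     => '192.0.2.10',
    port   => '80',
    filter => 'web; rm -rf /',         # shell metacharacters are rejected
);
my ($clean, $errors) = validate_params(\%raw);
print "clean: $_=$clean->{$_}\n" for sort keys %$clean;
print "error: $_\n" for @$errors;
my @cmd = whois_command($clean);
print "would run: @cmd\n" if @cmd;
```

Run it as `perl -T validate.pl` (or execute the file directly so the shebang's -T applies); `perl validate.pl` stops with "Too late for -T". Under Apache::Registry or Apache::PerlRun the same validators can be called once per request, with the cleaned hash being the only thing the rest of the handler sees.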

============================================================================

Alert Annotation :

<mboman> first off, there would be a need of supporting analyst-given scores..
<mboman> or categorization
<mboman> a simple 10-category scheme where analysts can file the alerts is needed to start with..
<LeRoutier> oh, alert score, not the existing attacker score crap
<mboman> the categories are: root/admin account compromise, user account compromise, attempted account compromise, misusage of service, attempted misusage of service, denial of service, poor security or policy violation, reconnaissance, virus activity and finally No Action (ie: false positive, or access authorized)
<mboman> LeRoutier: well, it is an attacker scoring.
<mboman> i'll come to that ;)
<mboman> anyway, based on previous analyst-categorization of alerts we can determine if the particular IP/net is hostile
<mboman> just relying on raw data is not enough, because then our office would be the main attacker to our servers as we login to them, mostly as root..
<mboman> so there is a need to verify and classify the raw alerts for what they really accomplished
<LeRoutier> mboman: depends on your NIDS policy : catch everything including crap (attacks on products you don't own like IIS when you have apache) or catch only attacks related to services/ports/applications running
<mboman> this is especially important when you don't delete alerts (we never delete any alerts for tracking purposes)
<LeRoutier> you surely have a big fat prelude DB so
<mboman> well, in the end I want to have all rules enabled, even the IIS attacks against Apache, as they are compromise efforts - not very good ones but still..
<mboman> it is the 'ip is up to no good' rating ;)
<LeRoutier> true, you really need a way to mark alerts as false positive if you use the catch all policy
<mboman> an IIS unicode exploit against apache, or a patched IIS, is still an attempted account compromise.. attempted as it failed, but still the attack is really real..
<mboman> which increases the 'ip is up to no good' score
<mboman> together with Nessus data you can (and we will) have a system that automatically "removes" the attacks that are not working, a'la IIS against Apache
<mboman> when I say "remove" i mean that the analysts will never see the attacks, but the score is increasing..
<mboman> also, based on previous categorisations it can learn how things are handled..
<mboman> like with robots.txt access..
<mboman> after a while the system should learn what access you are ignoring (ie: search engines) and what is treated as reconnaissance.

<yoann> you have to use the additional data field, with a "meaning" field that you recognise
<yoann> then in that field, you update on each comment
<yoann> something like the BTS:
<yoann> Posted by <login> <realname> <time GMT>:
<yoann> comment
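The discussion above sketches three pieces: analysts file each alert into one of ten categories, the verdict is stored as an additional-data entry with a recognisable "meaning" and a "Posted by <login> <realname> <time GMT>:" comment, and the per-source "ip is up to no good" score is computed from the verdicts rather than from raw alerts. The following is an added example, not piwi's or Prelude's own code; the alert hash layout, the additional-data meaning string `piwi-annotation`, and the per-category weights are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not piwi's own code): analyst categorisation stored as an
# alert annotation, and an "up to no good" score per source IP derived from
# those categorisations. Alerts are plain hashes here instead of DB rows.
use strict;
use warnings;
use POSIX qw(strftime);

# The ten categories from the discussion. The weights are illustrative
# choices made for this example, not values from the page.
my %weight = (
    'root/admin account compromise'     => 10,
    'user account compromise'           => 8,
    'attempted account compromise'      => 3,
    'misusage of service'               => 5,
    'attempted misusage of service'     => 2,
    'denial of service'                 => 6,
    'poor security or policy violation' => 1,
    'reconnaissance'                    => 1,
    'virus activity'                    => 4,
    'No Action'                         => 0,   # false positive / authorised
);

# annotate($alert, $login, $realname, $category, $text [, $epoch])
# Appends one comment in the "Posted by <login> <realname> <time GMT>:" form
# to an additional-data entry whose "meaning" marks it as an annotation, and
# records the category as the alert's current verdict.
sub annotate {
    my ($alert, $login, $realname, $category, $text, $epoch) = @_;
    die "unknown category '$category'" unless exists $weight{$category};
    $epoch = time unless defined $epoch;
    my $stamp = strftime('%Y-%m-%d %H:%M:%S', gmtime $epoch);
    my $entry = "Posted by $login $realname $stamp GMT:\n$text";
    $alert->{category} = $category;            # latest verdict wins
    push @{ $alert->{additional_data} },
        { meaning => 'piwi-annotation', data => $entry };   # meaning: assumed name
    return $entry;
}

# score_sources(\@alerts) -> { ip => score }
# Only categorised alerts count: raw, unreviewed alerts are not trusted, so
# the office's own root logins do not make it the top attacker.
sub score_sources {
    my ($alerts) = @_;
    my %score;
    for my $a (@$alerts) {
        my $cat = $a->{category};
        next unless defined $cat;
        $score{ $a->{source} } += $weight{$cat};
    }
    return \%score;
}

# suggest_category(\@alerts, $name) -> category or undef
# The simplest form of the "learning" mentioned above: when every earlier
# verdict on alerts with the same name agrees, propose that verdict again.
sub suggest_category {
    my ($alerts, $name) = @_;
    my %seen;
    for my $a (@$alerts) {
        next unless defined $a->{category} && $a->{name} eq $name;
        $seen{ $a->{category} }++;
    }
    my @cats = keys %seen;
    return @cats == 1 ? $cats[0] : undef;
}

# Constructed sample alerts (addresses from documentation ranges).
my @alerts = (
    { id => 1, source => '198.51.100.7', name => 'WEB-IIS unicode directory traversal' },
    { id => 2, source => '198.51.100.7', name => 'SCAN nmap TCP' },
    { id => 3, source => '192.0.2.2',    name => 'SSH root login' },
    { id => 4, source => '203.0.113.9',  name => 'robots.txt access' },
    { id => 5, source => '203.0.113.10', name => 'robots.txt access' },
);

annotate($alerts[0], 'mboman', 'M. Boman', 'attempted account compromise',
         'IIS exploit against Apache: failed, but still an attempt', 1034000000);
annotate($alerts[1], 'mboman', 'M. Boman', 'reconnaissance', 'port sweep', 1034000100);
annotate($alerts[2], 'mboman', 'M. Boman', 'No Action', 'office admin, authorised', 1034000200);
annotate($alerts[3], 'mboman', 'M. Boman', 'No Action', 'search engine crawler', 1034000300);
# alert 5 is left for the analyst; the suggestion comes from alert 4's verdict

my $score = score_sources(\@alerts);
printf "%-15s %d\n", $_, $score->{$_} for sort keys %$score;
my $hint = suggest_category(\@alerts, $alerts[4]{name});
print "suggested for alert 5: ", (defined $hint ? $hint : 'none'), "\n";
print "annotation on alert 1:\n$alerts[0]{additional_data}[0]{data}\n";
```

Keeping the verdict inside the alert's own additional data, as yoann suggests, means the categorisation travels with the alert through any export or DB migration; the score is recomputed from it rather than stored, so a corrected verdict changes the source's rating on the next run.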

============================================================================

HeartBeat :

<yoann> - automatic detection of the Delta
<LeRoutier> ah, remove the hardcoded 3600s
<yoann> that you must have the possibility to configure the delta in the config, but that by default, you detect it
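The exchange above asks for the heartbeat interval to be taken from an optional config value and otherwise detected from the heartbeats a sensor has already sent, instead of the hard-coded 3600s. The following is an added example, not piwi's own code: it takes the median gap between consecutive heartbeats as the delta and flags a sensor whose last heartbeat is older than the delta plus some tolerance. The function names, the 1.5 tolerance factor and the sample timestamps are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not piwi's own code): derive the heartbeat interval from a
# sensor's past heartbeats instead of a hard-coded 3600s, and report sensors
# whose latest heartbeat is overdue for that interval.
use strict;
use warnings;

# detect_delta(\@epochs, $configured) -> seconds, or undef if unknown
# A configured value always wins. Otherwise use the median of the gaps
# between consecutive heartbeats, so one late beat does not skew the result.
sub detect_delta {
    my ($epochs, $configured) = @_;
    return $configured if defined $configured;
    my @t = sort { $a <=> $b } @$epochs;
    return if @t < 2;                                # nothing to measure yet
    my @gaps = sort { $a <=> $b } map { $t[$_] - $t[$_ - 1] } 1 .. $#t;
    return $gaps[ int(@gaps / 2) ];
}

# check_sensor(\@epochs, $now, $configured, $tolerance) -> status string
# The tolerance factor (assumed 1.5 here) absorbs normal jitter before a
# sensor is declared missing.
sub check_sensor {
    my ($epochs, $now, $configured, $tolerance) = @_;
    $tolerance = 1.5 unless defined $tolerance;
    my $delta = detect_delta($epochs, $configured);
    return 'unknown (too few heartbeats)' unless defined $delta;
    my ($last) = sort { $b <=> $a } @$epochs;
    my $age = $now - $last;
    return $age > $delta * $tolerance
        ? sprintf('MISSING (last heartbeat %ds ago, expected every %ds)', $age, $delta)
        : sprintf('ok (delta %ds, last heartbeat %ds ago)', $delta, $age);
}

# Constructed sample: two sensors with different intervals. Both sent their
# last heartbeat 25 minutes ago; nids-1 beats every 10 minutes, so it is
# overdue, while lml-1 beats hourly and is fine. A fixed 3600s would have
# missed the dead nids-1.
my %heartbeats = (
    'nids-1' => [ map { 1034000000 + 600  * $_ } 0 .. 18 ],
    'lml-1'  => [ map { 1034000000 + 3600 * $_ } 0 .. 3  ],
);
my $now = 1034000000 + 10800 + 1500;

for my $sensor (sort keys %heartbeats) {
    printf "%-7s %s\n", $sensor, check_sensor($heartbeats{$sensor}, $now);
}
# Same check with a configured delta overriding detection:
printf "%-7s %s\n", 'nids-1', check_sensor($heartbeats{'nids-1'}, $now, 3600);
```

The last call shows the configured path from the discussion: passing 3600 as the delta makes nids-1 look healthy again, which is exactly why detection should be the default and the config value only an override.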

============================================================================