Intrusion Detection Systems were very much in demand over 10 years ago. The widely known Snort IDS software is a prominent tool. Other vendors have their own implementations and you can readily buy or download thousands of rules distributed in various rule sets. Cranking up the sensitivity will then easily give you more alerts than you will ever be able process sensibly. This is the mindset that settles once they hear „IDS“ or „IPS“. We don’t think this view is still true. That’s why Victor Julien and Eric Leblond, Open Information Security Foundation, will talk about Advances in IDS and Suricata at DeepSec 2011.
You have probably heard of Suricata, the next generation intrusion detection engine. Development of Suricata started in 2008 and war first released as stable in December 2009. Past DeepSec conferences featured talks with feedback sessions where the developers asked for features wanted by the security community. Despite rumours Suricata is not a rewrite of Snort. While Suricata can parse Snort rule configurations you have additional features that you can deploy. Hardware acceleration is in the pipeline, and Victor and Eric will focus on SSL/TLS parsers and keywords and HTTP file carving. Both SSL/TLS and HTTP are widespread. Nearly every security administrator has to deal with these protocols and their data transmissions. Naturally inspection of flow containing SSL/TLS and HTTP are on top of the list of requirements (or at least on top when writing wish lists to Santa Claus).
Both Victor and Eric are active developers within the Suricata project, so you get information about this IDS tool first hand.
This talk is important for anyone wishing to improve the radar and maybe even chasing APTs or other covert and not very covert network activity.