Ethereal-dev: Re: [ethereal-dev] Random raw thoughts, automatic problem diagnosis
On Mon, 07 Feb 2000, Richard Sharpe wrote:
> With a packed decode engine that is decoupled from display, a la dencode as
> I proposed some time ago, and have made some progress on, one could build a
> simple expert system that could do some automatic fault diagnosis by
> looking for patterns of packets etc ...
>
Sounds kinda like an IDS... the "snort" guys are up to good things in that
area... much more flexible rule writing and responses. Go Marty!
HP calls this feature "commentators" on their Internet Advisor expert system.
Essentially rule checks triggered off decodes... that comment on network
events and critical faults observed. Which is essentially what snort tries to
do in real-time.
I would love to do something... maybe like Max Vision's arachnids database,
that is a public database of good troubleshooting heuristics... network states
that led to diagnosing a problem... so that it can be automated.and be extended
beyond simple intrusion detection to over all network health and integrity.
If anyone has any of these I would be glad to try to code them as snort rules
or ethereal output processing. So submit your problem stories/solutions here...
I'll publicly post the derived info. If I get a couple or enough to build some
critical mass, I'll build a web page for it at dursec.
The idea would be to learn from others experience and try to automate
that experience into software. Though I advise realism... there have been
a lot of people chasing this AI troubleshooter grail for quite a while now
and it's proven more elusive than anyone has liked. The magic that eludes
is the technical experience....but this is one area where the open source
model has numerous advantages in.
--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com