From: tuna
Subject: Re: Distributed Intrusion Detection System in Cloud Computing
Date: Fri, 22 Nov 2013 04:49:36 +0700
To: users@cloudstack.apache.org
Message-Id: <94939F47-A9AD-42C6-A79A-F7872E569B39@gmail.com>

Hi guys,

Just take a look at Suricata. It's very nice. I took a chance to implement Snort as another SystemVM in CloudStack. That SystemVM worked well, but Snort was terrible. Will try with Suricata.

Thanks,

On Nov 21, 2013, at 23:07, Robert Bruce wrote:

> Sir Santhosh,
>
> I am very grateful to you for your help. According to your recommendation, I have studied about Suricata and concluded that it is a much better NIDS for use in cloud environment. It is well developed and well documented.
>
> Well, actually, I want to detect distributed intrusions in cloud for which I would have to utilize the correlation module of aforementioned NIDS. Can you please guide me which would be the appropriate approach, like some algorithm or a set of parameters to modify the rules in Suricata.
>
> Thanking you in anticipation!
>
> Best Regards,
> Robert
>
>
> On Mon, Nov 18, 2013 at 9:58 AM, Santhosh Edukulla <santhosh.edukulla@citrix.com> wrote:
>
>> Robert,
>>
>> 1. Snort engine has its various limitations, unless we have reservations to use it. Instead, we can go with Suricata.
>>
>> 2. Suricata is multithreaded against Snort, which is single threaded. Performance is one big issue with Snort.
>>
>> 3. Snort works under dual license mode, controlled by its parent company Sourcefire, which releases signatures after two weeks (or so) as to community releases, and sometimes the releases and development features of Snort are as well controlled by them with no signatures for new and zero day detections. In NIDS space, I heard that Suricata has a lot of support in terms of signature development.
>>
>> 4. Snort purely works on PCRE rule parsers; the protocol state machine and as well inline engine support for Snort is relatively not advanced. It adds a lot of performance drain during its preprocessing cycle. For IPS\IDS, you may want to add threat detection based not only on signatures and rules. You may also be interested in DOS, DDOS and various other traffic profile and behavioral aspects of IPS. It lacks in these aspects relatively.
>>
>> 5. Added with it, if you wanted to add multiple IPv6 packet processing, Snort sometimes eats up the heap crazily.
>>
>> 6. Adding a new extension to Snort, EX: APPID detection, is equally not easy. The engine structure for Suricata assumably is far better to add new plugin addition, EX: APP detection at various layers.
>>
>> 7. If you wanted to do packet processing and detection using single pass, then Snort would not be any option, nor do I believe it supports it. State machine for Snort during session based protocols was not much supported or may require addons to support it by default. Advanced evasions, new app threat detection in Snort, EX: evading js exploits in pdf files, relatively requires new protocol and app detection. For traditional IDS, you may want to consider Snort; instead I would recommend Suricata.
>>
>> Thanks!
>> Santhosh
>> ________________________________________
>> From: Robert Bruce [precious.king123@gmail.com]
>> Sent: Monday, November 18, 2013 10:18 AM
>> To: users@cloudstack.apache.org
>> Subject: Re: Distributed Intrusion Detection System in Cloud Computing
>>
>> Hello everyone!
>>
>> I want to develop a Signature Based Distributed Intrusion Detection System (DIDS) to detect distributed intrusions in Cloud environment.
>> Yes, I intend to deploy it in CloudStack.
>>
>> I want to modify the correlation module to enhance detection capability already being provided by Snort.
>> Can you please help me in selection of a good technique to improve correlation module?
>>
>> Thanks and Regards,
>> Robert
>>
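Robert's question in the quoted thread is how a correlation module for a distributed NIDS might work. The block below is an added example, not code from this thread, from Suricata, Snort or CloudStack: a minimal correlator that pools Suricata EVE JSON alert lines from several sensors and promotes a group of alerts to one "distributed" event when the same source address triggers the same signature on two or more sensors against two or more guests inside a time window. It assumes every sensor emits Suricata's optional `host` field (the configured sensor name); the sensor names, addresses, signature IDs and log lines are constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Suricata writes EVE timestamps like 2013-11-21T13:40:01.000000+0000.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def _eve(ts, host, src, dst, sid, sig, event_type="alert"):
    """Build one constructed EVE JSON line in Suricata's alert layout.
    `host` is Suricata's optional sensor-name field (assumed set on every sensor)."""
    rec = {"timestamp": ts, "event_type": event_type, "host": host,
           "src_ip": src, "dest_ip": dst, "proto": "TCP"}
    if event_type == "alert":
        rec["alert"] = {"signature_id": sid, "signature": sig, "severity": 2}
    return json.dumps(rec)


# Constructed sample: one source sweeps guests behind three sensors within a few
# minutes (a pattern no single sensor sees as a whole), plus noise the
# correlator must leave alone: a single-sensor alert, a non-alert flow record,
# an alert well outside the window, and a malformed line.
SCAN_SIG = (9000001, "CONSTRUCTED SCAN sample rule")
SAMPLE_EVE_LINES = [
    _eve("2013-11-21T13:40:01.000000+0000", "sensor-pod1", "203.0.113.7", "10.1.1.10", *SCAN_SIG),
    _eve("2013-11-21T13:41:15.000000+0000", "sensor-pod2", "203.0.113.7", "10.1.2.20", *SCAN_SIG),
    _eve("2013-11-21T13:41:00.000000+0000", "sensor-pod2", "198.51.100.9", "10.1.2.20",
         9000002, "CONSTRUCTED single-sensor noise"),
    _eve("2013-11-21T13:42:30.000000+0000", "sensor-pod3", "203.0.113.7", "10.1.3.30", *SCAN_SIG),
    _eve("2013-11-21T13:43:00.000000+0000", "sensor-pod1", "203.0.113.7", "10.1.1.11", *SCAN_SIG),
    _eve("2013-11-21T13:43:05.000000+0000", "sensor-pod1", "203.0.113.7", "10.1.1.11",
         None, None, event_type="flow"),
    _eve("2013-11-21T14:30:00.000000+0000", "sensor-pod1", "203.0.113.7", "10.1.1.12", *SCAN_SIG),
    "{this line is not valid json",
]


def parse_alerts(lines):
    """Parse EVE JSON lines and keep only alert records with the fields the
    correlator needs. Malformed lines and non-alert event types (flow, dns,
    http, ...) are skipped rather than failing the whole batch."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        try:
            alerts.append({
                "ts": datetime.strptime(rec["timestamp"], EVE_TS_FORMAT),
                "sensor": rec.get("host", "unknown-sensor"),
                "src_ip": rec["src_ip"],
                "dest_ip": rec["dest_ip"],
                "sid": rec["alert"]["signature_id"],
                "signature": rec["alert"]["signature"],
            })
        except (KeyError, ValueError):
            continue
    return alerts


def correlate(alerts, window=timedelta(minutes=5), min_sensors=2, min_targets=2):
    """Group alerts by (src_ip, signature_id), then walk each group in time order.
    A cluster of alerts whose span fits inside `window` is reported as one
    distributed event when at least `min_sensors` distinct sensors saw the
    same source hit at least `min_targets` distinct guests. Returns events
    sorted by first_seen."""
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src_ip"], a["sid"])].append(a)

    events = []
    for (src_ip, sid), group in groups.items():
        group.sort(key=lambda a: a["ts"])
        i = 0
        while i < len(group):
            # Extend the cluster from alert i as far as the window allows.
            j = i
            while j + 1 < len(group) and group[j + 1]["ts"] - group[i]["ts"] <= window:
                j += 1
            cluster = group[i:j + 1]
            sensors = {a["sensor"] for a in cluster}
            targets = {a["dest_ip"] for a in cluster}
            if len(sensors) >= min_sensors and len(targets) >= min_targets:
                events.append({
                    "src_ip": src_ip,
                    "sid": sid,
                    "signature": cluster[0]["signature"],
                    "first_seen": cluster[0]["ts"],
                    "last_seen": cluster[-1]["ts"],
                    "sensors": sorted(sensors),
                    "targets": sorted(targets),
                    "alert_count": len(cluster),
                })
            i = j + 1  # each alert belongs to exactly one cluster
    events.sort(key=lambda e: e["first_seen"])
    return events


if __name__ == "__main__":
    for ev in correlate(parse_alerts(SAMPLE_EVE_LINES)):
        print(f"{ev['src_ip']} sid={ev['sid']} sensors={ev['sensors']} "
              f"targets={ev['targets']} alerts={ev['alert_count']} "
              f"{ev['first_seen'].time()}..{ev['last_seen'].time()}")
```

On the constructed input only the 203.0.113.7 sweep is promoted: the single-sensor alert, the flow record, the alert an hour later and the malformed line all fall away. The window, sensor and target thresholds are the "set of parameters" a deployment would tune; the grouping key is where a Suricata-specific rule set would plug in, for example by correlating on a signature's class type rather than its exact ID.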