Wednesday, March 03, 2004

Shoki News

I have not yet tried the Shoki open source intrusion detection system, but I have been in contact with its author, Stephen Berry. I asked if he planned to augment Shoki to allow logging to a flat text file, and Stephen added the feature in the latest interim release of shoki (shoki-0.3.0.1078134186). I also asked him about forthcoming releases:

"All of the interim releases are the result of me merging the stuff in my development tree with the stuff in my release tree. Once that's all done (Real Soon Now), I'll release that as the `official' 0.3.0 release.

After that, I'm planning on incorporating a bunch of other stuff that I've been working on: a formal grammar for linking events (i.e., signature matches), vulnerabilities (i.e., things found in Nessus reports), doctrines (those funny things covered in Section 2.2 of the Shoki User's Manual), and threat models (which aren't currently part of shoki); and some data handling tweaks for scaling (mostly distributed analysis stuff).

I started implementing this stuff when I sat down to rewrite the shoki code (several months ago). Then I realised that it was really going to take a while to get the new stuff into shape, and it had -already- been several months since my last update. So I decided to postpone releasing the really new, wild stuff in favour of getting the reimplemented-but-mostly-like-0.2.x stuff released.

So: 0.3.0 is intended to do more or less the same sorts of things as 0.2.x, only with the new (cleaner, faster, easier-to-use) code. After I get that out, there may be 0.3.x bugfix releases, but the next major release (which should include the distributed analysis stuff and the grammatical stuff) will -probably- be the 1.0 release."

I plan to give Shoki a try in the coming weeks.
