Thread: [Secureideas-base-devel] [Fwd: RE: BASE 1.0 Release]
From: Kevin J. <kjo...@se...> - 2004-12-09 01:20:41
Before I write back to this guy, I wanted to make sure that the last email from him didn't change anything.... It didn't for me.

Kevin

-----Forwarded Message-----
> From: Ophir Rachman <op...@se...>
> To: 'Kevin Johnson' <kjo...@se...>
> Subject: RE: BASE 1.0 Release
> Date: Wed, 08 Dec 2004 15:21:33 -0800
>
> Kevin,
> Just checking if you got this email. You never know with mail filters these
> days. Give a sign if you got it and I will be happy to see where you stand.
> Thx, Ophir
>
> Ophir Rachman
> Securimine Software Inc.
> op...@se...
>
> -----Original Message-----
> From: Ophir Rachman [mailto:op...@se...]
> Sent: Thursday, December 02, 2004 10:21 AM
> To: 'Kevin Johnson'
> Subject: RE: BASE 1.0 Release
>
> Hi Kevin,
> Thx for the quick response. All your concerns are valid so let's try to make
> progress on all fronts.
>
> 1. Real time monitoring: if I had to start SFS again I would do the real
> time first and later the offline reports. I think real time is what people
> are looking for and therefore I suggested to do this. We can do real time +
> offline reports but it might be wise to start slow and see the feedback.
>
> 2. BASE vs. SFS (complementary or competition): I don't know what are your
> directions in BASE, but as it stands today, the capabilities are
> complementary. You mentioned you are planning to move into real time
> analysis too, but as far as I see, the BASE analysis is not based on data
> mining and behavioral modeling. This is the SFS side. If BASE is planning to
> move into the data mining and anomaly detection area then the whole thing
> does not make sense. I didn't think this is the direction since the whole
> BASE architecture is not designed for that (believe me, PHP is not for data
> mining algorithms ...).
>
> More than that, even if BASE will have real time monitoring of the Snort
> alerts, then SFS will be another 'view' of the real time alerts. I don't see
> it as a conflict.
>
> 3. Licensing: Assume SFS is an engine that has a configuration file that
> looks like:
> #---------------------------------------------------------
> #How many days the behavioral model represents
> ModelScope 30
> #Frequency of model rebuilds (in days)
> ModelRebuildFrequency 10
> #How many alerts should be viewed in the monitor
> AnalysisWindow 3
> #Database connectivity specs....
> Host
> Database
> Schema
> User
> Password
> #---------------------------------------------------------
>
> The SFS engine is an independent service/daemon that runs its modeling and
> analysis according to this configuration file and writes the results into a
> database.
>
> Now you can consider SFS as a separate 'product' and separate license. The
> license will allow free use inside the BASE project only. If others take
> BASE and modify it (like you did to ACID) they will need to disable the SFS
> component (this should be easy enough).
>
> 4. Integration: if you consider the structure above, you need very minimal
> integration - no code sharing and it does not matter how SFS is written
> (pure C BTW). The only integration is the database and the config file. SFS
> is updating a database table(s) with the real time analysis results, and the
> BASE code presents the information as part of the BASE front end.
>
>
> I hope this goes in the right direction,
> Regards,
> Ophir
>
>
> Securimine Software Inc.
> op...@se...
> -----Original Message-----
> From: Kevin Johnson [mailto:kjo...@se...]
> Sent: Wednesday, December 01, 2004 9:59 PM
> To: op...@se...
> Subject: RE: BASE 1.0 Release
>
> Hi-
>
> I have forwarded your email on to the other developers and we have
> discussed it. Please see our responses below.
>
> On Tue, 2004-11-30 at 21:31, Ophir Rachman wrote:
> > Kevin,
> >
> > Sorry for the time it took me - the long holidays make me slow :-)
>
> Not a problem, I didn't expect this until later anyways.
>
> > I saw you downloaded SFS and hopefully you had a chance to see what
> > it is about.
>
> I have not had time to install it yet. The holidays have been busy.
>
> > I thought about the integration project quite a bit and I have a
> > direction that will make the result attractive and simple.
>
> We have also thought about it, and we don't see it as a simple thing.
> It seems that the mixture of a GPL application with a closed source
> application should be approached as the complex marriage that it is.
>
> > Roughly speaking, SFS today is an offline tool; one has to manually
> > run an analysis and wait for the results. Real time analysis will make
> > it much more attractive and I think this should be the integration
> > basis.
>
> Does this mean that you would not want to use the rest of the analysis
> engine from SFS within BASE? Or that the RTA is the main thing used?
>
> > Assume for example we are targeting BASE 2.0. I am sure the BASE team
> > has a lot planned but from the integration perspective the feature we
> > can offer is Real time behavioral analysis of alerts.
>
> I am not clear on this. If you do not currently have real time
> analysis, how would we plan on adding it without sharing code?
>
> > Without getting into details, BASE 2.0 will have a 'Real time
> > analysis' page/module that initially will be empty and will state
> > something like "to enable real time analysis a Behavioral Model has to
> > be created". If the user selects to do so he/she can create a model
> > and from that moment on SFS will update the model and will perform the
> > analysis.
>
> Would this then replace the analysis module of BASE?
>
> > On our side this is actually a lot to do:
> >
> > - Port the engine to Linux (we will support only Windows and Linux at
> > first stage) - this is not that trivial.
>
> What language are you using to build this? This becomes important with
> my questions later.
>
> > - Develop the real time module (far from trivial).
>
> Real time analysis is common within IDS software. The BASE team is
> planning on making BASE more of a real time engine already. How would
> this be different?
>
> > - Probably some more that I can't think of right now.
> >
> > On your side as I see it the integration requires:
> >
> > - Write the front end UI
>
> The UI exists unless this requires a different interface than what
> already exists.
>
> > - Integrate SFS in the BASE installation
>
> I think this is where most of our questions revolve. BASE is a PHP
> application. As such there are limited ways to tie it into another
> application. PHP extensions, Apache modules, PHP code or a listener
> that talks SOAP or a proprietary protocol are just a few that come to
> mind. This is also important because we are a volunteer effort.
> Because of that we need to ensure that we understand the work effort
> before agreeing to something since we need to dedicate the group.
>
> > - Yes, probably more here too.
>
> Probably quite a bit.<g>
>
> > There are some business issues that we need to take care of:
> >
> > - License: as I see it the best way to go is simply have a separate
> > license for the SFS engine and Securimine will authorize BASE to use
> > this product.
>
> By use, does this mean we could ship it with our project? And what
> about other projects, such as NST, that make use of BASE within their
> application? As a GPL project we can not prevent them from doing this;
> we would just need to know if they could also use SFS. Also what
> happens if Securimine goes out of business or decides you don't need
> BASE? Do we get access to source to continue to use the version we have
> at that time? Do we have a license that protects us and the users of
> our system integrated with yours?
>
> > - SFS recognition: one of our purposes is to get recognition in the
> > market. There are some things that we will ask for:
> >
> > 1. Adequate mentions in the product and online documentation
>
> I am not sure what adequate would be. Obviously if we are using the SFS
> system, we would document that we were and how the user made use of it.
> Would you require specific advertising and/or provide the documentation
> of SFS?
>
> > 2. In the product have something like 'Powered by SFS' in a good
> > spot
>
> It sounds like only the RTA would be powered by SFS?
>
> > 3. The real time analysis module can have BASE Look&Feel, but it
> > should be obvious that this is a 'separate module' and should have SFS
> > related headers.
> >
> > I am not sure about all the details (perhaps it is too much, perhaps
> > it is too little) but what is dangerous for us is that SFS technology
> > will be recognized as a 'feature' instead of a 'product/solution'.
>
> It sounds like you would be a "feature".
>
> > OK, that is what I have for now,
> >
> > Any thoughts are welcome,
> >
> > Regards,
> >
> > Ophir
>
> I guess I need to explain a little more. When I first talked to you, it
> sounded like the two projects could benefit each other. And I still
> believe there is potential for that. What we had asked for was a
> description of the technical integration between the products and what
> each product would be receiving by creating this "marriage". After
> reading this email and discussing it with the others, we are more
> confused as to both of those questions.
>
> First, the only feature that you talk about us integrating within BASE
> doesn't exist within your product. From the docs on your site, it seems
> that you have a behavioral analysis engine that would help within what
> we want to make of BASE. Instead of that, you discuss creating new and
> un-proven technology and somehow integrating it within our application,
> that is known and proven.
>
> Second, from your description, we as a team have no way of determining
> how much work we would be giving away and even if it is possible within
> the technology choices your company has made.
>
> Third, time lines and resources are not even discussed. Not only are
> you proposing a brand new technology within your application, but you
> are also discussing porting the entire application to another operating
> system. Does your company have the man power and money to do that or
> would you be looking to our volunteer group to assist?
>
> Fourth, and I believe most important, is what are both sides getting
> from this arrangement? The way I see it, this email outlines the
> following:
>
> Securimine receives:
> - Promotion within a popular and known open source application.
> - A proven technology to test out your idea and prove that you
>   have something to sell.
> - A volunteer work force to create the UI that you don't want to
>   create.
> - Further marketing when you decide you are ready to market SFS
>   or a derivative as a profit center.
>
> BASE project receives:
> - Nothing
>
> Is Securimine thinking about how to assist the BASE project? Is
> funding, donated hardware or software or even man power to assist in the
> work available to us?
>
> I hope that we can work these questions out, but if not, we don't
> currently see how this integration makes sense.
>
> We look forward to talking more with you,
>
> Kevin Johnson
> -------------------
> BASE Project Lead
> http://sourceforge.net/projects/secureideas
> http://base.secureideas.net
> The next step in IDS analysis!
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.799 / Virus Database: 543 - Release Date: 11/19/2004
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.805 / Virus Database: 547 - Release Date: 12/3/2004