Hi,

A new snapshot up in the usual place:

  www.scaramanga.co.uk/firestorm/firestorm-snapshot.tar.gz

Notable new code is the ability to index and query textual fields with firecat:

  $ firecat -q generator=ipfrag -f log foo.elog
  <... Lists all ip fragmentation alerts ...>

This uses the blazingly fast SkunkDB(tm) technology to do the query, so as you would expect, performance isn't going to be an issue (obviously it's not even measurable on the largest elog I have to hand, which is 36MB).

There are three more pieces left of the indexing and querying jigsaw:

1. API changes in the parser to conform to the 'new-index-interface' plan (see doc/new-index-interface for more info). This will mean the ability for queries like:

     ip.dst=192.168.0.0/24 and tcp.dport=ftp

2. Improved query scheduler supporting the following new features (all of which are actually almost trivial):
   o OR (as well as AND) queries
   o Negation (ip.dst!=foo)
   o Combinations of all of the above (this is the complex bit)
   o Sorting and limiting of results
   o Efficient parallelisation on SMP systems

3. Split out index creation. Create indexes in the GUI. Create, edit, load, save and execute queries in the GUI. Lots of GUI grunt work, basically.

Aside from that I have a mounting backlog of things to get through, lots of architectural and API changes which are grunt work. And the following notable tasks:

   o I have a new idea for the signature engine to make it go faster.
   o Catch up on snort rule compatibility, implementing the latest stuff.
   o Go further with the full protocol decode stuff (http/smtp/etc.)
   o Lots of stuff to finish in tcpstream.
   o Move logs around over the network.
   o Support elogs and indexes up to 16EB with individual indexes up to 2GB, and compression support etc etc...
   o Fancy stuff such as AIS, Neural Nets, Natural Language recognition.
God, that lot should bring us just about up to version 0.6.0, which, the way I'm feeling right now, could be version 1.0.0 if the GUI and network management (management of large sensor nets, key distribution, etc..) is up to it by then :) I may even be ready to hand over to someone else by that time if someone wants to take it on :)

</brain_dump>

--
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/scaramanga.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
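As an added illustration of the query semantics sketched above (field=value terms, CIDR matches, service names, negation, AND/OR combination, sorting and limiting), here is a small stand-alone evaluator in Python. It is not firestorm or firecat code; the alert records, the field names and the service-name table are constructed assumptions for the example.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed sample alerts standing in for records pulled from an elog.
# Field names follow the query syntax in the message (generator, ip.dst, tcp.dport).
ALERTS = [
    {"generator": "ipfrag",    "ip.src": "10.0.0.5", "ip.dst": "192.168.0.10", "tcp.dport": 21, "ts": 3},
    {"generator": "tcpstream", "ip.src": "10.0.0.6", "ip.dst": "192.168.0.20", "tcp.dport": 80, "ts": 1},
    {"generator": "ipfrag",    "ip.src": "10.0.0.7", "ip.dst": "172.16.0.3",   "tcp.dport": 21, "ts": 2},
    {"generator": "snort",     "ip.src": "10.0.0.8", "ip.dst": "192.168.0.30", "tcp.dport": 21, "ts": 4},
]
SERVICES = {"ftp": 21, "http": 80}  # assumed service-name table (think /etc/services)

TERM = re.compile(r"^\s*([\w.]+)\s*(!=|=)\s*(\S+)\s*$")

def compile_term(term: str) -> Callable[[Dict], bool]:
    """Turn 'field=value' or 'field!=value' into a predicate over one alert."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"bad term: {term!r}")
    field, op, value = m.groups()
    if "/" in value:                       # CIDR match, e.g. ip.dst=192.168.0.0/24
        net = ipaddress.ip_network(value, strict=False)
        match = lambda rec: ipaddress.ip_address(rec[field]) in net
    elif value in SERVICES:                # service name, e.g. tcp.dport=ftp
        match = lambda rec: rec[field] == SERVICES[value]
    elif value.isdigit():                  # numeric literal, e.g. tcp.dport=21
        match = lambda rec: rec[field] == int(value)
    else:                                  # plain string, e.g. generator=ipfrag
        match = lambda rec: rec[field] == value
    return (lambda rec: not match(rec)) if op == "!=" else match

def compile_query(query: str) -> Callable[[Dict], bool]:
    """OR of ANDs: 'a=1 and b=2 or c!=3'. 'and' binds tighter than 'or'."""
    disjuncts = [[compile_term(t) for t in re.split(r"\s+and\s+", clause)]
                 for clause in re.split(r"\s+or\s+", query)]
    return lambda rec: any(all(p(rec) for p in preds) for preds in disjuncts)

def run_query(query: str, alerts: List[Dict], sort_by: str = "ts",
              limit: Optional[int] = None) -> List[Dict]:
    """Filter the alerts, then sort and limit as the planned scheduler would."""
    pred = compile_query(query)
    hits = sorted((a for a in alerts if pred(a)), key=lambda a: a[sort_by])
    return hits[:limit] if limit else hits

if __name__ == "__main__":
    for hit in run_query("ip.dst=192.168.0.0/24 and tcp.dport=ftp", ALERTS):
        print(hit["generator"], hit["ip.src"], "->", hit["ip.dst"], hit["tcp.dport"])
```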