Everything inline.

OISF engine on ARM


Today I installed a QEMU virtual machine with the ARM architecture. I think ARM is becoming an interesting architecture as smartphones and many home routers use it. I was interested in seeing if our OISF engine would compile and run properly on it. So far it's going really well: compilation was without issue, all of our current 800+ unit tests ran successfully and it seems to run just fine. Too bad the virtual machine is so slow though…

OISF engine development update(2)


Another quick update on the development of the OISF engine. Overall development is going great. Basics like signature keywords, stream reassembly and IP defragmentation are nearing completion. Unified1 + Barnyard had already been working for quite some time, but now we also have unified2-compatible output. I've tested this with Barnyard2 and Sguil, and it works nicely.

We have the first versions of our new YAML-based configuration format checked in, a brand new logging API, midstream pickup support in our stream engine, native PF_RING support and many other additions.

OISF engine development update


The last month has been crazy busy. Development of the engine is progressing nicely. My own role has been assigning tasks to our coders, guiding them, reviewing their work, integrating it and of course writing code. We currently have nine people coding, not all full time though, and are still looking for more coders.

Progress has been made on a number of things: we have many more decoders, threading updates, a stats subsystem, stream tracking and reassembly, an L7 protocol parser framework and many more unit tests. We're working on OpenCL hardware acceleration, although we're running into driver issues, so it may take some time before that's usable.

DC meeting


So I just got back from Washington D.C. where we had our first public meeting for the OISF. I think it went very well as there were more people than expected. The attendees came from all parts of industry and government. Overall reception was very positive and we've gotten many offers of help in development and testing.

Around the public meetings we had private meetings with a number of companies and I'm very happy that three of them committed to the project already:

Twitter


I’ve finally given in to the hype and got an account on Twitter. I must say that so far I’m liking it more than I expected. It seems almost everyone from the infosec community is active on the service. I am updating it nearly daily about (among other things) the OISF development I’m doing.

If you’re interested follow me here: http://twitter.com/inliniac

OISF meeting in DC next July


We're doing a public OISF meeting in DC next July. Everyone that's interested, please show up! Here is the original announcement:

We'll be having a public forum and brainstorming session in Washington
DC on July 16th, 2009! This session will be a mix of technical and
political issues.

We encourage our current and potential consortium members, potential
users and resellers, as well as future end users to attend. We very much
want to hear from all in a discussion format what is most important to
you, and what you need to have in the next iteration of IDS. The
discussion on the lists has been great, but most often even better
things come to life when a lot of smart folks are in the same room at
the same time, as we've seen at our prior brainstorming sessions.

We'll be getting quite technical, but we'll also answer any and every
question about the politics, goals, and funding sources of the
foundation. We know this is a very strange situation we have, being
funded by DHS to create open source security software.

So please plan to attend, July 16th in Washington DC, at the SRI
Building in Rosslyn:
http://www.sri.com/contact/wdc.html

If you plan to or are rather sure you'll be there please drop an email
to Matt Jonkman, we need an approximate headcount for the
catering, provided courtesy of SRI.

If you can't make this one don't worry, we are planning similar meetings
through the development cycle on the west coast and in Europe. We want
to hear every idea we can get!

I'll be there personally, as will (most of) the rest of the team. Looking forward to meeting everyone there!

Quickdraw beta release


Besides creating a new IDS with the OISF project, I've been busy lately assisting Digital Bond with their Quickdraw project. The purpose of the project is to create a passive, network-based event logger for SCADA networks. Digital Bond has now released a first beta of the project here. Check it out!

Chicago


Next week I'll be in Chicago, IL for an OISF team meeting. We'll be discussing features, workflow, job applications, contractors, etc. I'll probably update my blog from there on the progress. If you're interested in OISF and/or you're around there, please let me know. Maybe we can try to meet up!

OISF bylaws draft up for comments


The OISF is a non-profit foundation and we've created a bylaws document to govern it that is now up for comments. See the announcement here. It's a draft, so if you have comments about it, please speak up soon so we can see if it needs to be adjusted!

One thing that excites me a lot is that it also specifies the OSS license we’re going to use: the GPLv3.

OISF is hiring


Funny how things go: not long ago I posted here that I was looking for (contract) work, today I’m posting that we’re looking for people to work for us at the OISF project :)

Anyway, have a look at Matt Jonkman’s announcement here.

If you’re interested or know someone that is, please contact us!
