Master thesis about NIDS - Architectural improvements to Suricata

Hello! My name is Jonas, and I’m going to write a master thesis about NIDS at the University of Bergen. I was given the option to write my own NIDS bottom-up or to find weaknesses in an existing implementation. The task will then be to improve where the weaknesses are apparent. By weaknesses, I mean architectural weaknesses.

Do you know of any weaknesses in Suricata or maybe some new features that could be interesting to implement and write about?

Thank you!

Hi Jonas,

To my knowledge, nobody is working on selective packet capturing of full packets/flows triggered by an alert. This can be a useful feature for both troubleshooting and understanding the traffic that fired the alert without enabling full packet capture on the sensor, which can be expensive to operate on busy network edges.

A more academic (novel) idea would be to find a way to hook machine learning into Suricata for anomaly detection and advanced model-based security analytics on existing artifacts. I am thinking of a module-based approach maybe, so that new models may be implemented and tested easily.

What is the estimated time period for a master thesis at UiB?

Check out this PR: https://github.com/OISF/suricata/pull/5291

One challenge is encrypted traffic. There are a lot of features to find. I would suggest you take a look at our Redmine https://redmine.openinfosecfoundation.org/ to see if there are any features that would fit your research.