Todd Heberlein

Developer of the original Network Security Monitor (NSM)

Jan 15, 1991 - String Matching and Transcripts

March 27, 2014

If you used NSM (UC Davis), ASIM (Air Force), JIDS (DISA), or NID (DOE) in the 1990s, two things you probably remember about the tools were their string matching and transcripts. Flipping through an old notebook the other day, I ran across a reference where these features were added to the code base: Jan 15, 1991.

I never bothered to publish this information in an academic publication because these features didn't seem very academic-y, but they sure were useful in detecting hackers and understanding what they were doing.

I also like a couple of other "to do" bullet points here, like

  • Development of a distributed NSM architecture
  • Study techniques for stalking hackers
  • Advise a network security officer of corrective measures in the midst of an attack

all pretty good ideas.

The second page shows how the string matches were used to increase (and decrease) warning values. This caused confusion later on and is worth its own blog post.
