Re: session logging IDS
From: David W. Goodrum (dgoodrum_at_nfr.com)
Date: Mon, 30 Aug 2004 18:04:51 -0400
To: Raj Malhotra <firstname.lastname@example.org>

Hmmmm, I would like verification that either Cisco or Intrushield (or
any other IDS/IPS) can actually capture an entire session from beginning
to end, when the alert was triggered somewhere in the middle, and that
they can do it all the time. Most Network IDS & IPS systems can capture
the offending packet. Many can capture the offending packet, PLUS the
rest of the session (which is what we at NFR do). I haven't seen any
that can guarantee capturing the entire session from beginning to end,
unless they were capturing EVERY session (regardless of whether
something bad happened in that session). Here's an example:

I log in via ftp. I stay logged in for 10 minutes, browsing around,
downloading some large benign files, but doing nothing bad. Then, I try
to get /etc/password. Boom, I trigger an alert. 10 minutes of packets
are long gone... potentially many, MANY megabytes of data have passed
during a single session. On a gigabit network, 10 minutes is an
EXTREMELY long time. Unless your IDS or IPS is recording EVERY SINGLE
packet for great lengths of time, to a hard disk somewhere, it will be
all but impossible to go back in time and recreate the full session from
beginning to end. Starting recording from triggertime is easy, and I
believe a lot of IDS and IPS systems do this.

Having said that, it IS possible to use some third party utility to do
something similar to what you want, but even then there's still no
guarantee: TCP sessions can stay open for hours and hours if necessary.
For example, I can set up a box to do nothing but run tcpdump on the same
wire I am doing IDS/IPS on, with a huge hard drive. Let's say a 128GB
drive. If I'm monitoring a fully saturated 100Mbps, I will fill up that
hard drive in just under 3 hours. I can easily keep a session open for
3 hours before doing something... "bad". Plus, as network speeds
increase, you will not be able to write your raw network data to that
hard drive fast enough (or read it fast enough if alert rates are high).

David W. Goodrum
Senior Systems Engineer
NFR Security, Intrusion Detection & Prevention

Raj Malhotra wrote:
>We are evaluating available NIDS products which would work at 100 mbps
>and would also do "session logging". By "session logging", we would
>want the IDS to log the "entire session" and not just the session
>"after" an intrusion is detected.
>We saw a couple of IDS which would probably be able to do something like this,
>Cisco offers session logging as well as replay.
>Intrushield says something like "Highly customized capture of
>individual packet, individual session, specific source/destination, or
>entire traffic stream upon attack detection" which might be translated
>as "logging of the session only after an attack has been detected".
>Can anyone tell us more about these or any such IDS that are available
>which can log the entire session.
> Also, has anyone used any of these and with what degree of success?
>You can mail us back off the list if you so wish.
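
Added example, not part of the original message or of any product mentioned in it: a small Python simulation of the trade-off described in the reply above, where a byte-limited capture buffer on a saturated 100 Mbps link loses the start of a session that triggers an alert late. The names `retention_seconds`, `PreTriggerBuffer` and `simulate`, the 1 GB buffer size and the traffic itself are constructed for illustration.

```python
from collections import deque

LINK_BPS = 100_000_000  # saturated 100 Mbps link, as in the message


def retention_seconds(capacity_bytes, link_bps=LINK_BPS):
    """How far back a full-capture store can reach before it wraps."""
    return capacity_bytes * 8 / link_bps


class PreTriggerBuffer:
    """Byte-budgeted ring of recent records from all flows; oldest evicted first."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.used = 0
        self.records = deque()  # (second, flow, flags, length)

    def add(self, second, flow, flags, length):
        self.records.append((second, flow, flags, length))
        self.used += length
        while self.used > self.capacity:
            self.used -= self.records.popleft()[3]

    def extract(self, flow):
        """Return what is left of one flow and whether its SYN survived."""
        kept = [r for r in self.records if r[1] == flow]
        return kept, any(r[2] == "SYN" for r in kept)


def simulate(capacity_bytes, alert_second):
    """Constructed traffic: flow "ftp" opens at second 0 and triggers an alert
    at alert_second; unrelated traffic keeps the link saturated throughout."""
    buf = PreTriggerBuffer(capacity_bytes)
    per_second = LINK_BPS // 8  # 12.5 MB of capture per second
    for s in range(alert_second + 1):
        flags = "SYN" if s == 0 else "ALERT" if s == alert_second else "DATA"
        buf.add(s, "other", "DATA", per_second - 1000)
        buf.add(s, "ftp", flags, 1000)
    return buf.extract("ftp")


if __name__ == "__main__":
    print(f"128 GB store wraps after {retention_seconds(128 * 10**9) / 3600:.2f} h")
    for minutes in (1, 10):
        kept, complete = simulate(10**9, minutes * 60)
        print(f"alert at {minutes} min: {len(kept)} records kept, "
              f"oldest from second {kept[0][0]}, session start captured: {complete}")
```

With the 1 GB buffer, a session that alerts after one minute is recovered from its SYN onward, while the ten-minute session keeps only its last 80 seconds.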