Re: session logging IDS
From: Richard Bejtlich (taosecurity_at_gmail.com)
Date: Tue, 31 Aug 2004 07:22:50 -0400 To: firstname.lastname@example.org
Raj Malhotra wrote:
...we would like to know the events that led to a successful intrusion
and not just whether an intrusion took place or not. We will not be
able to formulate better policies if we are unaware of the sequence of
events that leed to an intrusion.
could you please suggest some tools for session logging?
-- Raj, Consider looking at Sguil (www.sguil.net). You speak of "session logging" with respect to logging packet contents, but we use a different term -- full content data. Sguil is an interface and a method to integrate the following: 1. Snort generates alert data ("IDS alerts") 2. SANCP (www.metre.net) logs sessions, meaning a summary of a conversation (src IP, src port, dst IP, dst port, protocol, time, packet and byte counts, TCP flags) for TCP, UDP, and ICMP 3. A second instance of Snort logs full content data in libpcap form The third item is what you call "session data." When you take the three types of network evidence and add in statistical data, you've got Network Security Monitoring.  The Sguil team agrees with your sentiments! It's easy to evade every IDS ever built or that will be built. Alert data is a helpful indicator of intrusion, but it's not the end of an incident investigation -- it's the beginning. Often session or full content data is the only way to hope to have a means of detecting an advanced intruder or validating that an intrusion took place. Sincerely, Richard http://www.taosecurity.com  http://www.taosecurity.com/books.html