Re: session logging IDS

From: Richard Bejtlich (
Date: 08/31/04

  • Next message: Tod Beardsley: "Re: session logging IDS"
    Date: Tue, 31 Aug 2004 07:22:50 -0400

    Raj Malhotra wrote:

    ...we would like to know the events that led to a successful intrusion
    and not just whether an intrusion took place or not. We will not be
    able to formulate better policies if we are unaware of the sequence of
    events that leed to an intrusion.

    could you please suggest some tools for session logging?

    Consider looking at Sguil (  
    You speak of "session logging" with respect to logging packet
    contents, but we use a different term -- full content data.
    Sguil is an interface and a method to integrate the following:
    1.  Snort generates alert data ("IDS alerts")
    2.  SANCP ( logs sessions, meaning a summary of a
    conversation (src IP, src port, dst IP, dst port, protocol, time,
    packet and byte counts, TCP flags) for TCP, UDP, and ICMP
    3.  A second instance of Snort logs full content data in libpcap form
    The third item is what you call "session data."
    When you take the three types of network evidence and add in
    statistical data, you've got Network Security Monitoring. [0]
    The Sguil team agrees with your sentiments!  It's easy to evade every
    IDS ever built or that will be built.  Alert data is a helpful
    indicator of intrusion, but it's not the end of an incident
    investigation -- it's the beginning.  Often session or full content
    data is the only way to hope to have a means of detecting an advanced
    intruder or validating that an intrusion took place.

  • Next message: Tod Beardsley: "Re: session logging IDS"