Re: session logging IDS
From: Tod Beardsley (todb_at_planb-security.net)
Date: 08/31/04
- Previous message: Richard Bejtlich: "Re: session logging IDS"
- Maybe in reply to: Bamm Visscher: "Re: session logging IDS"
- Next in thread: David W. Goodrum: "Re: session logging IDS"
Date: Tue, 31 Aug 2004 09:37:49 -0500
To: Raj Malhotra <ral.mal@gmail.com>
Raj Malhotra wrote:
> We definitely agree with David's and your observation that session
> logging is not the goal of an IDS. [...] Could you please suggest some
> tools for session logging?
So, basically, you'd like to record all network traffic, since you will
never know if an attack will take place during a given time period.
At that point, it comes down to merely logging everything with a device
that can keep up with your throughput requirements and have enough
storage to retain whatever time slice you need. As David intimated, no
IDS/IPS product will do this.
I'm sure you could rig up a tcpdump solution with regular log rotations.
If you're not concerned with data content, and just want to watch
traffic patterns, the US Navy's Shadow[1] is worth looking into.
You might also want to peruse the Honeynet Project[2]; if you deploy a
device that sees no legitimate traffic, then deciding what to log
becomes a lot easier, as nearly all traffic flowing to/from the honeypot
device is suspicious.
[1] Shadow Documentation: http://www.nswc.navy.mil/ISSEC/CID/Install3-MS.htm
[2] Honeynet Project Home Page: http://www.honeynet.org/tools/index.html
-- Tod Beardsley | www.planb-security.net
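The "tcpdump with regular log rotations" approach mentioned above, as an added example that is not part of the original thread: a rolling full-packet capture rotated on a fixed interval, with a retention sweep that keeps only the newest files. It assumes a tcpdump recent enough to support -G and -Z, the interface eth0, the directory /var/log/pcap and the retention numbers shown; all of these are placeholders to tune to your link speed and disk.

```shell
#!/bin/sh
# Added example, not part of the original thread: a rolling full-packet
# capture with tcpdump, rotated on a fixed interval, plus a retention
# sweep that keeps only the newest files. Interface, directory and the
# retention numbers are assumptions to tune to your link speed and disk.

IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/log/pcap}"
ROTATE_SECS="${ROTATE_SECS:-3600}"   # start a new file every hour
KEEP_FILES="${KEEP_FILES:-168}"      # one week of hourly files

# Build the tcpdump command line as a string so it can be inspected
# (and tested) without root or a live interface.
#   -n        never resolve names: the sensor should not emit DNS queries
#   -s 0      capture whole packets, so sessions are replayable in full
#   -G secs   rotate the savefile every ROTATE_SECS seconds
#   -w file   strftime(3) pattern; each file is named by its start time
#   -Z user   drop root after opening the interface; rotated files are
#             opened after the drop, so CAPDIR must be writable by that user
capture_cmd() {
  printf 'tcpdump -i %s -n -s 0 -G %s -w %s/%%Y%%m%%d-%%H%%M%%S.pcap -Z nobody' \
    "$IFACE" "$ROTATE_SECS" "$CAPDIR"
}

# Remove all but the newest $2 captures in directory $1. The timestamped
# names sort chronologically, so the oldest come first. Prints the number
# of files deleted.
prune_captures() {
  dir="$1"; keep="$2"
  n=$(ls -1 "$dir"/*.pcap 2>/dev/null | wc -l | tr -d ' ')
  excess=$((n - keep))
  if [ "$excess" -le 0 ]; then echo 0; return 0; fi
  ls -1 "$dir"/*.pcap | sort | head -n "$excess" | while read -r f; do
    rm -f "$f"
  done
  echo "$excess"
}

# Entry point: "sh capture.sh run" prunes old files, then execs tcpdump
# (needs root). Schedule prune_captures from cron to keep disk usage bounded.
if [ "${1:-}" = "run" ]; then
  mkdir -p "$CAPDIR"
  prune_captures "$CAPDIR" "$KEEP_FILES" >/dev/null
  exec sh -c "$(capture_cmd)"
fi
```

Size the rotation interval and KEEP_FILES from measured throughput: at full packet size a busy link fills disk far faster than header-only tools such as Shadow, which is the trade-off the reply is pointing at.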