Re: session logging IDS
From: Tod Beardsley (todb_at_planb-security.net)
Date: Tue, 31 Aug 2004 09:37:49 -0500
To: Raj Malhotra <email@example.com>
Raj Malhotra wrote:
> we definitely agree with david's and your observation that session
> logging is not the goal of an IDS. [...] could you please suggest some
> tools for session logging?
So, basically, you'd like to record all network traffic, since you will
never know if an attack will take place during a given time period.
At that point, it comes down to merely logging everything with a device
that can keep up with your throughput requirements and have enough
storage to retain whatever time slice you need. As David intimated, no
IDS/IPS product will do this.
I'm sure you could rig up a tcpdump solution with regular log rotations.
If you're not concerned with data content, and just want to watch
traffic patterns, the US Navy's Shadow is worth looking into.
You might also want to peruse the Honeynet Project; if you deploy a
device that sees no legitimate traffic, then deciding what to log
becomes a lot easier, as nearly all traffic flowing to/from the honeypot
device is suspicious.
 Shadow Documentation: http://www.nswc.navy.mil/ISSEC/CID/Install3-MS.htm
 Honeynet Project Home Page:
-- Tod Beardsley | www.planb-security.net
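The "tcpdump with regular log rotations" approach Tod mentions, as an added example that is not part of the original mail and is not from any project named in it. It assumes a tcpdump 4.x that understands -G (time-based rotation), -z (post-rotate command) and -Z (privilege drop), a POSIX sh with find, du and ls, and treats the interface name, capture directory, retention window and disk budget as placeholders. The capture itself is only started when the script is invoked with `start`; the pruning functions implement the "enough storage to retain whatever time slice you need" part of the answer and can be run from cron with `prune`.

```shell
#!/bin/sh
# Rotating full-packet capture with tcpdump, plus a retention sweep.
# Added example, not from the original mail. Assumed: tcpdump 4.x (-G/-z/-Z),
# POSIX sh with find/du/ls; interface, directory and budgets are placeholders.

CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"   # placeholder: where rotated files land
IFACE="${IFACE:-eth0}"                         # placeholder interface name
ROTATE_SECONDS="${ROTATE_SECONDS:-3600}"       # start a new file every hour
RETAIN_DAYS="${RETAIN_DAYS:-7}"                # time slice to keep
BUDGET_KB="${BUDGET_KB:-52428800}"             # hard cap on disk use (50 GiB)

# Compose the capture command line.
#  -s 0  full packets (session logging needs the payload, not just headers)
#  -n    no name resolution, so lookups cannot stall the capture
#  -G    rotate every N seconds; strftime escapes in the -w name get expanded
#  -z    run gzip on each finished file (requires -G or -C)
#  -Z    drop root once the socket is open; CAPTURE_DIR must be writable
#        by that user because gzip runs as it too
build_capture_cmd() {
  dir="$1"; iface="$2"; rotate="$3"
  printf 'tcpdump -i %s -n -s 0 -G %s -w %s/capture-%%Y%%m%%d-%%H%%M%%S.pcap -z gzip -Z nobody' \
    "$iface" "$rotate" "$dir"
}

# Age-based pruning: delete rotated files older than the retention window.
prune_by_age() {
  dir="$1"; days="$2"
  find "$dir" -type f -name 'capture-*.pcap*' -mtime +"$days" -exec rm -f {} +
}

# Size-based pruning: delete the oldest files until the directory fits the
# budget, so a traffic burst cannot fill the disk and stop the capture.
# Prints the number of files removed.
prune_to_budget() {
  dir="$1"; budget_kb="$2"; removed=0
  while [ "$(du -sk "$dir" | cut -f1)" -gt "$budget_kb" ]; do
    # ls -tr sorts by mtime, oldest first; capture names carry no spaces
    oldest=$(ls -1tr "$dir"/capture-* 2>/dev/null | head -n 1)
    [ -n "$oldest" ] || break
    rm -f "$oldest"
    removed=$((removed + 1))
  done
  echo "$removed"
}

# Number of capture files currently on disk (handy for a monitoring check).
count_captures() {
  find "$1" -type f -name 'capture-*' | wc -l | tr -d ' '
}

case "${1:-}" in
  start)
    mkdir -p "$CAPTURE_DIR"
    exec sh -c "$(build_capture_cmd "$CAPTURE_DIR" "$IFACE" "$ROTATE_SECONDS")"
    ;;
  prune)
    prune_by_age "$CAPTURE_DIR" "$RETAIN_DAYS"
    prune_to_budget "$CAPTURE_DIR" "$BUDGET_KB"
    ;;
esac
```

Run `sh capture.sh start` as root under a process supervisor so a crash restarts the capture, and `sh capture.sh prune` hourly from cron. Size the budget against the measured throughput of the link: at full packet length, one hour of a saturated 100 Mbit/s link is roughly 45 GB before compression, which is the "device that can keep up" constraint in the reply above.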