Re: session logging IDS

From: Tod Beardsley (todb_at_planb-security.net)
Date: 08/31/04

  • Next message: David W. Goodrum: "Re: session logging IDS"
    Date: Tue, 31 Aug 2004 09:37:49 -0500
    To: Raj Malhotra <ral.mal@gmail.com>
    
    

    Raj Malhotra wrote:

    > we definitely agree with david's and your observation that session
    > logging is not the goal of an IDS. [...] could you please suggest some
    > tools for session logging?

    So, basically, you'd like to record all network traffic, since you will
    never know if an attack will take place during a given time period.

    At that point, it comes down to merely logging everything with a device
    that can keep up with your throughput requirements and have enough
    storage to retain whatever time slice you need. As David intimated, no
    IDS/IPS product will do this.

    I'm sure you could rig up a tcpdump solution with regular log rotations.
    If you're not concerned with data content, and just want to watch
    traffic patterns, the US Navy's Shadow[1] is worth looking into.

    You might also want to peruse the Honeynet Project[2]; if you deploy a
    device that sees no legitimate traffic, then deciding what to log
    becomes a lot easier, as nearly all traffic flowing to/from the honeypot
    device is suspicious.

    [1] Shadow Documentation: http://www.nswc.navy.mil/ISSEC/CID/Install3-MS.htm

    [2] Honeynet Project Home Page:
    http://www.honeynet.org/tools/index.html

    -- 
    Tod Beardsley | www.planb-security.net
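As an added example (not part of Tod's post or any tool he names), here is one way to rig the "tcpdump with regular log rotations" approach he mentions. It relies on tcpdump's own -G (rotate every N seconds), -w (output path with a strftime pattern) and -z (post-rotate command) options, and adds a retention pruner so the full-packet archive only keeps the time slice you need. The interface name, capture directory, hourly rotation and 7-day retention are assumed values.

```shell
#!/bin/sh
# Added example: full-packet capture with time-based rotation and pruning.
# Not from the original mailing-list post; all settings below are assumptions.

CAP_DIR="${CAP_DIR:-/var/log/pcap}"   # assumed archive directory
IFACE="${IFACE:-eth0}"                 # assumed capture interface
ROTATE_SECS=3600                       # assumed: one capture file per hour
RETAIN_DAYS=7                          # assumed: keep a week of traffic

# Build the tcpdump command line.
#   -n    no DNS lookups (they stall capture under load)
#   -s 0  full packets, i.e. "log everything", not just headers
#   -G    rotate the output file every ROTATE_SECS seconds
#   -w    filename pattern; strftime fields give each file its own timestamp
#   -z    run this command on each completed file (compress it)
capture_cmd() {
  echo "tcpdump -i $IFACE -n -s 0 -G $ROTATE_SECS -w $CAP_DIR/cap-%Y%m%d-%H%M%S.pcap -z gzip"
}

# Delete rotated captures older than RETAIN_DAYS (plain or gzip-compressed)
# and print how many files were removed.
prune_old() {
  dir="$1"
  days="$2"
  find "$dir" -type f -name 'cap-*.pcap*' -mtime +"$days" -print -delete | wc -l | tr -d ' '
}

# Run with "run" as the first argument to prune, then start capturing.
# Without it the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
  mkdir -p "$CAP_DIR"
  echo "pruned $(prune_old "$CAP_DIR" "$RETAIN_DAYS") old capture file(s)"
  exec $(capture_cmd)
fi
```

Run from cron or a service manager with `sh capture.sh run`; the pruner runs once at start, so schedule `prune_old` separately (a daily cron job calling the same function) if the capture process is long-lived. Size the disk from observed throughput times RETAIN_DAYS, since a full-packet archive grows at line rate.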
    
