RE: session logging IDS

From: brennan stewart (brennan_at_ideahamster.org)
Date: 09/16/04

  • Next message: Rob Shein: "RE: What is false alarm rate and false positive rate?"
    To: focus-ids@securityfocus.com
    Date: Thu, 16 Sep 2004 02:23:21 -0400
    
    
    

    I believe Raytheon's SilentRunner now CA Etrust Network forensics was
    the first with that kind of functionality on an enterprise level

    -b

    On Wed, 2004-09-15 at 11:52, Bénoni MARTIN wrote:
    > Etheral does not store...mmhh...I do not think so !! You can save (File /save as...) in several formats the packets sniffed by the tool. What I usual do is: lauch Ethereal after setting up some filtering rules, wait a while, then stop the capture, maybe filter again if I need so, then save the results in the format i want...
    >
    > HTH !
    >
    >
    > -----Message d'origine-----
    > De : Bill Royds [mailto:broyds@rogers.com]
    > Envoyé : mercredi 15 septembre 2004 02:18
    > À : 'Murtland, Jerry'
    > Cc : focus-ids@securityfocus.com
    > Objet : RE: session logging IDS
    >
    > Ethereal and ethereal do store the packets, but in a ring buffer file for a limited number of seconds. This limits the size of the log file but does allow you to go back up to the beginning of the buffer to get some previous history.
    > Whether it is long enough to capture all traffic of interest is a possible problem.
    >
    > -----Original Message-----
    > From: Murtland, Jerry [mailto:MurtlandJ@Grangeinsurance.com]
    > Sent: Monday, September 13, 2004 12:52 PM
    > To: 'Alex Butcher, ISC/ISYS'; David W. Goodrum; Raj Malhotra
    > Cc: focus-ids@securityfocus.com
    > Subject: RE: session logging IDS
    >
    > > Hmmmm, I would like verification that either Cisco or Intrushield (or
    > > any other IDS/IPS) can actually capture an entire session from
    > > beginning to end, when the alert was triggered somewhere in the
    > > middle, and that they can do it all the time.
    >
    > >From the way that you are stating it, it cannot be done. The IDS's sniffer must be manually started and cannot go back to the beginning of an attack to find out what happened. This can only be done if the sniffer were enabled 100% of the time, and we all know that you basically cannot do this due to logging capacity.
    >
    >
    > I'm more interested in tethereal and how you say it can go back per the 'tag' keyword. I'd have to try it out to see how this works, but are you saying you can go back and review packets previous from when the sniffer was enabled? I can't see how this could occur since packets are not stored.
    >
    >
    > Jerry J. Murtland
    >
    >
    > -----Original Message-----
    > From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher@bristol.ac.uk]
    > Sent: Thursday, September 02, 2004 4:04 AM
    > To: David W. Goodrum; Raj Malhotra
    > Cc: focus-ids@securityfocus.com
    > Subject: Re: session logging IDS
    >
    >
    >
    >
    > --On 30 August 2004 18:04 -0400 "David W. Goodrum" <dgoodrum@nfr.com> wrote:
    >
    > > Hmmmm, I would like verification that either Cisco or Intrushield (or
    > > any other IDS/IPS) can actually capture an entire session from
    > > beginning to end, when the alert was triggered somewhere in the
    > > middle, and that they can do it all the time.
    >
    > That would certainly be a new feature for Cisco's offering since the last time I worked with it (Mid-2002).
    >
    > The only other things that I've seen that are relevant are Niksun's NetVCR and Snort/sourcefire. At the moment, out of the box, Snort can only capture subsequent packets in a session or from a source host *after* the alert-triggering packet (using the 'tag' keyword). I'm currently extending ACID and FLoP to allow pcap files of tagged alerts to be downloaded from ACID for analysis using Ethereal or other tools.
    >
    > The other thing I thought of, after being inspired by Niksun's product, was to arrange for tethereal to dump to a pair of files (i.e. a double buffer), switching every n minutes. It would then be possible to arrange for an IDS to send a signal to tethereal (or rather, some controlling process) when it generated an interesting alert, telling tethereal to preserve the previous dump file, and continue logging to the current one until further notice, giving you upto at least n minutes of reverse 'time travel'.
    >
    > > -dave
    > >
    > > David W. Goodrum
    >
    > Best Regards,
    > Alex.
    > --
    > Alex Butcher: Security & Integrity, Personal Computer Systems Group
    > Information Systems and Computing GPG Key ID: F9B27DC9
    > GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from CORE
    > IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
    > learn more.
    > --------------------------------------------------------------------------
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    > --------------------------------------------------------------------------
    >
    >
    >
    >
    > --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
    > --------------------------------------------------------------------------
    >
    >

    
    



  • Next message: Rob Shein: "RE: What is false alarm rate and false positive rate?"