IDS mailing list archives
Re: session logging IDS
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Tue, 31 Aug 2004 09:06:54 -0500
Raj,

Personally, I think you're on the right track. After running into brick walls with various IDS vendors, I stopped using the term IDS and began saying Network Security Monitoring (NSM). NSM defines a process, while Intrusion Detection (aka IDS) has become a product (although I believe these so-called IDSs are better defined as "Attack Detection Systems"). Richard Bejtlich [0] provided a great definition for the term NSM in his book, The Tao of Network Security Monitoring [1]: "NSM is the collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

Within NSM, an analyst tries to bring an alert into context (Marty term) and answer relevant questions. Did the alert indeed identify a malicious attack? Was the attack successful? What was the impact on the system (and therefore the organization)? What response should be taken? How do we remediate the problem?

I doubt you are going to find a single product that will provide all the information you need to fulfill these needs. Instead, you are better off using a suite of tools to collect the data, and another tool to help you manage and parse the data (which is what we are trying to do with sguil [2]).

If you haven't done so already, check out Richard's book. It goes over many open source tools that may help you accomplish your goal. The foreword [3] and sample chapters [4] are available online.

Bamm

[0] http://www.taosecurity.com
[1] http://www.awprofessional.com/title/0321246772
[2] http://www.sguil.net
[3] http://www.awprofessional.com/content/images/0321246772/forward/bejtlich_foreword.pdf
[4] http://www.awprofessional.com/content/images/0321246772/samplechapter/bejtlich_chs.pdf

On Tue, 31 Aug 2004 11:42:00 +0530, Raj Malhotra <ral.mal () gmail com> wrote:
> Hi,
>
> We definitely agree with David's and your observation that session logging is not the goal of an IDS. But we would like to know the events that led to a successful intrusion and not just whether an intrusion took place or not. We will not be able to formulate better policies if we are unaware of the sequence of events that lead to an intrusion.
>
> Could you please suggest some tools for session logging?
>
> Thanks
-- http://sguil.sf.net
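The reply above describes the NSM process rather than a product: collect session data independently of the alert engine, then use it to put an alert into context (was the attack answered, what else did the hosts do around that time). The block below is an added example written for this page; it is not code from the original post, from sguil, or from any tool named in the book. It folds individual packets into bidirectional session records, the way the session-data tools in the NSM literature do, and then answers the analyst's first questions from those records alone. Every packet, address, port and the alert itself are constructed sample data; the "server sent payload" check is a heuristic the example introduces as an indicator, not proof, that an attack got a response.

```python
# Added example (not from the original post or from sguil). A minimal
# session logger plus an alert-to-session lookup. All data is constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float      # capture time (seconds)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "tcp" or "udp"
    flags: str     # TCP flags as letters, e.g. "S", "SA", "RA"; "" for udp
    plen: int      # application payload bytes (headers excluded)


@dataclass
class Session:
    proto: str
    client: str    # side that sent the first packet seen
    cport: int
    server: str
    sport: int
    start: float
    end: float
    pkts_c2s: int = 0
    pkts_s2c: int = 0
    bytes_c2s: int = 0   # payload bytes client -> server
    bytes_s2c: int = 0   # payload bytes server -> client


def build_sessions(packets: List[Packet], idle_timeout: float = 60.0) -> List[Session]:
    """Fold packets into bidirectional sessions keyed on the direction-insensitive
    5-tuple. A gap longer than idle_timeout closes a session and opens a new one."""
    active: Dict[Tuple, Session] = {}
    done: List[Session] = []
    for p in sorted(packets, key=lambda x: x.ts):
        key = (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))
        s = active.get(key)
        if s is not None and p.ts - s.end > idle_timeout:
            done.append(active.pop(key))
            s = None
        if s is None:
            s = Session(p.proto, p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            active[key] = s
        s.end = max(s.end, p.ts)
        if (p.src, p.sport) == (s.client, s.cport):
            s.pkts_c2s += 1
            s.bytes_c2s += p.plen
        else:
            s.pkts_s2c += 1
            s.bytes_s2c += p.plen
    done.extend(active.values())
    return sorted(done, key=lambda s: s.start)


def session_for_alert(sessions: List[Session], alert: dict) -> Optional[Session]:
    """Find the session an IDS alert (5-tuple plus timestamp) belongs to."""
    want = {(alert["src"], alert["sport"]), (alert["dst"], alert["dport"])}
    for s in sessions:
        if s.proto == alert["proto"] and s.start <= alert["ts"] <= s.end \
                and {(s.client, s.cport), (s.server, s.sport)} == want:
            return s
    return None


def context_for_alert(sessions: List[Session], alert: dict, window: float = 30.0) -> dict:
    """Did the server answer with data (a hint, not proof, that the attack got a
    response), and what else did either host do within `window` seconds?"""
    hit = session_for_alert(sessions, alert)
    hosts = {alert["src"], alert["dst"]}
    related = [s for s in sessions
               if s is not hit and abs(s.start - alert["ts"]) <= window
               and (s.client in hosts or s.server in hosts)]
    return {"session": hit,
            "server_sent_data": hit is not None and hit.bytes_s2c > 0,
            "related": related}


# Constructed sample: a probe of port 22 (refused), an HTTP request that trips
# an alert, and the victim connecting back to the source a second later.
A, V = "10.0.0.5", "192.168.1.10"
SAMPLE_PACKETS = [
    Packet(99.0, A, 40000, V, 22, "tcp", "S", 0),
    Packet(99.0, V, 22, A, 40000, "tcp", "RA", 0),
    Packet(100.0, A, 40001, V, 80, "tcp", "S", 0),
    Packet(100.0, V, 80, A, 40001, "tcp", "SA", 0),
    Packet(100.1, A, 40001, V, 80, "tcp", "A", 0),
    Packet(100.2, A, 40001, V, 80, "tcp", "PA", 512),
    Packet(100.3, V, 80, A, 40001, "tcp", "PA", 200),
    Packet(101.0, V, 51000, A, 4444, "tcp", "S", 0),
    Packet(101.0, A, 4444, V, 51000, "tcp", "SA", 0),
    Packet(101.1, V, 51000, A, 4444, "tcp", "PA", 40),
    Packet(101.5, A, 4444, V, 51000, "tcp", "PA", 12),
    Packet(300.0, "10.0.0.7", 33000, V, 80, "tcp", "S", 0),  # unrelated, out of window
]
SAMPLE_ALERT = {"ts": 100.2, "src": A, "sport": 40001, "dst": V, "dport": 80,
                "proto": "tcp", "msg": "constructed: suspicious HTTP request body"}

if __name__ == "__main__":
    ctx = context_for_alert(build_sessions(SAMPLE_PACKETS), SAMPLE_ALERT)
    s = ctx["session"]
    print(f"alert session {s.client}:{s.cport} -> {s.server}:{s.sport} "
          f"c2s={s.bytes_c2s}B s2c={s.bytes_s2c}B answered={ctx['server_sent_data']}")
    for r in ctx["related"]:
        print(f"related @{r.start}: {r.client}:{r.cport} -> {r.server}:{r.sport}")
```

Run as a script it prints the matched HTTP session with 512 bytes in and 200 bytes back, then the two related sessions: the refused probe of port 22 just before the alert and the victim's own outbound connection to the alert source a second after it. That second record is exactly the kind of "sequence of events" the questioner asked for and that an alert-only IDS cannot show; the session logger sees it because it records every conversation, not just the ones that matched a signature.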
Current thread:
- RE: session logging IDS Bob Walder (Aug 31)
- Re: session logging IDS Richard Bejtlich (Aug 31)
- Re: session logging IDS Tod Beardsley (Sep 01)
- Re: session logging IDS David W. Goodrum (Sep 01)
- Re: session logging IDS Stefan Keller (Sep 01)
- Re: session logging IDS Bamm Visscher (Sep 02)
- Re: session logging IDS Alex Butcher, ISC/ISYS (Sep 05)
- Re: session logging IDS Andy Cuff (Sep 06)
- RE: session logging IDS Paine, Steve (Sep 05)
- RE: session logging IDS Murtland, Jerry (Sep 14)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 14)
- RE: session logging IDS Bill Royds (Sep 15)
- RE: session logging IDS Prabhat Singh (Sep 15)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 15)
- RE: session logging IDS Bénoni MARTIN (Sep 15)
- RE: session logging IDS brennan stewart (Sep 16)