IDS mailing list archives

Re: session logging IDS


From: Bamm Visscher <bamm.visscher () gmail com>
Date: Tue, 31 Aug 2004 09:06:54 -0500

Raj,

Personally, I think you're on the right track. After running into
brick walls with various IDS vendors, I stopped using the term IDS and
began saying Network Security Monitoring (NSM).  NSM defines a process
while Intrusion Detection (aka IDS) has become a product (although I
believe these so-called IDSs are better defined as "Attack Detection
Systems").  Richard Bejtlich [0] provided a great definition for the
term NSM in his book, The Tao of Network Security Monitoring [1]: "NSM
is the collection, analysis, and escalation of indications and
warnings to detect and respond to intrusions."  Within NSM, an analyst
tries to bring an alert into context (Marty term), and answer relevant
questions.

Did the alert indeed identify a malicious attack?
Was the attack successful?
What was the impact on the system (and therefore the organization)?
What response should be taken?
How do we remediate the problem?

I doubt you are going to find a single product that will provide all
the information you need to fulfill these needs. Instead, you are
better off using a suite of tools to collect the data, and another
tool to help you manage and parse the data (which is what we are
trying to do with sguil [2]).

If you haven't done so already, check out Richard's book. It goes over
many open source tools that may help you accomplish your goal. The
foreword [3] and sample chapters [4] are available online.

Bammkkkk

[0] http://www.taosecurity.com
[1] http://www.awprofessional.com/title/0321246772
[2] http://www.sguil.net
[3] http://www.awprofessional.com/content/images/0321246772/forward/bejtlich_foreword.pdf
[4] http://www.awprofessional.com/content/images/0321246772/samplechapter/bejtlich_chs.pdf

On Tue, 31 Aug 2004 11:42:00 +0530, Raj Malhotra <ral.mal () gmail com> wrote:
Hi

We definitely agree with David's and your observation that session
logging is not the goal of an IDS. But we would like to know the
events that led to a successful intrusion and not just whether an
intrusion took place or not. We will not be able to formulate better
policies if we are unaware of the sequence of events that lead to an
intrusion.

Could you please suggest some tools for session logging?

Thanks

-- 
http://sguil.sf.net
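As an added example to illustrate what "session logging" in the NSM sense means, here is a minimal session logger in Python. It is not code from this thread, from sguil, or from any tool named above; it parses raw Ethernet/IPv4/TCP frames and folds them into bidirectional session records (who talked to whom, when, for how long, how much in each direction, which TCP flags were seen), which is the kind of record an analyst uses to reconstruct the sequence of events around an alert. The frames in SAMPLE_CAPTURE are constructed inline (no real capture), and the function and field names (build_frame, parse_frame, log_sessions, Session) are this example's own.

```python
"""Constructed example of NSM-style session (flow) logging; not sguil/sancp code."""
import socket
import struct
from dataclasses import dataclass, field

# TCP flag bits as they appear in the flags byte of the TCP header.
FLAG_BITS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "A")]
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Session:
    """One bidirectional session keyed by the 5-tuple of the first packet seen."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float
    end: float
    src_pkts: int = 0
    dst_pkts: int = 0
    src_bytes: int = 0   # payload bytes src -> dst
    dst_bytes: int = 0   # payload bytes dst -> src
    flags: set = field(default_factory=set)


def build_frame(src, sport, dst, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp   # dummy MACs + EtherType IPv4


def parse_frame(frame):
    """Return (src, sport, dst, dport, proto, flags, payload_len), or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, _, proto, _, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _, _, off, flags = struct.unpack("!HHIIBB", tcp[:14])
    payload_len = max(0, len(tcp) - (off >> 4) * 4)
    return socket.inet_ntoa(s), sport, socket.inet_ntoa(d), dport, proto, flags, payload_len


def decode_flags(bits):
    return {name for mask, name in FLAG_BITS if bits & mask}


def log_sessions(packets):
    """packets: iterable of (timestamp, frame). Returns Session records in first-seen order."""
    sessions = {}
    for ts, frame in packets:
        parsed = parse_frame(frame)
        if parsed is None:          # non-IPv4/TCP traffic is not session-logged here
            continue
        src, sport, dst, dport, proto, flags, plen = parsed
        fwd, rev = (src, sport, dst, dport, proto), (dst, dport, src, sport, proto)
        if fwd in sessions:
            s, forward = sessions[fwd], True
        elif rev in sessions:       # reply direction of a session we already track
            s, forward = sessions[rev], False
        else:
            s = sessions[fwd] = Session(src, sport, dst, dport, proto, ts, ts)
            forward = True
        s.end = max(s.end, ts)
        if forward:
            s.src_pkts, s.src_bytes = s.src_pkts + 1, s.src_bytes + plen
        else:
            s.dst_pkts, s.dst_bytes = s.dst_pkts + 1, s.dst_bytes + plen
        s.flags |= decode_flags(flags)
    return list(sessions.values())


def format_record(s):
    """One-line session record, similar in spirit to what sancp/argus style tools emit."""
    return (f"{s.start:.3f} dur={s.end - s.start:.3f}s {s.src}:{s.sport} -> {s.dst}:{s.dport} "
            f"proto={s.proto} pkts={s.src_pkts}/{s.dst_pkts} bytes={s.src_bytes}/{s.dst_bytes} "
            f"flags={''.join(sorted(s.flags))}")


# Constructed "capture": an SSH session, an unrelated ARP frame, and a refused SYN to 445.
CLIENT_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"
SERVER_BANNER = b"SSH-2.0-OpenSSH_8.9p1\r\n"
SAMPLE_CAPTURE = [
    (1.000, build_frame("10.0.0.5", 51234, "10.0.0.9", 22, SYN)),
    (1.001, build_frame("10.0.0.9", 22, "10.0.0.5", 51234, SYN | ACK)),
    (1.002, build_frame("10.0.0.5", 51234, "10.0.0.9", 22, ACK)),
    (1.010, build_frame("10.0.0.5", 51234, "10.0.0.9", 22, PSH | ACK, CLIENT_BANNER)),
    (1.020, build_frame("10.0.0.9", 22, "10.0.0.5", 51234, PSH | ACK, SERVER_BANNER)),
    (2.500, build_frame("10.0.0.5", 51234, "10.0.0.9", 22, FIN | ACK)),
    (2.501, build_frame("10.0.0.9", 22, "10.0.0.5", 51234, FIN | ACK)),
    (3.000, b"\xff" * 12 + b"\x08\x06" + b"\x00" * 28),          # ARP frame, skipped
    (4.000, build_frame("10.0.0.5", 40000, "10.0.0.9", 445, SYN)),
    (4.001, build_frame("10.0.0.9", 445, "10.0.0.5", 40000, RST | ACK)),
]

if __name__ == "__main__":
    for rec in log_sessions(SAMPLE_CAPTURE):
        print(format_record(rec))
```

Run on the constructed capture it prints two records: the SSH session (4 client packets, 3 server packets, one banner each way, flags SAPF) and a one-packet SYN to 445 answered with RST, which is exactly the kind of context an alert on its own does not give you. A real session logger would read from a pcap or a live interface and expire idle sessions; the aggregation logic is the same.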

