IDS mailing list archives
RE: session logging IDS
From: "Bob Walder" <bwalder () spamcop net>
Date: Tue, 31 Aug 2004 08:31:05 +0200
Technically (theoretically?) this can be done..... But just think of all the data that the IDS/IPS would need to buffer to be able to provide you with ALL session data for each session where an alert is raised. ;o) Don't forget that EVERY open session has to be tracked JUST IN CASE an alert is raised at some point - not very practical, even at 100Mbps.

Products like IntruShield are capable of buffering x packets before an alert is raised to try and provide some context for the alert. Cisco do something similar, but they just provide you with the context buffer (fixed size), which is actually more useful in most cases. ISS Proventia also gathers lots of data on each session tracked now, so that when an alert is raised it can give you lots of interesting context data - such as the user name and password used to log in to an FTP server, for example - in addition to the item that actually triggered the alert.

Some companies specialise in producing "forensic recorders" - Niksun, for example (there are others that I cannot remember off the top of my head - and I *BELIEVE* - not sure - that that is actually how NFR started life?) which are simply designed to catch huge wodges of data at wire speed. You could use those to capture ALL your traffic and let the IDS/IPS do its job - then you can HOPE that you can find the session that contains the alert your IDS/IPS found.

One or two vendors are talking about integrating with such recording devices, such that they sorta "sync" their session tracking, and when an alert is raised they flag the forensic recorder to keep a particular session in its entirety - not here yet though.

See our IPS report at www.nss.co.uk/ips for more info - for those who have been there before, you might be interested to know that we have dropped that annoying form you had to fill in before you got to the reports ;o)

Maybe we should look at testing these forensic recorders in a group test - any vendors interested?

Regards,

Bob Walder
The NSS Group
-----Original Message-----
From: Martin Roesch [mailto:roesch () sourcefire com]
Sent: 30 August 2004 20:48
To: Raj Malhotra
Cc: focus-ids () securityfocus com
Subject: Re: session logging IDS

Do you want to log the entire session always on a specific port or between two IPs, or are you looking to log the entire session if there's a detect on it?

-Marty

On Aug 30, 2004, at 7:17 AM, Raj Malhotra wrote:

Hello all,

We are evaluating available NIDS products which would work at 100 mbps and would also do "session logging". By "session logging", we would want the IDS to log the "entire session" and not just the session "after" an intrusion is detected.

We saw a couple of IDS which would probably be able to do something like this:

Cisco IDS
Intrushield

Cisco offers session logging as well as replay. Intrushield says something like "Highly customized capture of individual packet, individual session, specific source/destination, or entire traffic stream upon attack detection", which might be translated as "logging of the session only after an attack has been detected".

Can anyone tell us more about these or any such IDS that are available which can log the entire session. Also, has anyone used any of these and with what degree of success? You can mail us back off the list if you so wish.

thanks
Raj

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
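The trade-off Bob describes (every open session tracked just in case, a bounded per-flow packet buffer, and the buffered packets handed back as context when an alert fires) is easy to see in code. The block below is an added illustration written for this archive page; it is not the code of IntruShield, Cisco IDS, Proventia, Snort or any other product named in the thread. The sample FTP session, the `TOY_SIGNATURE` string and the flow-table limits are all constructed for the example.

```python
"""Per-flow packet context buffer of the kind the post describes: every open
session is tracked just in case, the buffer is bounded, and when an alert is
raised the buffered packets for that one flow are handed back as context.
Added example for this page; not the code of any product named in the thread."""
from collections import OrderedDict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: str         # "tcp" / "udp"
    payload: bytes


def flow_key(pkt):
    """Direction-independent key so both halves of a session share one buffer."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto,) + lo + hi


class ContextBuffer:
    """Keeps the last `packets_per_flow` packets of at most `max_flows` flows.

    Flows sit in least-recently-seen order; when the table is full the oldest
    flow is dropped, and flows idle longer than `idle_timeout` are expired on
    each observe(). Both limits are what keep memory bounded at wire speed."""

    def __init__(self, packets_per_flow=8, max_flows=10000, idle_timeout=60.0):
        self.packets_per_flow = packets_per_flow
        self.max_flows = max_flows
        self.idle_timeout = idle_timeout
        self.flows = OrderedDict()   # key -> deque of Packet, least recent first
        self.evicted = 0             # flows dropped for lack of table space
        self.expired = 0             # flows dropped for being idle

    def _expire(self, now):
        # The table is LRU-ordered, so stop at the first flow that is still fresh.
        while self.flows:
            key, buf = next(iter(self.flows.items()))
            if now - buf[-1].ts <= self.idle_timeout:
                break
            del self.flows[key]
            self.expired += 1

    def observe(self, pkt):
        """Record one packet; returns the flow key it was filed under."""
        self._expire(pkt.ts)
        key = flow_key(pkt)
        buf = self.flows.get(key)
        if buf is None:
            if len(self.flows) >= self.max_flows:
                self.flows.popitem(last=False)   # evict the least recently seen flow
                self.evicted += 1
            buf = deque(maxlen=self.packets_per_flow)   # oldest packets fall off the front
            self.flows[key] = buf
        else:
            self.flows.move_to_end(key)
        buf.append(pkt)
        return key

    def context(self, pkt):
        """Packets buffered for the flow `pkt` belongs to, oldest first."""
        return list(self.flows.get(flow_key(pkt), ()))

    def memory_bytes(self, snaplen=1514):
        """Worst-case packet memory if every slot of every flow held `snaplen` bytes."""
        return self.max_flows * self.packets_per_flow * snaplen


# Constructed sample traffic: one FTP control session. The login happens well
# before the packet the toy signature fires on, which is the point: without the
# buffer the alert would carry only the RETR packet.
CLIENT, SERVER = "10.0.0.5", "10.0.0.21"
FTP_SESSION = [
    Packet(1.0, CLIENT, 40001, SERVER, 21, "tcp", b"USER alice\r\n"),
    Packet(1.1, SERVER, 21, CLIENT, 40001, "tcp", b"331 Password required\r\n"),
    Packet(1.2, CLIENT, 40001, SERVER, 21, "tcp", b"PASS hunter2\r\n"),
    Packet(1.3, SERVER, 21, CLIENT, 40001, "tcp", b"230 Login ok\r\n"),
    Packet(2.0, CLIENT, 40001, SERVER, 21, "tcp", b"RETR /etc/passwd\r\n"),
]

TOY_SIGNATURE = b"RETR /etc/passwd"   # stand-in for a real rule, not taken from any product


def run(packets, tracker=None):
    """Feed packets through the tracker; returns (tracker, alerts), each alert
    carrying the triggering packet plus the flow's buffered context."""
    if tracker is None:
        tracker = ContextBuffer()
    alerts = []
    for pkt in packets:
        tracker.observe(pkt)   # buffer first, so the triggering packet is part of the context
        if TOY_SIGNATURE in pkt.payload:
            alerts.append({"trigger": pkt, "context": tracker.context(pkt)})
    return tracker, alerts


def login_from_context(context):
    """The kind of detail the post attributes to Proventia: recover the FTP
    USER/PASS lines from the buffered packets of the alerting session."""
    user = password = None
    for p in context:
        if p.payload.startswith(b"USER "):
            user = p.payload[5:].strip().decode()
        elif p.payload.startswith(b"PASS "):
            password = p.payload[5:].strip().decode()
    return user, password


if __name__ == "__main__":
    tracker, alerts = run(FTP_SESSION)
    for a in alerts:
        print("alert on", a["trigger"].payload, "login:", login_from_context(a["context"]))
    print("worst-case buffer memory: %.1f MiB" % (tracker.memory_bytes() / 2 ** 20))
```

Shrinking `packets_per_flow` is exactly the "fixed-size context buffer" compromise: with room for only three packets the USER line has already fallen off the front of the deque by the time the RETR packet fires, and the alert still arrives with the password but no user name. The `max_flows` eviction and idle expiry are the other half of the story: at 100Mbps the flow table, not the per-flow buffer, is what fills up, and whatever you evict is context you can never get back, which is why the post points at a separate full-capture recorder for anything approaching "the entire session".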
Current thread:
- RE: session logging IDS Bob Walder (Aug 31)
- <Possible follow-ups>
- Re: session logging IDS Richard Bejtlich (Aug 31)
- Re: session logging IDS Tod Beardsley (Sep 01)
- Re: session logging IDS David W. Goodrum (Sep 01)
- Re: session logging IDS Stefan Keller (Sep 01)
- Re: session logging IDS Bamm Visscher (Sep 02)
- Re: session logging IDS Alex Butcher, ISC/ISYS (Sep 05)
- Re: session logging IDS Andy Cuff (Sep 06)
- RE: session logging IDS Paine, Steve (Sep 05)
- RE: session logging IDS Murtland, Jerry (Sep 14)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 14)
(Thread continues...)