Re: session logging IDS

["David W. Goodrum" <dgoodrum () nfr com>]

"Events that led to an intrusion".  That doesn't necessarily imply full 
session logging.  For example, NFR can log the existence of all sessions 
on the network, which is considerably smaller than the actual session.   
A sample record looks like this  (except normally in tabled format):

Time:               30-Aug-2004 09:35:12
NFR:                home-nid
Start Time (in seconds since the epoch):1093872886
Source Address:     10.0.1.215
Source Port:        2106
Destination Address:65.202.219.131 (support.nfr.com)
Destination Port:   443
Total Bytes:        18534
Client Bytes:       5002
Server Bytes:       13532

Most Network IDS vendors will have some form of "General recording" such 
as this.

This can be very useful in determine what an attacker did leading up to 
an attack.  It won't get you the raw materials though.  If you flat need 
all the raw data, I'd recomend tcpdump.  But, like I said, tcpdump can 
be a lot of information on a fast network.  I hope you buy a big hard drive.


Raj Malhotra wrote:

> Hi
>
> we definitely agree with david's and your observation that session
> logging is not the goal of an IDS. But we would like to know the
> events that led to a successful intrusion and not just whether an
> intrusion took place or not. We will not be able to formulate better
> policies if we are unaware of the sequence of events that leed to an
> intrusion.
>
> could you please suggest some tools for session logging?
>
> thanks
>
>
> ----- Original Message -----
> From: Vijayakumar.S <vijay () nsecure net>
> Date: Tue, 31 Aug 2004 10:07:18 +0530
> Subject: Re: session logging IDS
> To: "David W. Goodrum" <dgoodrum () nfr com>, Raj Malhotra <ral.mal () gmail com>
> Cc: focus-ids () securityfocus com
>
>
> Yes, I agree with David. 
>  
> The purpose here is to detect and prevent the intrusion, that most of
> the IDSs do. There are lots of  tools available to do the session
> logging.
> Raj, if you are in the phase of testing the IDS/IPS you can test
> various other functionalities which are offered by various products
> currently in the market.
>
>
>  
>
> ----- Original Message ----- 
> From: David W. Goodrum 
> To: Raj Malhotra 
> Cc: focus-ids () securityfocus com 
> Sent: Tuesday, August 31, 2004 3:34 AM 
> Subject: Re: session logging IDS 
>
> Hmmmm, I would like verification that either Cisco or Intrushield (or 
> any other IDS/IPS) can actually capture an entire session from beginning 
> to end, when the alert was triggered somewhere in the middle, and that 
> they can do it all the time.  Most Network IDS & IPS systems can capture 
> the offending packet.  Many can capture the offending packet, PLUS the 
> rest of the session (which is what we at NFR do).  I haven't seen any 
> that can guarantee capturing the entire session from beginning to end, 
> unless they were capturing EVERY session (regardless of whether 
> something bad happened in that session).  Here's an example:
>
> I login via ftp.  I stay logged in for 10 minutes, browsing around, 
> downloading some large benign files, but doing nothing bad.  Then, I try 
> to get /etc/password.  Boom I trigger an alert.  10 minutes of packets 
> are long gone... potentially many, MANY MegaBytes of data have passed 
> during a single session.  On a gigabit network, 10 minutes is an 
> EXTREMELY long time.  Unless your IDS or IPS is recording EVERY SINGLE 
> packet for great lengths of time, to a hard disk somewhere, it will be 
> all but impossible to go back in time and recreate the full session from 
> beginning to end.  Starting recording from triggertime is easy, and I 
> believe a lot of IDS and IPS systems do this.
>
>
> Having said that, it IS possible to use some third party utility to do 
> something similar to what you want, but even then there's still no 
> guarantee: TCP sessions can stay open for hours and hours if necessary.  
> For example, I can setup a box to do nothing but run tcpdump on the same 
> wire I am doing IDS/IPS on, with a huge hard drive.  Let's say a 128GB 
> drive.  If I'm monitoring a fully saturated 100Mbps, I will fill up that 
> hard drive in just under 3 hours.  I can easily keep a session open for 
> 3 hours before doing something... "bad".  Plus, as network speeds 
> increase, you will not be able to write your raw network data to that 
> hard drive fast enough (or read it fast enough if alert rates are high.
>
> -dave
>
> David W. Goodrum
> Senior Systems Engineer
> NFR Security, Intrusion Detection & Prevention
> http://www.nfr.com
>
>
>
>
>
> Raj Malhotra wrote:
>
>  
>
> > Hello all,
> >
> > We are evaluating available NIDS products which would work at 100 mbps
> > and would also do "session logging". By "session logging", we would
> > want the IDS to log the "entire session" and not just the session
> > "after" an intrusion is detected.
> >
> > We saw a couple of IDS which would probably be able to do something like this,
> > Cisco IDS
> > Intrushield
> >
> > Cisco offers session logging as well as replay.
> > Intrushield says something like "Highly customized capture of
> > individual packet, individual session, specific source/destination, or
> > entire traffic stream upon attack detection" which might be translated
> > as "logging of the session only after an attack has been detected".
> >
> > Can anyone tell us more about these or any such IDS that are available
> > which can  log the entire session.
> > Also, has anyone used any of these and with what degree of success?
> > You can mail us back off the list if you so wish so.
> >
> > thanks
> > Raj
> >
> >
> >    

--
David W. Goodrum
Senior Systems Engineer
NFR Security
703.731.3765