Snort mailing list archives

RE: (no subject)


From: "Beckett, Josh" <JBeckett () enviance com>
Date: Tue, 8 Oct 2002 13:38:04 -0700

Comments inline...


At 02:57 PM 10/8/2002 +0000, counterping () uk2 net wrote:
I have recently been interested in also logging ALL traffic that comes 
in/out my network via TCPDUMP (ip headers at least). This is really for 
the purpose of Forensics etc etc and would be cool to zip up
and store away.


Hope you have a lot of time on your hands...not to mention that you now
have the burden of proof of data integrity.  This becomes quite a chore
where SHADOW is involved, as you now have another set of devices to
secure as well as logs and data that can possibly be tampered with,
stolen, erased, lost, or crashed.

In the future I would also like to install SHADOW at some point to run 
these dumps for anomalies.


If you have any sizeable traffic, you need a LOT of storage and a very
powerful machine to parse the logs in SHADOW.

However, the amount of data is silly !! 200 MB per HOUR !! This is far 
too much data to log and store away ?


This is true...now add multiple sensors for an organization with
multiple sites.

My question being ....
Does anyone log ALL IP Headers IN+OUT of their Networks ? Should we be 
doing this ? Is it a good idea to take this approach ? Any ideas or 
suggestions would be appreciated.


Yeah, some organizations do this...but you have to be VERY paranoid
about what goes in and out of your network and it is, as you mentioned,
a forensics tool.  SHADOW is mainly geared for catching "slow and low"
attacks.  [Think of an attacker trying to map your network with a single
probe every 8 hours to 24 hours.]  In an organization of any size this
often takes multiple people with PLENTY of time to waste on poring over
mostly worthless traffic that is created due to normal network activity.

You can do a lot with filtering traffic on your SHADOW sensors, but the
ultimate goal is to catch "interesting" traffic.  Internal to the
organization this is often easier than on the external connection.
Typically if you are using SHADOW, you are paranoid enough about
internal and external threats, that ALL traffic in and out of the
external connection is "interesting" and then your logs get large,
parsing them takes time, and reviewing them takes even more time, not to
mention an intimate familiarity with the network infrastructure as to be
able to interpret the data.  [I can't imagine who would have this much
time and resources to waste....can you? ;) ]

For my time and money, I'll take snort's ability to log payload in a
more of an on-demand capacity...when something that _I_ say is bad is
happening, then and only then do I care about the traffic and the
payload within that traffic.

Little Confused
Matt Y P.

P.S. Anyone know of any TCPDUMP mailing lists ?


J-
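The thread raises two practical problems with header-only full capture: the volume of data it produces and the burden of proving later that the stored dumps were not altered. The script below is an added example, not code from either poster or from the Snort or SHADOW projects. It assumes a modern tcpdump (4.x or later, which has the `-G` time-based rotation and `-z` post-rotate hook), a POSIX shell, gzip, and either `sha256sum` or `shasum`; the `seal-capture.sh` wrapper name passed to `-z` is a hypothetical script that would source this file and call `seal_capture` on the finished file. It builds the capture command line, estimates daily on-disk size for a given packet rate and snaplen, and seals each rotated file by compressing it and recording its digest in an append-only manifest that can be re-checked afterwards.

```shell
#!/bin/sh
# Added example (not from the thread): header-only rotating capture with
# post-rotate sealing, so each finished pcap has a recorded SHA-256 digest.
set -u

# Directory that receives the integrity manifest. Constructed default;
# export SEAL_DIR before sourcing this file to override it.
: "${SEAL_DIR:=${TMPDIR:-/tmp}/pcap-seal}"

# Print the tcpdump command for a header-only, time-rotated capture.
# $1 interface, $2 snaplen in bytes, $3 rotate interval in seconds,
# $4 output file prefix. -s limits each record to the first N bytes
# (enough for Ethernet + IP + TCP headers at 96), -G rotates the file on
# the interval, -w takes strftime(3) escapes when -G is used, and -z runs
# the named command with the finished file as its argument.
# "seal-capture.sh" is a hypothetical wrapper that calls seal_capture.
build_capture_cmd() {
  printf 'tcpdump -n -i %s -s %s -G %s -w %s-%%Y%%m%%d-%%H%%M%%S.pcap -z seal-capture.sh\n' \
    "$1" "$2" "$3" "$4"
}

# Estimate daily on-disk size in MB before compression for a header-only
# capture: $1 packets per second, $2 snaplen. Each record costs snaplen plus
# the 16-byte pcap per-packet header; the 24-byte file header is ignored.
estimate_daily_mb() {
  pps=$1; snaplen=$2
  echo $(( pps * (snaplen + 16) * 86400 / 1048576 ))
}

# SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Post-rotate handler: compress the finished pcap, append its digest and a
# UTC timestamp to the manifest, and make the archive read-only. Prints the
# digest so a caller can log it elsewhere (e.g. a remote syslog host).
seal_capture() {
  f=$1
  mkdir -p "$SEAL_DIR"
  gzip -f "$f" || return 1
  gz="$f.gz"
  digest=$(sha256_of "$gz")
  printf '%s  %s  %s\n' "$digest" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$gz" \
    >> "$SEAL_DIR/manifest.sha256"
  chmod 0444 "$gz"
  echo "$digest"
}

# Re-check a sealed archive against the manifest. Prints "ok" and returns 0
# when the current digest matches the recorded one; otherwise prints
# "TAMPERED" and returns 1.
verify_capture() {
  gz=$1
  recorded=$(grep -F "  $gz" "$SEAL_DIR/manifest.sha256" 2>/dev/null | tail -n 1 | cut -d' ' -f1)
  current=$(sha256_of "$gz")
  if [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
    echo ok; return 0
  fi
  echo TAMPERED; return 1
}
```

The manifest only proves integrity relative to itself, so copy it (or the digests `seal_capture` prints) to a host the sensor cannot write to; a sensor that is compromised can rewrite both the archive and a local manifest. Running `estimate_daily_mb` with a realistic packet rate for the link is the quickest way to see whether a 96-byte snaplen brings the volume down to something a SHADOW parser and a disk budget can absorb.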

