Re: session logging IDS

[Richard Bejtlich <taosecurity () gmail com>]

Raj Malhotra wrote:

...we would like to know the events that led to a successful intrusion
and not just whether an intrusion took place or not. We will not be
able to formulate better policies if we are unaware of the sequence of
events that leed to an intrusion.

could you please suggest some tools for session logging? 

--

Raj,

Consider looking at Sguil (www.sguil.net).  

You speak of "session logging" with respect to logging packet
contents, but we use a different term -- full content data.

Sguil is an interface and a method to integrate the following:

1.  Snort generates alert data ("IDS alerts")
2.  SANCP (www.metre.net) logs sessions, meaning a summary of a
conversation (src IP, src port, dst IP, dst port, protocol, time,
packet and byte counts, TCP flags) for TCP, UDP, and ICMP
3.  A second instance of Snort logs full content data in libpcap form

The third item is what you call "session data."

When you take the three types of network evidence and add in
statistical data, you've got Network Security Monitoring. [0]

The Sguil team agrees with your sentiments!  It's easy to evade every
IDS ever built or that will be built.  Alert data is a helpful
indicator of intrusion, but it's not the end of an incident
investigation -- it's the beginning.  Often session or full content
data is the only way to hope to have a means of detecting an advanced
intruder or validating that an intrusion took place.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.taosecurity.com/books.html