IDS mailing list archives
Re: session logging IDS
From: Richard Bejtlich <taosecurity () gmail com>
Date: Tue, 31 Aug 2004 07:22:50 -0400
Raj Malhotra wrote:

> ...we would like to know the events that led to a successful intrusion and not just whether an intrusion took place or not. We will not be able to formulate better policies if we are unaware of the sequence of events that led to an intrusion. Could you please suggest some tools for session logging?

--

Raj,

Consider looking at Sguil (www.sguil.net). You speak of "session logging" with respect to logging packet contents, but we use a different term -- full content data. Sguil is an interface and a method to integrate the following:

1. Snort generates alert data ("IDS alerts")
2. SANCP (www.metre.net) logs sessions, meaning a summary of a conversation (src IP, src port, dst IP, dst port, protocol, time, packet and byte counts, TCP flags) for TCP, UDP, and ICMP
3. A second instance of Snort logs full content data in libpcap form

The third item is what you call "session data." When you take the three types of network evidence and add in statistical data, you've got Network Security Monitoring. [0]

The Sguil team agrees with your sentiments! It's easy to evade every IDS ever built or that will be built. Alert data is a helpful indicator of intrusion, but it's not the end of an incident investigation -- it's the beginning. Often session or full content data is the only way to hope to have a means of detecting an advanced intruder or validating that an intrusion took place.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.taosecurity.com/books.html
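The session record Richard describes in item 2, shown as an added example that is neither SANCP's nor Sguil's code: a small Python flow aggregator that folds packets into bidirectional conversation summaries (endpoints, protocol, start/end time, per-direction packet and byte counts, TCP flags) and then pivots from an alert's host and time window to the sessions that touched it, which is the "sequence of events" view the question asks for. The packet tuples are constructed sample data, not captured traffic.

```python
from dataclasses import dataclass, field

# Constructed sample packets (not captured traffic): (epoch time, proto, src, sport, dst, dport, bytes, TCP flags)
PACKETS = [
    (1093947770.0, "tcp", "10.0.0.5", 34567, "192.0.2.10", 22, 60, "S"),
    (1093947770.1, "tcp", "192.0.2.10", 22, "10.0.0.5", 34567, 60, "SA"),
    (1093947770.2, "tcp", "10.0.0.5", 34567, "192.0.2.10", 22, 52, "A"),
    (1093947771.0, "tcp", "10.0.0.5", 34567, "192.0.2.10", 22, 500, "PA"),
    (1093947775.0, "tcp", "10.0.0.5", 34567, "192.0.2.10", 22, 52, "FA"),
    (1093947780.0, "udp", "10.0.0.5", 5353, "192.0.2.53", 53, 70, ""),
    (1093947781.0, "udp", "192.0.2.53", 53, "10.0.0.5", 5353, 120, ""),
    (1093947790.0, "icmp", "10.0.0.9", 0, "192.0.2.10", 0, 84, ""),
]

@dataclass
class Session:
    # One conversation summary carrying the fields the post lists for session data.
    proto: str
    src: str          # initiator: source of the first packet seen
    sport: int
    dst: str
    dport: int
    start: float
    end: float
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0
    flags: set = field(default_factory=set)   # union of TCP flags seen, either direction

def build_sessions(packets):
    """Fold packets into bidirectional sessions keyed by protocol and endpoint pair."""
    sessions = {}
    for ts, proto, src, sport, dst, dport, length, flags in packets:
        key = (proto, frozenset({(src, sport), (dst, dport)}))
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = Session(proto, src, sport, dst, dport, ts, ts)
        s.end = max(s.end, ts)
        if (src, sport) == (s.src, s.sport):   # initiator -> responder
            s.src_pkts, s.src_bytes = s.src_pkts + 1, s.src_bytes + length
        else:                                   # responder -> initiator
            s.dst_pkts, s.dst_bytes = s.dst_pkts + 1, s.dst_bytes + length
        s.flags.update(flags)
    return sorted(sessions.values(), key=lambda s: s.start)

def sessions_touching(sessions, host, t_from, t_to):
    """Pivot from an alert: sessions involving `host` that overlap [t_from, t_to]."""
    return [s for s in sessions
            if host in (s.src, s.dst) and s.start <= t_to and s.end >= t_from]
```

Running `sessions_touching(build_sessions(PACKETS), "192.0.2.10", 1093947760, 1093947800)` returns the SSH conversation and the ICMP probe against that host while leaving out the unrelated DNS exchange, which is how session data narrows an investigation before full content data is pulled.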