IDS mailing list archives
Re: session logging IDS
From: Tod Beardsley <todb () planb-security net>
Date: Tue, 31 Aug 2004 09:37:49 -0500
Raj Malhotra wrote:
> We definitely agree with David's and your observation that session logging is not the goal of an IDS. [...] could you please suggest some
> tools for session logging?

So, basically, you'd like to record all network traffic, since you will never know if an attack will take place during a given time period.
At that point, it comes down to merely logging everything with a device that can keep up with your throughput requirements and have enough storage to retain whatever time slice you need. As David intimated, no IDS/IPS product will do this.
I'm sure you could rig up a tcpdump solution with regular log rotations. If you're not concerned with data content, and just want to watch traffic patterns, the US Navy's Shadow[1] is worth looking into.
You might also want to peruse the Honeynet Project[2]; if you deploy a device that sees no legitimate traffic, then deciding what to log becomes a lot easier, as nearly all traffic flowing to/from the honeypot device is suspicious.
[1] Shadow Documentation: http://www.nswc.navy.mil/ISSEC/CID/Install3-MS.htm
[2] Honeynet Project Home Page: http://www.honeynet.org/tools/index.html

--
Tod Beardsley | www.planb-security.net
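As an added example (not from Tod's post, nor from Shadow or the Honeynet tools), here is a POSIX shell sketch of the "tcpdump with regular log rotations" approach: it sizes a capture ring buffer from the link rate and the retention window the post talks about, and builds the matching tcpdump rotation arguments. The interface name, capture directory and file sizes are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: size a full-packet-capture ring buffer
# for the "tcpdump with log rotation" approach and build the matching
# tcpdump arguments. Interface, directory and sizes are placeholders.

# Worst-case storage, in MB (10^6 bytes, the unit tcpdump -C uses), to keep
# RETAIN_HOURS of traffic on a link that runs flat out at LINK_MBPS.
capture_budget_mb() {
    link_mbps=$1
    retain_hours=$2
    # Mbit/s -> MB/s is a divide by 8; multiply by seconds retained.
    echo $(( link_mbps * retain_hours * 3600 / 8 ))
}

# Number of rotation files needed so that FILE_MB-sized files cover BUDGET_MB
# (rounded up so the ring never holds less than the retention window).
ring_files() {
    budget_mb=$1
    file_mb=$2
    echo $(( (budget_mb + file_mb - 1) / file_mb ))
}

# tcpdump argument list for a size-based ring buffer: full snaplen (-s 0),
# no name resolution (-n), a new file every FILE_MB (-C) and at most NFILES
# files, after which tcpdump wraps around and overwrites the oldest (-W).
# Note: -W only wraps with -C; combined with time-based -G it exits instead.
tcpdump_args() {
    iface=$1
    capdir=$2
    file_mb=$3
    nfiles=$4
    printf '%s' "-n -i $iface -s 0 -C $file_mb -W $nfiles -w $capdir/trace.pcap"
}

# Start the capture (needs root or CAP_NET_RAW, and tcpdump on PATH).
start_capture() {
    iface=$1; capdir=$2; link_mbps=$3; retain_hours=$4; file_mb=${5:-1000}
    budget=$(capture_budget_mb "$link_mbps" "$retain_hours")
    nfiles=$(ring_files "$budget" "$file_mb")
    mkdir -p "$capdir"
    echo "capturing $link_mbps Mbit/s for ${retain_hours}h: $nfiles x ${file_mb}MB" >&2
    # shellcheck disable=SC2046  # word-splitting the argument list is intended
    exec tcpdump $(tcpdump_args "$iface" "$capdir" "$file_mb" "$nfiles")
}

# Only run when invoked explicitly, e.g. RUN_CAPTURE=1 ./capture.sh
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    start_capture eth0 /var/log/pcap 100 24
fi
```

For a 100 Mbit/s link kept for 24 hours this yields a ring of 1080 files of 1000 MB (about 1.08 TB), which is the storage the post says the logging device must actually have.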