IDS mailing list archives
RE: session logging IDS
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 14 Sep 2004 10:40:53 +0100
--On 13 September 2004 12:52 -0400 "Murtland, Jerry" <MurtlandJ () Grangeinsurance com> wrote:
I'm more interested in tethereal and how you say it can go back per the 'tag' keyword. I'd have to try it out to see how this works, but are you saying you can go back and review packets previous from when the sniffer was enabled?
I proposed /two/ separate solutions.The first was to use Snort's 'tag' keyword, which will log all packets *following* the alert-generating packet from the source host or in the session for a admin-definable period *after* the alert is generated.
The second solution was to build something around tethereal; arrange for tethereal to capture to a pair of ring buffer files, rotating every n minutes (tethereal can do this part out-of-the-box, for anyone who's not familiar with it). Then use Snort flexresp or something (maybe even a new output plugin) to send a signal to tethereal's controlling process (i.e. the part that needs to be written) which makes it kill the present tethereal process, preserve the current pair of ring buffer files (thus giving at at least n minutes and at most 2n minutes capture history) and have a new tethereal process capture to a new file until it receives a second signal from snort, it runs out of disc, or some time period expires according to taste. Easy enough to DIY, but there's nothing out there right now that does it (to my knowledge). This approach has the advantage of not needing too much disc space, but being able to provide a capture history from a point *before* alerts are generated.
Jerry J. Murtland
Best Regards, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- RE: session logging IDS Bob Walder (Aug 31)
- <Possible follow-ups>
- Re: session logging IDS Richard Bejtlich (Aug 31)
- Re: session logging IDS Tod Beardsley (Sep 01)
- Re: session logging IDS David W. Goodrum (Sep 01)
- Re: session logging IDS Stefan Keller (Sep 01)
- Re: session logging IDS Bamm Visscher (Sep 02)
- Re: session logging IDS Alex Butcher, ISC/ISYS (Sep 05)
- Re: session logging IDS Andy Cuff (Sep 06)
- RE: session logging IDS Paine, Steve (Sep 05)
- RE: session logging IDS Murtland, Jerry (Sep 14)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 14)
- RE: session logging IDS Bill Royds (Sep 15)
- RE: session logging IDS Prabhat Singh (Sep 15)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 15)
- RE: session logging IDS BĂ©noni MARTIN (Sep 15)
- RE: session logging IDS brennan stewart (Sep 16)