IDS mailing list archives
Re: How to choose an IDS/FW MSS provider
From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 12 Mar 2005 18:02:01 -0500
On Sat, 12 Mar 2005 17:29:15 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
> First, "recording everything" is not what IDS's were EVER meant for, IMHO. If you want to record everything try tcpdump with lots of hard disk space. :) It would be great if everybody just ran tcpdump on terabyte drives, and let IPS systems stop worrying about those things. I just don't think it's ever going to happen.
>
> -dave
Hi Dave,

You make several good points. Remember that network audit is not confined to full content data in libpcap format. Session data (aka flows, conversations) can often save the day when scoping an incident, and it's immune to encryption. :) That's why I spend one chapter on "IDSs" in my book and several others on session data, full content data, and statistical data.

While I admit those in large bandwidth environments are not going to easily save large amounts of full content data, whatever you can grab helps. Even in large bandwidth environments session data can be fairly easily recorded. Statistical data is even easier. Starting ten years ago in the Air Force we used ASIM to collect select full content data and all session data, and generated alerts independent of those records. People using Sguil today are doing the same thing.

Sincerely,

Richard
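The reply above distinguishes three kinds of network audit data: full content (libpcap), session data (flows, conversations) and statistical data. The following script is an added example, not code from this thread nor from Sguil or ASIM; it aggregates constructed packet header records into bidirectional session records, then answers the two questions the reply raises: which peers a host talked to when scoping an incident, and who the top talkers are. Only header fields are used, which is why the result is the same whether or not the payload was encrypted. The packet records, addresses and function names are all assumptions made for the demonstration.

```python
"""Session (flow) records from packet metadata.

Added example, not code from the original thread or from Sguil/ASIM. The
packet records below are constructed for the demonstration; only the
headers are used, so the output is identical for encrypted payloads.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    """One bidirectional conversation; client is the side that sent the first packet."""
    start: float
    end: float
    client: str
    server: str
    sport: int
    dport: int
    proto: str
    pkts_out: int = 0    # client -> server
    bytes_out: int = 0
    pkts_in: int = 0     # server -> client
    bytes_in: int = 0


# Constructed packet metadata (assumption, not captured traffic):
# (timestamp, src_ip, src_port, dst_ip, dst_port, proto, ip_length)
PACKETS = [
    (1000.0, "10.1.1.5", 51000, "203.0.113.9", 443, "tcp", 60),
    (1000.1, "203.0.113.9", 443, "10.1.1.5", 51000, "tcp", 60),
    (1000.2, "10.1.1.5", 51000, "203.0.113.9", 443, "tcp", 1460),
    (1000.3, "203.0.113.9", 443, "10.1.1.5", 51000, "tcp", 1460),
    (1001.0, "10.1.1.5", 51001, "198.51.100.20", 22, "tcp", 60),
    (1001.1, "198.51.100.20", 22, "10.1.1.5", 51001, "tcp", 60),
    (1002.0, "10.1.1.7", 40000, "203.0.113.9", 443, "tcp", 60),
    (1002.5, "10.1.1.5", 53022, "10.1.1.1", 53, "udp", 70),
    (1002.6, "10.1.1.1", 53, "10.1.1.5", 53022, "udp", 120),
]


def session_key(src, sport, dst, dport, proto):
    """Canonical bidirectional key: the lower (ip, port) pair is placed first so
    both directions of a conversation map to the same record."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def build_sessions(packets):
    """Aggregate packet headers into session records (flow-collector style)."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, length in packets:
        key = session_key(src, sport, dst, dport, proto)
        s = sessions.get(key)
        if s is None:
            # First packet seen defines the client (initiator) side.
            s = Session(ts, ts, src, dst, sport, dport, proto)
            sessions[key] = s
        s.end = max(s.end, ts)
        if (src, sport) == (s.client, s.sport):
            s.pkts_out += 1
            s.bytes_out += length
        else:
            s.pkts_in += 1
            s.bytes_in += length
    return list(sessions.values())


def peers_of(sessions, host):
    """Incident scoping: every endpoint a host talked to, as
    (peer_ip, service_port, proto) -> [bytes host sent, bytes host received]."""
    peers = defaultdict(lambda: [0, 0])
    for s in sessions:
        if s.client == host:
            peers[(s.server, s.dport, s.proto)][0] += s.bytes_out
            peers[(s.server, s.dport, s.proto)][1] += s.bytes_in
        elif s.server == host:
            peers[(s.client, s.dport, s.proto)][0] += s.bytes_in
            peers[(s.client, s.dport, s.proto)][1] += s.bytes_out
    return dict(peers)


def top_talkers(sessions, n=3):
    """Statistical data: hosts ranked by total bytes in both directions."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s.client] += s.bytes_out + s.bytes_in
        totals[s.server] += s.bytes_out + s.bytes_in
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    sess = build_sessions(PACKETS)
    for s in sess:
        print(f"{s.proto} {s.client}:{s.sport} -> {s.server}:{s.dport} "
              f"out={s.pkts_out}/{s.bytes_out}B in={s.pkts_in}/{s.bytes_in}B "
              f"dur={s.end - s.start:.1f}s")
    print("peers of 10.1.1.5:", peers_of(sess, "10.1.1.5"))
    print("top talkers:", top_talkers(sess))
```

Each session record is a few dozen bytes regardless of how much payload crossed the wire, which is the storage argument the reply makes for keeping session data even where full content capture is impractical; the scoping query on a single host runs over those records without ever touching packet contents.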