Snort mailing list archives
RE: (no subject)
From: "Beckett, Josh" <JBeckett () enviance com>
Date: Tue, 8 Oct 2002 13:38:04 -0700
Comments inline... At 02:57 PM 10/8/2002 +0000, counterping () uk2 net wrote:
> I have recently been interested in also logging ALL traffic that comes in/out of my network via TCPDUMP (IP headers at least). This is really for the purpose of forensics etc. and would be cool to zip up and store away.
Hope you have a lot of time on your hands...not to mention that you now have the burden of proof of data integrity. This becomes quite a chore where SHADOW is involved, as you now have another set of devices to secure as well as logs and data that can possibly be tampered with, stolen, erased, lost, or crashed.
> In the future I would also like to install SHADOW at some point to run these dumps for anomalies.
If you have any sizeable traffic, you need a LOT of storage and a very powerful machine to parse the logs in SHADOW.
> However, the amount of data is silly!! 200 MB per HOUR!! This is far too much data to log and store away?
This is true...now add multiple sensors for an organization with multiple sites.
> My question being... Does anyone log ALL IP headers IN+OUT of their networks? Should we be doing this? Is it a good idea to take this approach? Any ideas/suggestions would be appreciated.
Yeah, some organizations do this...but you have to be VERY paranoid about what goes in and out of your network, and it is, as you mentioned, a forensics tool. SHADOW is mainly geared for catching "slow and low" attacks. [Think of an attacker trying to map your network with a single probe every 8 hours to 24 hours.] In an organization of any size this often takes multiple people with PLENTY of time to waste on poring over mostly worthless traffic that is created by normal network activity. You can do a lot with filtering traffic on your SHADOW sensors, but the ultimate goal is to catch "interesting" traffic. Internal to the organization this is often easier than on the external connection. Typically, if you are using SHADOW, you are paranoid enough about internal and external threats that ALL traffic in and out of the external connection is "interesting", and then your logs get large, parsing them takes time, and reviewing them takes even more time, not to mention an intimate familiarity with the network infrastructure so as to be able to interpret the data. [I can't imagine who would have this much time and resources to waste....can you? ;) ] For my time and money, I'll take snort's ability to log payload in more of an on-demand capacity...when something that _I_ say is bad is happening, then and only then do I care about the traffic and the payload within that traffic.
> Little Confused, Matt Y P.
> P.S. Anyone know of any TCPDUMP mailing lists?
J-
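A defender-side illustration of the "slow and low" case Josh describes, added here as an example and not part of the original thread: it parses constructed tcpdump-style header lines (the addresses, dates, line format and thresholds are all assumptions) and flags sources that touch many distinct targets at a rate of roughly one probe every several hours, which a per-minute rate alarm would never see.

```python
"""Flag 'slow and low' probing in header-only capture output."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in tcpdump -tttt style; not a real capture.
# 203.0.113.5 touches five hosts on port 22 over ~35 hours (one probe per ~9 h);
# 198.51.100.7 is ordinary bursty traffic to a single host and should not match.
SAMPLE = """\
2002-10-07 01:12:03.000100 IP 203.0.113.5.40001 > 192.0.2.10.22: Flags [S], seq 1
2002-10-07 09:40:21.000100 IP 203.0.113.5.40002 > 192.0.2.11.22: Flags [S], seq 1
2002-10-07 18:05:44.000100 IP 203.0.113.5.40003 > 192.0.2.12.22: Flags [S], seq 1
2002-10-08 02:30:09.000100 IP 203.0.113.5.40004 > 192.0.2.13.22: Flags [S], seq 1
2002-10-08 11:55:30.000100 IP 203.0.113.5.40005 > 192.0.2.14.22: Flags [S], seq 1
2002-10-08 12:00:00.000100 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 1
2002-10-08 12:00:00.000200 IP 198.51.100.7.51001 > 192.0.2.10.443: Flags [S], seq 1
2002-10-08 12:00:01.000100 IP 198.51.100.7.51002 > 192.0.2.10.80: Flags [S], seq 1
"""

# Only initial SYNs count as "probes"; everything else is ignored.
LINE = re.compile(r"^(\S+ \S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")


def find_slow_scanners(text, min_targets=4, min_span=timedelta(hours=12),
                       min_gap=timedelta(hours=1)):
    """Return {src: stats} for sources whose probes are spread thinly over a
    long window: many distinct (dst, port) pairs, a span of at least min_span,
    and an average inter-probe gap of at least min_gap."""
    by_src = defaultdict(lambda: {"targets": set(), "times": []})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        rec = by_src[m.group(2)]
        rec["targets"].add((m.group(4), int(m.group(5))))
        rec["times"].append(ts)

    hits = {}
    for src, rec in by_src.items():
        times = sorted(rec["times"])
        span = times[-1] - times[0]
        if len(times) < 2 or len(rec["targets"]) < min_targets or span < min_span:
            continue
        mean_gap = span / (len(times) - 1)
        if mean_gap >= min_gap:
            hits[src] = {"targets": len(rec["targets"]),
                         "span_hours": round(span.total_seconds() / 3600, 1),
                         "mean_gap_hours": round(mean_gap.total_seconds() / 3600, 1)}
    return hits


if __name__ == "__main__":
    for src, stats in find_slow_scanners(SAMPLE).items():
        print(src, stats)
```

The thresholds are deliberately coarse; on real header logs the window would be days, not hours, which is exactly why the storage cost Josh mentions matters.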