IDS mailing list archives

Re: Full Packet Capture - User Requirements


From: Dr Bit Bucket <drbitbucket () comcast net>
Date: Wed, 21 Jul 2004 21:00:32 -0600

Hi Andy,

Immediate user requirements generally don't factor into the picture. Intrusion Detection and Incident Response definitely do. You might be able to use the data to draw some conclusions about trends and active services, though, and present them to users or management.

Simply using tcpdump, you have to rotate the processes every hour (tcpdump barfs if it runs for too long).
Here are the two types of data captures you want:

Full content: tcpdump -s 1524...
Headers: tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0 ...

Full content may be too much for all ports in most environments. You may have to be very selective about the kinds of ports where you get your most bang for your bit.

You use the headers to narrow down what you want to look for in detail in the full content. In addition, it is very useful to determine the scope of an attack or compromise using the headers: what other machines did this hostile hit, how long did they log in for, I see this backdoor in use from hostile A and hey, looks like a new hostile B is also using it too.

Retention of the headers should be a year or so, since the data compresses well. Full content depends upon your network, but I've found that if you haven't caught an incident within 60 days, you probably won't catch it at all. But then again, I've looked at incidents where I was searching the header data set as far back as 8 months.

Keeping files in pcap format should be sufficient, since you can just use tcpdump or ethereal/tethereal to analyze the data.

Jon Repaci, GCIA, CISSP
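The two capture tiers and retention periods from the reply above, written up as an added shell example that is not part of the original message: it uses tcpdump's own hourly file rotation (-G 3600, with gzip as the post-rotate command) instead of restarting the process by hand, and sweeps old files on the 60-day and one-year schedule. The interface, capture directory, file prefixes and the 96-byte header snaplen are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Two long-lived tcpdump
# processes, one per tier, each rotating its own output file every hour.
IFACE="${IFACE:-eth0}"          # assumed capture interface
CAPDIR="${CAPDIR:-/var/capture}" # assumed capture directory
FULL_DAYS=60                     # full content: 60 days, per the post
HDR_DAYS=365                     # headers: about a year, per the post

# Full-content tier: whole packets (-s 1524 as in the post), hourly files,
# gzip each file once it is rotated. $1 is an optional BPF expression to
# limit capture to the ports that give the most bang for the bit.
full_content_cmd() {
    printf 'tcpdump -i %s -n -s 1524 -G 3600 -w %s/full-%%Y%%m%%d-%%H%%M.pcap -z gzip %s' \
        "$IFACE" "$CAPDIR" "$1"
}

# Header tier: only TCP packets with SYN, FIN or RST set (the filter from
# the post), truncated to 96 bytes so payload is not written (assumption).
header_cmd() {
    printf "tcpdump -i %s -n -s 96 -G 3600 -w %s/hdr-%%Y%%m%%d-%%H%%M.pcap -z gzip 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'" \
        "$IFACE" "$CAPDIR"
}

# Start one tier in the background and record its pid. $1 is "full" or
# "hdr"; $2 is the optional BPF filter for the full tier.
start_tier() {
    case "$1" in
        full) cmd=$(full_content_cmd "$2") ;;
        hdr)  cmd=$(header_cmd) ;;
        *)    echo "unknown tier: $1" >&2; return 1 ;;
    esac
    sh -c "$cmd" &
    echo $! > "$CAPDIR/$1.pid"
}

# Retention sweep: delete rotated, compressed files older than N days.
# $1: directory, $2: file prefix (full or hdr), $3: days to keep.
prune_captures() {
    find "$1" -name "$2-*.pcap.gz" -type f -mtime +"$3" -exec rm -f {} +
}

# Typical use (requires root and a real interface), e.g. from cron:
#   start_tier full 'port 80 or port 25'; start_tier hdr
#   prune_captures "$CAPDIR" full "$FULL_DAYS"; prune_captures "$CAPDIR" hdr "$HDR_DAYS"
```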


At 1:15 PM +0100 7/16/04, Andy Cuff wrote:
Hi,
I was wondering whether anyone had explored the creation of The User
Requirements for a Full Packet Capture Capability.
Looking at things such as
Duration of Retention separating both headers and Data
Bandwidth issues surrounding remote collation
Streams
Unique Selling Points
etc etc
I will tackle presentation through a protocol analyser separately, though it
is relevant in how the raw packet capture is stored.

Solutions will be tackled on a separate subject heading in order to
differentiate between the 2

cheers in advance
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com

