IDS mailing list archives

Re: session logging IDS


From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Thu, 02 Sep 2004 09:04:28 +0100



--On 30 August 2004 18:04 -0400 "David W. Goodrum" <dgoodrum () nfr com> wrote:

> Hmmmm, I would like verification that either Cisco or Intrushield (or any
> other IDS/IPS) can actually capture an entire session from beginning to
> end, when the alert was triggered somewhere in the middle, and that they
> can do it all the time.

That would certainly be a new feature for Cisco's offering since the last time I worked with it (mid-2002).

The only other things that I've seen that are relevant are Niksun's NetVCR and Snort/sourcefire. At the moment, out of the box, Snort can only capture subsequent packets in a session or from a source host *after* the alert-triggering packet (using the 'tag' keyword). I'm currently extending ACID and FLoP to allow pcap files of tagged alerts to be downloaded from ACID for analysis using Ethereal or other tools.

The other thing I thought of, after being inspired by Niksun's product, was to arrange for tethereal to dump to a pair of files (i.e. a double buffer), switching every n minutes. It would then be possible to arrange for an IDS to send a signal to tethereal (or rather, some controlling process) when it generated an interesting alert, telling tethereal to preserve the previous dump file, and continue logging to the current one until further notice, giving you up to at least n minutes of reverse 'time travel'.

> -dave
>
> David W. Goodrum

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
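The double-buffer "controlling process" sketched in Alex's message, written out as an added example (this is not code from the original post, nor anything shipped with tethereal, ACID or FLoP). It assumes tethereal as the writer, two slot files under /var/tmp, SIGUSR1 as the "alert" signal and SIGUSR2 as the "further notice" that lets rotation resume; all of those are the example's own choices. The `scenario()` function exercises the state machine on constructed slot contents so the logic can be checked without a capture interface.

```python
#!/usr/bin/env python3
"""Double-buffered capture controller (added example, not from the original post).

Two slot files are written alternately; every `interval` seconds the writer
switches to the other slot, overwriting it. When the IDS signals an alert
(SIGUSR1, an assumed convention) the slot just finished, i.e. the n minutes
before the alert, is copied to an archive directory so it survives the next
switch, and rotation is suspended so the current slot keeps growing until a
resume signal (SIGUSR2, also assumed) arrives. tethereal is the assumed
writer; any command that takes `-i iface -w outfile` works.
"""
import os
import shutil
import signal
import subprocess
import sys
import tempfile
import time


class DoubleBuffer:
    """State machine for the two-slot ring with an alert hold."""

    def __init__(self, slot_a, slot_b, archive_dir):
        self.slots = (slot_a, slot_b)
        self.archive_dir = archive_dir
        self.current = 0          # index of the slot being written now
        self.hold = False         # True from alert until resume
        self.archived = []        # preserved copies, oldest first
        self._seq = 0

    def active_path(self):
        return self.slots[self.current]

    def previous_path(self):
        return self.slots[1 - self.current]

    def rotate(self):
        """Slot time is up: switch slots, unless an alert has put us on hold."""
        if not self.hold:
            self.current = 1 - self.current
        return self.active_path()

    def on_alert(self):
        """IDS alert: preserve the previous slot now, before it gets overwritten."""
        if os.path.exists(self.previous_path()):
            self._archive(self.previous_path())
        self.hold = True
        return self.hold

    def on_resume(self):
        """Further notice: preserve the slot holding the alert itself, resume rotation."""
        if os.path.exists(self.active_path()):
            self._archive(self.active_path())
        self.hold = False
        return self.hold

    def _archive(self, path):
        os.makedirs(self.archive_dir, exist_ok=True)
        self._seq += 1
        dest = os.path.join(self.archive_dir, f"{self._seq:04d}-{os.path.basename(path)}")
        shutil.copy2(path, dest)   # pcap is append-only, so a mid-write copy is still readable
        self.archived.append(dest)
        return dest


def run(buf, interval, iface, capture_cmd=("tethereal",)):
    """Drive the ring: restart the writer on each slot switch; signals steer the state."""
    signal.signal(signal.SIGUSR1, lambda *_: buf.on_alert())
    signal.signal(signal.SIGUSR2, lambda *_: buf.on_resume())
    while True:
        proc = subprocess.Popen([*capture_cmd, "-i", iface, "-w", buf.active_path()])
        try:
            while True:
                time.sleep(interval)
                if not buf.hold:
                    break          # slot time is up and no hold: switch slots
        finally:
            proc.terminate()
            proc.wait()
        buf.rotate()


def scenario(workdir=None):
    """Walk the state machine with constructed slot contents (no tethereal needed)."""
    workdir = workdir or tempfile.mkdtemp(prefix="dblbuf-")
    slot_a = os.path.join(workdir, "cap_a.pcap")
    slot_b = os.path.join(workdir, "cap_b.pcap")
    buf = DoubleBuffer(slot_a, slot_b, os.path.join(workdir, "archive"))
    with open(slot_a, "wb") as f:
        f.write(b"A" * 16)          # constructed stand-in for n minutes of traffic
    buf.rotate()                    # writer moves to slot B; A is now "previous"
    with open(slot_b, "wb") as f:
        f.write(b"B" * 16)
    buf.on_alert()                  # alert fires mid-slot: A is preserved immediately
    held = buf.rotate() == slot_b   # rotation suspended while on hold
    buf.on_resume()                 # analyst releases: B (contains the alert) is preserved
    resumed = buf.rotate() == slot_a
    return {
        "archived": [os.path.basename(p) for p in buf.archived],
        "held": held,
        "resumed": resumed,
        "first_bytes": open(buf.archived[0], "rb").read(),
    }


if __name__ == "__main__":
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    minutes = float(sys.argv[2]) if len(sys.argv) > 2 else 5
    ring = DoubleBuffer("/var/tmp/cap_a.pcap", "/var/tmp/cap_b.pcap", "/var/tmp/preserved")
    print(f"controller pid {os.getpid()}: kill -USR1 to preserve, kill -USR2 to resume")
    run(ring, minutes * 60, iface)
```

With a 5-minute interval the preserved file from an alert holds between 5 and 10 minutes of traffic before the trigger, depending on where in the slot the previous switch happened; that is the "at least n minutes" in the message. The IDS side only needs the controller's pid to send `kill -USR1`.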


