Re: session logging IDS

["Andy Cuff" <talisker () securitywizardry com>]

Hi
Intrusion's SecureNetPro http://securitywizardry.com/N_ids.htm#SNP certainly
used to do an excellent job of Session Monitoring where each thread was
displayed separately on their Linux Console, I remember it being handy for
checking content of traffic to hotmail etc.

They don't seem to push their Linux Console very much at all, in fact their
marketing as a whole is poor, the bonus is they offer good value for money
as an IDS (IMHO).  Recently I have seen a signature for session logging,
which doesn't require an alert to fire.  Also they have Traffic Analysis
scripts that will allow you to use the IDS for NetFlow data.

What we could do with is an Intrusion employee to give us the low down on
it's session logging capabilities.

-andy cuff
Talisker's Computer Security Portal
Computer Network Defence Ltd
http://www.securitywizardry.com
----- Original Message ----- 
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
To: "David W. Goodrum" <dgoodrum () nfr com>; "Raj Malhotra"
<ral.mal () gmail com>
Cc: <focus-ids () securityfocus com>
Sent: Thursday, September 02, 2004 9:04 AM
Subject: Re: session logging IDS


> --On 30 August 2004 18:04 -0400 "David W. Goodrum" <dgoodrum () nfr com>
wrote:
> > Hmmmm, I would like verification that either Cisco or Intrushield (or
any
> > other IDS/IPS) can actually capture an entire session from beginning to
> > end, when the alert was triggered somewhere in the middle, and that they
> > can do it all the time.
>
> That would certainly be a new feature for Cisco's offering since the last
> time I worked with it (Mid-2002).
>
> The only other things that I've seen that are relevant are Niksun's NetVCR
> and Snort/sourcefire. At the moment, out of the box, Snort can only
capture
> subsequent packets in a session or from a source host *after* the
> alert-triggering packet (using the 'tag' keyword). I'm currently extending
> ACID and FLoP to allow pcap files of tagged alerts to be downloaded from
> ACID for analysis using Ethereal or other tools.
>
> The other thing I thought of, after being inspired by Niksun's product,
was
> to arrange for tethereal to dump to a pair of files (i.e. a double
buffer),
> switching every n minutes. It would then be possible to arrange for an IDS
> to send a signal to tethereal (or rather, some controlling process) when
it
> generated an interesting alert, telling tethereal to preserve the previous
> dump file, and continue logging to the current one until further notice,
> giving you upto at least n minutes of reverse 'time travel'.
>
> > -dave
> >
> > David W. Goodrum
>
> Best Regards,
> Alex.
> -- 
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing             GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9


--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------