IDS mailing list archives

Re: session logging IDS


From: Tod Beardsley <todb () planb-security net>
Date: Tue, 31 Aug 2004 09:37:49 -0500

Raj Malhotra wrote:

> we definitely agree with david's and your observation that session
> logging is not the goal of an IDS.  [...] could you please suggest some
> tools for session logging?

So, basically, you'd like to record all network traffic, since you will never know if an attack will take place during a given time period.

At that point, it comes down to merely logging everything with a device that can keep up with your throughput requirements and have enough storage to retain whatever time slice you need. As David intimated, no IDS/IPS product will do this.

I'm sure you could rig up a tcpdump solution with regular log rotations. If you're not concerned with data content, and just want to watch traffic patterns, the US Navy's Shadow[1] is worth looking into.

You might also want to peruse the Honeynet Project[2]; if you deploy a device that sees no legitimate traffic, then deciding what to log becomes a lot easier, as nearly all traffic flowing to/from the honeypot device is suspicious.

[1] Shadow Documentation: http://www.nswc.navy.mil/ISSEC/CID/Install3-MS.htm

[2] Honeynet Project Home Page:
http://www.honeynet.org/tools/index.html

--
Tod Beardsley | www.planb-security.net
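One way to set up the "tcpdump solution with regular log rotations" mentioned above, as an added example that is not part of the original thread or of any product it names. It assumes a tcpdump build that supports time-based rotation (`-G`) with strftime patterns in the `-w` filename, and the interface name, capture directory, rotation interval and retention count are placeholders to be tuned to the site's throughput and storage budget:

```shell
#!/bin/sh
# Full-packet capture with hourly file rotation plus a retention sweep.
# Added example; all names and numbers below are assumptions, not taken
# from the thread.

CAPTURE_DIR="${CAPTURE_DIR:-/var/log/pcap}"   # placeholder capture directory
IFACE="${IFACE:-eth0}"                        # placeholder sensor interface
ROTATE_SECONDS=3600                           # start a new file every hour
KEEP_FILES=168                                # 7 days of hourly files

# Print the capture command rather than executing it, so it can be reviewed
# before being dropped into an init script. -s 0 keeps whole packets, -n
# avoids DNS lookups that would slow the capture, and -G rotates the output
# file every ROTATE_SECONDS using the strftime pattern in the -w argument.
capture_cmd() {
    printf 'tcpdump -i %s -n -s 0 -G %s -w %s/%s\n' \
        "$IFACE" "$ROTATE_SECONDS" "$CAPTURE_DIR" 'trace-%Y%m%d-%H%M%S.pcap'
}

# Retention sweep, meant to run from cron: delete the oldest rotated files
# once more than $2 of them exist in $1. The timestamped names sort
# lexically, so plain sort yields oldest-first order.
prune_old_captures() {
    dir="$1"
    keep="$2"
    count=$(ls -1 "$dir"/trace-*.pcap 2>/dev/null | wc -l | tr -d ' ')
    excess=$((count - keep))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$dir"/trace-*.pcap | sort | head -n "$excess" | while read -r f; do
        rm -f "$f"
    done
}

# Typical use:
#   eval "$(capture_cmd)" &          # start the capture (needs root/CAP_NET_RAW)
#   prune_old_captures "$CAPTURE_DIR" "$KEEP_FILES"   # hourly from cron
```

Watch the capture host for packet drops (tcpdump reports "packets dropped by kernel" on exit); once that number climbs, the box is not keeping up with the link and the record has gaps, which is exactly the problem the message warns an ordinary IDS appliance cannot solve.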

