IDS mailing list archives

RE: session logging IDS

From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Tue, 14 Sep 2004 10:40:53 +0100

--On 13 September 2004 12:52 -0400 "Murtland, Jerry"<MurtlandJ () Grangeinsurance com> wrote:

I'm more interested in tethereal and how you say it can go back per the
'tag' keyword.  I'd have to try it out to see how this works, but are you
saying you can go back and review packets previous from when the sniffer
was enabled?


I proposed /two/ separate solutions.

The first was to use Snort's 'tag' keyword, which will log all packets*following* the alert-generating packet from the source host or in thesession for a admin-definable period *after* the alert is generated.

The second solution was to build something around tethereal; arrange fortethereal to capture to a pair of ring buffer files, rotating every nminutes (tethereal can do this part out-of-the-box, for anyone who's notfamiliar with it). Then use Snort flexresp or something (maybe even a newoutput plugin) to send a signal to tethereal's controlling process (i.e.the part that needs to be written) which makes it kill the presenttethereal process, preserve the current pair of ring buffer files (thusgiving at at least n minutes and at most 2n minutes capture history) andhave a new tethereal process capture to a new file until it receives asecond signal from snort, it runs out of disc, or some time period expiresaccording to taste. Easy enough to DIY, but there's nothing out there rightnow that does it (to my knowledge). This approach has the advantage of notneeding too much disc space, but being able to provide a capture historyfrom a point *before* alerts are generated.

Jerry J. Murtland


Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------

Current thread:

RE: session logging IDS Bob Walder (Aug 31)
- <Possible follow-ups>
- Re: session logging IDS Richard Bejtlich (Aug 31)
- Re: session logging IDS Tod Beardsley (Sep 01)
- Re: session logging IDS David W. Goodrum (Sep 01)
  - Re: session logging IDS Stefan Keller (Sep 01)
- Re: session logging IDS Bamm Visscher (Sep 02)
- Re: session logging IDS Alex Butcher, ISC/ISYS (Sep 05)
  - Re: session logging IDS Andy Cuff (Sep 06)
- RE: session logging IDS Paine, Steve (Sep 05)
- RE: session logging IDS Murtland, Jerry (Sep 14)
  - RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 14)
  - RE: session logging IDS Bill Royds (Sep 15)
- RE: session logging IDS Prabhat Singh (Sep 15)
  - RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 15)
- RE: session logging IDS Bénoni MARTIN (Sep 15)
  - RE: session logging IDS brennan stewart (Sep 16)