IDS mailing list archives
RE: session logging IDS
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Wed, 15 Sep 2004 09:18:11 +0100
--On 15 September 2004 13:25 +0530 Prabhat Singh <prabhat.singh () nevisnetworks com> wrote:
The second approach proposed by Alex enables capturing history from a point *before* alerts are generated. However, if an attacker opened a session and left it open for a long time before sending the malicious content. In this case, the previous packets will not be present in the buffer (assuming rollover of buffers happened before alert generation).
Yup, good call. In time, if session-capturing NIDS becomes commonly deployed, we can certainly expect (clueful) attackers to start adopting that evasion technique.
Another approach could be to do the flow based logging of the packets. Keep last n packets (or n bytes of data) of the flows sent before the alert generation and all packets subsequent to alert generation :-). And, if the flow did not generate any alert then purge the captured data for that flow on the flow termination. The rollover problem exists in this approach too, but, it guarantees that at least previous n packets (or n bytes) of previously transferred data is present in the history :-).
That's looking like it would outside the capabilities of quick shell script hack. ;-)
Cheers, -PRabhat
Best Regards, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: session logging IDS, (continued)
- Re: session logging IDS David W. Goodrum (Sep 01)
- Re: session logging IDS Stefan Keller (Sep 01)
- Re: session logging IDS Bamm Visscher (Sep 02)
- Re: session logging IDS Alex Butcher, ISC/ISYS (Sep 05)
- Re: session logging IDS Andy Cuff (Sep 06)
- RE: session logging IDS Paine, Steve (Sep 05)
- RE: session logging IDS Murtland, Jerry (Sep 14)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 14)
- RE: session logging IDS Bill Royds (Sep 15)
- RE: session logging IDS Prabhat Singh (Sep 15)
- RE: session logging IDS Alex Butcher, ISC/ISYS (Sep 15)
- RE: session logging IDS BĂ©noni MARTIN (Sep 15)
- RE: session logging IDS brennan stewart (Sep 16)
- Re: session logging IDS David W. Goodrum (Sep 01)