RE: session logging IDS

["Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>]

--On 15 September 2004 13:25 +0530 Prabhat Singh 
<prabhat.singh () nevisnetworks com> wrote:

> The second approach proposed by Alex enables capturing history from a
> point *before* alerts are generated.
>
> However, if an attacker opened a session and left it open for a long
> time before sending the malicious content. In this case, the previous
> packets will not be present in the buffer (assuming rollover of buffers
> happened before alert generation).

Yup, good call. In time, if session-capturing NIDS becomes commonly 
deployed, we can certainly expect (clueful) attackers to start adopting 
that evasion technique.

> Another approach could be to do the flow based logging of the packets.
> Keep last n packets (or n bytes of data) of the flows sent before the
> alert generation and all packets subsequent to alert generation :-).
> And, if the flow did not generate any alert then purge the captured data
> for that flow on the flow termination. The rollover problem exists in
> this approach too, but, it guarantees that at least previous n packets
> (or n bytes) of previously transferred data is present in the history
> :-).

That's looking like it would outside the capabilities of quick shell script 
hack. ;-)

> Cheers,
>
> -PRabhat

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------