RE: session logging IDS

[brennan stewart <brennan () ideahamster org>]

I believe Raytheon's SilentRunner now CA Etrust Network forensics was
the first with that kind of functionality on an enterprise level

-b

On Wed, 2004-09-15 at 11:52, Bénoni MARTIN wrote:
> Etheral does not store...mmhh...I do not think so !! You can save (File /save as...) in several formats the packets 
> sniffed by the tool. What I usual do is: lauch Ethereal after setting up some filtering rules, wait a while, then 
> stop the capture, maybe filter again if I need so, then save the results in the format i want...
>
> HTH !
>  
>
> -----Message d'origine-----
> De : Bill Royds [mailto:broyds () rogers com] 
> Envoyé : mercredi 15 septembre 2004 02:18
> À : 'Murtland, Jerry'
> Cc : focus-ids () securityfocus com
> Objet : RE: session logging IDS
>
> Ethereal and ethereal do store the packets, but in a ring buffer file for a limited number of seconds. This limits 
> the size of the log file but does allow you to go back up to the beginning of the buffer to get some previous history.
> Whether it is long enough to capture all traffic of interest is a possible problem. 
>
> -----Original Message-----
> From: Murtland, Jerry [mailto:MurtlandJ () Grangeinsurance com]
> Sent: Monday, September 13, 2004 12:52 PM
> To: 'Alex Butcher, ISC/ISYS'; David W. Goodrum; Raj Malhotra
> Cc: focus-ids () securityfocus com
> Subject: RE: session logging IDS
>
> > Hmmmm, I would like verification that either Cisco or Intrushield (or 
> > any other IDS/IPS) can actually capture an entire session from 
> > beginning to end, when the alert was triggered somewhere in the 
> > middle, and that they can do it all the time.
>
> > From the way that you are stating it, it cannot be done.  The IDS's sniffer must be manually started and cannot go 
> > back to the beginning of an attack to find out what happened.  This can only be done if the sniffer were enabled 
> > 100% of the time, and we all know that you basically cannot do this due to logging capacity.
>
>
> I'm more interested in tethereal and how you say it can go back per the 'tag' keyword.  I'd have to try it out to see 
> how this works, but are you saying you can go back and review packets previous from when the sniffer was enabled?  I 
> can't see how this could occur since packets are not stored.
>
>
> Jerry J. Murtland
>
>
> -----Original Message-----
> From: Alex Butcher, ISC/ISYS [mailto:Alex.Butcher () bristol ac uk]
> Sent: Thursday, September 02, 2004 4:04 AM
> To: David W. Goodrum; Raj Malhotra
> Cc: focus-ids () securityfocus com
> Subject: Re: session logging IDS
>
>
>
>
> --On 30 August 2004 18:04 -0400 "David W. Goodrum" <dgoodrum () nfr com> wrote:
>
> > Hmmmm, I would like verification that either Cisco or Intrushield (or 
> > any other IDS/IPS) can actually capture an entire session from 
> > beginning to end, when the alert was triggered somewhere in the 
> > middle, and that they can do it all the time.
>
> That would certainly be a new feature for Cisco's offering since the last time I worked with it (Mid-2002).
>
> The only other things that I've seen that are relevant are Niksun's NetVCR and Snort/sourcefire. At the moment, out 
> of the box, Snort can only capture subsequent packets in a session or from a source host *after* the alert-triggering 
> packet (using the 'tag' keyword). I'm currently extending ACID and FLoP to allow pcap files of tagged alerts to be 
> downloaded from ACID for analysis using Ethereal or other tools.
>
> The other thing I thought of, after being inspired by Niksun's product, was to arrange for tethereal to dump to a 
> pair of files (i.e. a double buffer), switching every n minutes. It would then be possible to arrange for an IDS to 
> send a signal to tethereal (or rather, some controlling process) when it generated an interesting alert, telling 
> tethereal to preserve the previous dump file, and continue logging to the current one until further notice, giving 
> you upto at least n minutes of reverse 'time travel'.
>
> > -dave
> >
> > David W. Goodrum
>
> Best Regards,
> Alex.
> --
> Alex Butcher: Security & Integrity, Personal Computer Systems Group
> Information Systems and Computing             GPG Key ID: F9B27DC9
> GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE
> IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
> learn more.
> --------------------------------------------------------------------------
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------
>
>
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
> --------------------------------------------------------------------------

Attachment: signature.asc
Description: This is a digitally signed message part