Re: Intrushield vs. ISS once more... [documentation pointer]

[Andre Ludwig <andre.ludwig () gmail com>]

last i checked on the new proventia appliances if you set log evidence
and log with raw it should send the packet data to the management
console. Thus allowing you to view the packet when you view event
details.. (so i was told)...

Other then that it will store the files in a file on the sensor (which
you then have to scp to a box with ethereal or tcpdump).

PITA, would be nice to see ISS integrate this into siteprotector allot
better.. (ala sourcefire)

makes verification of an attack a helluva allot simpler..




On Mon, 28 Feb 2005 23:29:45 +0100, Massimo <massimo.mail () quipo it> wrote:
> Hello.
>
> I use ISS product but can't find on product documentation / KB
> information on the new features mentioned.
>
> On 31/12/2004 10.16, Maynor, David (ISS Atlanta) wrote:
> > The oldest phase captured the data and wrote to the sensors disk. The
> > file was stored in a "Sniffer" format or could be configured to use
> > tcpdump format. This could eat up a lot of space and could become a
> > performance/maintenance nightmare.
> >
> > The current method in use improves the original method by allowing the
> > captures to be sent to the management console.
> Where can I find documentation on this new features (I use ISS product
> and still use the "old methods")? What ISS product can benefit this
> features? Can I have the PCAP file that triggered a specific attack. Now
> I get a big PCAP file with all the capture of all the attack detected by
> a sensor with the log packet enabled, but it can be difficoult task to
> find a packet in 10.000 packet, or more, present in the sensor.
>
> > The newest method which should be released soon has adopted a modified
> > libpcap interface. This allows an admin to ssh to a sensor and grab the
> > packets with something like tcpdump or tethereal.
> When is it planned and on which ISS product (proventia A/G/M Series,
> Linux 100 Network Sensor, Linux Gigabit Network sensor)?
>
> > The initial version of TRONS sat outside of PAM. Per Rob Graham, the
> > performance sucked. It was designed to use with less than 50 rules and
> > because it was outside of the main PAM module rule processing was
> > severely impacted.
> >
> > Luckily that version is dead and gone.
> >
> > The latest version of TRONS is integrated into PAM and has done away
> > with the originals performance problems.
> [...]
> > The actual format has changed very little. Where as before a user
> > would do something like:
> >
> >       trons.rule=alert tcp any any -> any ...
> >
> > The new version is a simple change like:
> >
> >       pam.trons.rule=alert tcp any any -> any ...
>
> Where can I find documentation for this new way of defining trons rules?
> On ISS KB I can still find a document of 2 years ago about the "classic
> trons".
>
> Is the ACE Engine and Event Propagation posssibile on this new type of
> trons event? Do you support the Thresholding features of snort in Trons?
>   (something that limit the number of event written on the DB is very
> useful not to DOS the DB and the management platform in case of worm).
>
> Best Regards,
>                         Massimo
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------