IDS mailing list archives

Re: How to choose an IDS/FW MSS provider


From: Richard Bejtlich <taosecurity () gmail com>
Date: Sat, 12 Mar 2005 18:02:01 -0500

On Sat, 12 Mar 2005 17:29:15 -0500, David W. Goodrum <dgoodrum () nfr com> wrote:
> First, "recording everything" is not what IDS's were EVER meant for,
> IMHO.  If you want to record everything try tcpdump with lots of hard
> disk space.  :)
>
> It would be great if everybody just ran tcpdump on terabyte drives, and
> let IPS systems stop worrying about those things.  I just don't think
> it's ever going to happen.
>
> -dave

Hi Dave,

You make several good points.  Remember that network audit is not
confined to full content data in libpcap format.  Session (aka flows,
conversations) can often save the day when scoping an incident, and
it's immune to encryption.  :)  That's why I spend one chapter on
"IDSs" in my book and several others on session data, full content
data, and statistical data.

While I admit those in large bandwidth environments are not going to
easily save large amounts of full content data, whatever you can grab
helps.  Even in large bandwidth environments session data can be
fairly easily recorded.  Statistical data is even easier.

Starting ten years ago in the Air Force we used ASIM to collect select
full content data and all session data, and generated alerts
independent of those records.  People using Sguil today are doing the
same thing.

Sincerely,

Richard
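The message above contrasts full content data with session data (flows) and statistical data, and notes that session records survive encryption because they are built from headers alone. As an added illustration (not code from this thread, from Sguil, or from ASIM), the following Python derives bidirectional session records and per-host statistics from per-packet header metadata. The packet list is constructed sample data; the canonical 5-tuple key, the field names, and the one-sided session check are assumptions made for the example.

```python
"""Session (flow) records and statistical summaries from packet headers.
Added example, not from the original thread, Sguil or ASIM.  Packet
payloads are never consulted, so TLS or SSH traffic produces the same
session records as cleartext."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Session:
    key: tuple          # (proto, (host_a, port_a), (host_b, port_b))
    first_seen: float
    last_seen: float
    pkts_fwd: int = 0   # packets from endpoint a to endpoint b
    bytes_fwd: int = 0
    pkts_rev: int = 0   # packets from endpoint b to endpoint a
    bytes_rev: int = 0


def canonical_key(src, sport, dst, dport, proto):
    """Order endpoints so both directions of a conversation share one key.
    Returns (key, is_forward); is_forward is True when the packet went from
    the first endpoint in the key to the second.  (Assumed convention.)"""
    a, b = (src, sport), (dst, dport)
    if a <= b:
        return (proto, a, b), True
    return (proto, b, a), False


def build_sessions(packets):
    """packets: iterable of (ts, src, sport, dst, dport, proto, length).
    Aggregates per-packet header metadata into one record per conversation."""
    sessions = {}
    for ts, src, sport, dst, dport, proto, length in packets:
        key, fwd = canonical_key(src, sport, dst, dport, proto)
        s = sessions.get(key)
        if s is None:
            s = Session(key=key, first_seen=ts, last_seen=ts)
            sessions[key] = s
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        if fwd:
            s.pkts_fwd += 1
            s.bytes_fwd += length
        else:
            s.pkts_rev += 1
            s.bytes_rev += length
    return sessions


def unanswered(sessions):
    """Sessions with traffic in one direction only: useful when scoping an
    incident, e.g. to spot a host probing peers that never reply."""
    return [s.key for s in sessions.values() if s.pkts_rev == 0]


def host_stats(sessions):
    """Statistical data: per-host session count, distinct peers, total bytes."""
    acc = defaultdict(lambda: {"sessions": 0, "peers": set(), "bytes": 0})
    for s in sessions.values():
        _, (h1, _), (h2, _) = s.key
        total = s.bytes_fwd + s.bytes_rev
        for host, peer in ((h1, h2), (h2, h1)):
            acc[host]["sessions"] += 1
            acc[host]["peers"].add(peer)
            acc[host]["bytes"] += total
    return {h: {"sessions": v["sessions"], "peers": len(v["peers"]),
                "bytes": v["bytes"]} for h, v in acc.items()}


# Constructed sample: one HTTPS conversation (payload would be TLS) and
# three unanswered SYNs from the same client to port 22 on three hosts.
SAMPLE_PACKETS = [
    (1.0, "10.0.0.5", 40001, "203.0.113.10", 443, "tcp", 60),
    (1.1, "203.0.113.10", 443, "10.0.0.5", 40001, "tcp", 60),
    (1.2, "10.0.0.5", 40001, "203.0.113.10", 443, "tcp", 517),
    (1.3, "203.0.113.10", 443, "10.0.0.5", 40001, "tcp", 1400),
    (1.4, "203.0.113.10", 443, "10.0.0.5", 40001, "tcp", 1400),
    (2.0, "10.0.0.5", 40002, "198.51.100.7", 22, "tcp", 60),
    (2.0, "10.0.0.5", 40003, "198.51.100.8", 22, "tcp", 60),
    (2.0, "10.0.0.5", 40004, "198.51.100.9", 22, "tcp", 60),
]

if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_PACKETS)
    for s in sessions.values():
        print(s)
    print("unanswered:", unanswered(sessions))
    print("hosts:", host_stats(sessions))
```

Full content capture of the same traffic would be about 4 KB here; the session table is a few records regardless of how long the TLS conversation ran, which is why flow records remain affordable where full content is not.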
