Network Security Focus-IDS

Re: session logging IDS

Subject: Re: session logging IDS
Date: Tue, 31 Aug 2004 07:22:50 -0400
Raj Malhotra wrote:

...we would like to know the events that led to a successful intrusion
and not just whether an intrusion took place or not. We will not be
able to formulate better policies if we are unaware of the sequence of
events that led to an intrusion.

Could you please suggest some tools for session logging?

--

Raj,

Consider looking at Sguil (www.sguil.net).  

You speak of "session logging" with respect to logging packet
contents, but we use a different term -- full content data.

Sguil is an interface and a method to integrate the following:

1.  Snort generates alert data ("IDS alerts")
2.  SANCP (www.metre.net) logs sessions, meaning a summary of a
conversation (src IP, src port, dst IP, dst port, protocol, time,
packet and byte counts, TCP flags) for TCP, UDP, and ICMP
3.  A second instance of Snort logs full content data in libpcap form

The third item is what you call "session data."

When you take the three types of network evidence and add in
statistical data, you've got Network Security Monitoring. [0]

The Sguil team agrees with your sentiments!  It's easy to evade every
IDS ever built or that will be built.  Alert data is a helpful
indicator of intrusion, but it's not the end of an incident
investigation -- it's the beginning.  Often session or full content
data is the only way to hope to have a means of detecting an advanced
intruder or validating that an intrusion took place.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.taosecurity.com/books.html
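The point above, that an alert is the beginning of an investigation and session data supplies the sequence of events, can be shown with a small correlation step. The following is an added example and is not Sguil, SANCP or Snort code; the pipe-separated session layout, the sample records and the alert are all constructed for illustration (SANCP's real output format is not reproduced here).

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Session(NamedTuple):
    start: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int

# Constructed session summaries in an assumed layout (not real SANCP output):
# start time | src IP | src port | dst IP | dst port | proto | packets | bytes
SESSIONS_RAW = """\
2004-08-31 07:01:12|10.0.0.5|41002|192.168.1.10|22|tcp|9|1200
2004-08-31 07:03:40|10.0.0.5|41003|192.168.1.10|80|tcp|120|88000
2004-08-31 07:04:05|10.0.0.5|41004|192.168.1.10|443|tcp|12|2400
2004-08-31 07:05:30|192.168.1.10|52110|10.0.0.5|4444|tcp|300|512000
2004-08-31 07:20:00|10.0.0.7|51000|192.168.1.10|80|tcp|40|9000
"""

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def parse_sessions(text: str) -> list[Session]:
    """Parse the pipe-separated session records into Session tuples."""
    recs = []
    for line in filter(None, text.splitlines()):
        ts, sip, sp, dip, dp, proto, pk, nb = line.split("|")
        recs.append(Session(_ts(ts), sip, int(sp), dip, int(dp), proto, int(pk), int(nb)))
    return recs

def related_sessions(sessions, alert_time: str, host_a: str, host_b: str, window_min=10):
    """All sessions between the two alerted hosts, in either direction, that
    started within +/- window_min minutes of the alert, ordered by start time."""
    t = _ts(alert_time)
    lo, hi = t - timedelta(minutes=window_min), t + timedelta(minutes=window_min)
    hosts = {host_a, host_b}
    return sorted((s for s in sessions if {s.src_ip, s.dst_ip} == hosts and lo <= s.start <= hi),
                  key=lambda s: s.start)

def timeline(sessions, alert_time: str, alert_msg: str, src: str, dst: str):
    """Merge the alert into the surrounding session records: the sequence of
    events the alert alone does not show (here, a later outbound connection)."""
    events = [(s.start, f"session {s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port}/{s.proto} "
                        f"{s.pkts} pkts {s.nbytes} bytes") for s in related_sessions(sessions, alert_time, src, dst)]
    events.append((_ts(alert_time), f"ALERT {alert_msg} {src} -> {dst}"))
    return [f"{t:%H:%M:%S} {d}" for t, d in sorted(events)]
```

Running `timeline(parse_sessions(SESSIONS_RAW), "2004-08-31 07:03:45", "constructed-signature", "10.0.0.5", "192.168.1.10")` places the alert between the port 80 and port 443 sessions and shows the later connection from the server back to the alerting host, which only the session records reveal.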
