Network Security Focus-IDS

RE: session logging IDS

Subject: RE: session logging IDS
Date: Tue, 31 Aug 2004 08:31:05 +0200
Technically (theoretically?) this can be done..... But just think of all
the data that the IDS/IPS would need to buffer to be able to provide you
with ALL session data for each session where an alert is raised. ;o)
Don't forget that EVERY open session has to be tracked JUST IN CASE an
alert is raised at some point - not v practical, even at 100Mbps

Products like IntruShield are capable of buffering x packets before an
alert is raised to try and provide some context for the alert. Cisco do
something similar, but they just provide you with the context buffer
(fixed size), which is actually more useful in most cases. ISS Proventia
also gathers lots of data on each session tracked now so that when an
alert is raised it can give you lots of interesting context data - such
as the user name and password used to log in to an FTP server, for
example - in addition to the item that actually triggered the alert.

Some companies specialise in producing "forensic recorders" - Niksun,
for example (there are others that I cannot remember off the top of my
head - and I *BELIEVE* - not sure - that that is actually how NFR
started life?) which are simply designed to catch huge wodges of data at
wire speed. You could use those to capture ALL your traffic and let the
IDS/IPS do its job - then you can HOPE that you can find the session
that contains the alert your IDS/IPS found. One or two vendors are
talking about integrating with such recording devices, such that they
sorta "sync" their session tracking, and when an alert is raised they
flag the forensic recorder to keep a particular session in its entirety
- not here yet though. 

See our IPS report at www.nss.co.uk/ips for more info - for those who
have been there before, you might be interested to know that we have
dropped that annoying form you had to fill in before you got to the
reports ;o)

Maybe we should look at testing these forensic recorders in a group test
- any vendors interested? 

Regards,

Bob Walder
The NSS Group
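The "buffer x packets before an alert is raised" approach described above, as an added illustration that is not code from any product or from this thread: each tracked session keeps only its last few packets in a bounded ring, idle sessions are evicted once the tracker holds too many, and an alert hands back whatever pre-alert context survived. All sizes and addresses are constructed values.

```python
from collections import OrderedDict, deque

MAX_PKTS = 4   # context packets retained per session (constructed value)
MAX_FLOWS = 3  # sessions tracked at once before the least active is dropped

class ContextTracker:
    """Bounded per-session pre-alert context buffer (hypothetical helper)."""

    def __init__(self, max_pkts=MAX_PKTS, max_flows=MAX_FLOWS):
        self.max_pkts = max_pkts
        self.max_flows = max_flows
        self.flows = OrderedDict()  # flow key -> deque of recent packets
        self.evicted = 0            # sessions dropped before any alert fired

    @staticmethod
    def key(src, sport, dst, dport, proto):
        # Direction-independent 5-tuple so both halves of a session share one buffer.
        a, b = (src, sport), (dst, dport)
        return (proto,) + (a + b if a <= b else b + a)

    def observe(self, src, sport, dst, dport, proto, payload):
        k = self.key(src, sport, dst, dport, proto)
        if k in self.flows:
            self.flows.move_to_end(k)           # mark as most recently active
        else:
            self.flows[k] = deque(maxlen=self.max_pkts)
            if len(self.flows) > self.max_flows:
                self.flows.popitem(last=False)  # evict least recently active
                self.evicted += 1
        self.flows[k].append(payload)           # deque drops the oldest packet itself

    def alert(self, src, sport, dst, dport, proto):
        # Return the retained context for the analyst; the session leaves the tracker.
        k = self.key(src, sport, dst, dport, proto)
        buf = self.flows.pop(k, None)
        return list(buf) if buf is not None else []

def demo():
    # Constructed FTP control session: six packets, then an alert on the reply side.
    t = ContextTracker()
    for i in range(6):
        t.observe("10.0.0.5", 40000, "10.0.0.9", 21, "tcp", f"pkt{i}")
    ctx = t.alert("10.0.0.9", 21, "10.0.0.5", 40000, "tcp")
    return ctx, t.evicted  # only the last MAX_PKTS packets survive
```

The memory cost is what the eviction counter makes visible: once more sessions are open than the tracker can hold, the oldest one is gone before any alert could ever ask for it.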
-----Original Message-----
From: Martin Roesch [mailto:roesch@sourcefire.com] 
Sent: 30 August 2004 20:48
To: Raj Malhotra
Cc: focus-ids@securityfocus.com
Subject: Re: session logging IDS


Do you want to log the entire session always on a specific port or
between two IPs, or are you looking to log the entire session if there's
a detect on it?

      -Marty

On Aug 30, 2004, at 7:17 AM, Raj Malhotra wrote:

Hello all,

We are evaluating available NIDS products which would work at 100 mbps
and would also do "session logging". By "session logging", we would
want the IDS to log the "entire session" and not just the session
"after" an intrusion is detected.

We saw a couple of IDS which would probably be able to do something
like this,
Cisco IDS
Intrushield

Cisco offers session logging as well as replay.
Intrushield says something like "Highly customized capture of
individual packet, individual session, specific source/destination, or
entire traffic stream upon attack detection" which might be translated
as "logging of the session only after an attack has been detected".

Can anyone tell us more about these or any such IDS that are available
which can log the entire session. Also, has anyone used any of these
and with what degree of success? You can mail us back off the list if
you so wish.

thanks
Raj


-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring 
roesch@sourcefire.com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org