Network Security Focus-IDS

RE: session logging IDS

Subject: RE: session logging IDS
Date: Tue, 14 Sep 2004 10:40:53 +0100


--On 13 September 2004 12:52 -0400 "Murtland, Jerry" <MurtlandJ@Grangeinsurance.com> wrote:

I'm more interested in tethereal and how you say it can go back per the
'tag' keyword.  I'd have to try it out to see how this works, but are you
saying you can go back and review packets previous from when the sniffer
was enabled?

I proposed /two/ separate solutions.

The first was to use Snort's 'tag' keyword, which will log all packets *following* the alert-generating packet from the source host or in the session for an admin-definable period *after* the alert is generated.

The second solution was to build something around tethereal; arrange for tethereal to capture to a pair of ring buffer files, rotating every n minutes (tethereal can do this part out-of-the-box, for anyone who's not familiar with it). Then use Snort flexresp or something (maybe even a new output plugin) to send a signal to tethereal's controlling process (i.e. the part that needs to be written) which makes it kill the present tethereal process, preserve the current pair of ring buffer files (thus giving at least n minutes and at most 2n minutes capture history) and have a new tethereal process capture to a new file until it receives a second signal from snort, it runs out of disc, or some time period expires according to taste. Easy enough to DIY, but there's nothing out there right now that does it (to my knowledge). This approach has the advantage of not needing too much disc space, but being able to provide a capture history from a point *before* alerts are generated.

Jerry J. Murtland

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing
GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
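One way to build the "controlling process" from the second solution above, as an added example that is not Alex's code: a POSIX shell script that runs tshark (the current name of tethereal) with a two-file ring buffer and, on a SIGUSR1 delivered from Snort's response side, kills the capture, moves the current pair of ring files aside, and starts a fresh one. The interface name, directories, rotation interval, PID file and the signal delivery mechanism are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Controlling process for a tshark (tethereal) ring-buffer capture, written to
# illustrate the scheme in the post. Assumptions: tshark is installed, IFACE is
# the interface, and Snort's response side sends SIGUSR1 to this script's PID
# (written to PIDFILE) when an alert fires, e.g. kill -USR1 "$(cat PIDFILE)".
set -u
IFACE="${IFACE:-eth0}"
ROTATE_SECS="${ROTATE_SECS:-300}"        # n minutes, as seconds
RING_DIR="${RING_DIR:-/var/tmp/ring}"    # live pair of ring files
KEEP_DIR="${KEEP_DIR:-/var/tmp/kept}"    # preserved pre-alert history
PIDFILE="${PIDFILE:-/var/run/capctl.pid}"
CAP_PID=""

# Move every current ring file into dst/stamp/ so the pre-alert history
# (at least n, at most 2n minutes) survives; prints the new directory.
preserve_ring_files() {
    src="$1"; dst="$2"; stamp="$3"
    mkdir -p "$dst/$stamp"
    for f in "$src"/ring_*.pcap; do
        [ -e "$f" ] && mv "$f" "$dst/$stamp/"
    done
    printf '%s\n' "$dst/$stamp"
}

# Two files rotating every ROTATE_SECS; tshark names them ring_NNNNN_<date>.pcap.
start_capture() {
    tshark -i "$IFACE" -q -b "duration:$ROTATE_SECS" -b files:2 \
        -w "$RING_DIR/ring.pcap" 2>/dev/null &
    CAP_PID=$!
}

# SIGUSR1 handler: stop the capture, keep its files, start a fresh one.
on_alert() {
    kill "$CAP_PID" 2>/dev/null; wait "$CAP_PID" 2>/dev/null
    kept=$(preserve_ring_files "$RING_DIR" "$KEEP_DIR" "$(date +%Y%m%d-%H%M%S)")
    echo "alert: preserved pre-alert capture in $kept"
    start_capture
}

main() {
    mkdir -p "$RING_DIR" "$KEEP_DIR"; echo $$ > "$PIDFILE"
    trap on_alert USR1
    start_capture
    while :; do
        wait "$CAP_PID" 2>/dev/null         # returns on SIGUSR1 or tshark exit
        kill -0 "$CAP_PID" 2>/dev/null || { sleep 1; start_capture; }  # e.g. disc full
    done
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh capctl.sh run`; the restart-on-exit branch in the loop is one choice for the "runs out of disc" case, and can be replaced by a plain exit if a single capture window is preferred.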
