--On 15 September 2004 13:25 +0530 Prabhat Singh
<prabhat.singh@nevisnetworks.com> wrote:
The second approach proposed by Alex enables capturing history from a
point *before* alerts are generated.
However, if an attacker opened a session and left it open for a long
time before sending the malicious content. In this case, the previous
packets will not be present in the buffer (assuming rollover of buffers
happened before alert generation).
Yup, good call. In time, if session-capturing NIDS becomes commonly
deployed, we can certainly expect (clueful) attackers to start adopting
that evasion technique.
Another approach could be to do the flow based logging of the packets.
Keep last n packets (or n bytes of data) of the flows sent before the
alert generation and all packets subsequent to alert generation :-).
And, if the flow did not generate any alert then purge the captured data
for that flow on the flow termination. The rollover problem exists in
this approach too, but, it guarantees that at least previous n packets
(or n bytes) of previously transferred data is present in the history
:-).
That's looking like it would outside the capabilities of quick shell script
hack. ;-)
Cheers,
-PRabhat
Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
