Regarding "psychic packet capture" (an aptly named feature):
If it's such an interesting and useful feature, one wonders why Robert
Graham hasn't simply built it yet. It's not particularly hard.
Let me take a stab:
On a medium-large network we expect to see in the neighborhood of
10kfps. Assume a mean packet size of 300 bytes, and we're occupying 150
megs of resident memory.
This of course assumes no overlap; that connections terminate
instantaneously. They don't. Assume that half the connections last a
second, half those remaining live into the next second, and decay from
there. Now we need 300 megs of resident memory to keep 50 bytes for
every active connection.
Double these numbers if you're tracking both sides of the connection.
On a network running at 10kfps a loaded sensor probably does
interesting memory management (or runs in the kernel) just to deal with
the memory latency from maintaining connection state --- not packet
contents, just connection stats --- for all those connections. Keeping
contents incurs a memory copy. Does your existing system copy raw
packets manually into DRAM after they've been DMA'd into a receive
buffer?
Can this be done? I'm sure it can (though not in those Miss Cleo Perl
scripts you're referring to): you can buy systems that will promise to
copy all packets onto DISK. Why haven't you seen it in your IDS
already?
Probably because it isn't very useful.
For instance:
A system like Lancope's (statistical anomalies) doesn't generate alerts
based on individual packets or even individual connections. It's
detecting rate shifts based on time. This is detection based on context
(useful for some things, don't get me wrong). What's the likelihood
that the forensic information you're actually looking for is contained
in the 15kB of data associated with the connection that happened to
trip a threshold?
I'd probably have to concede that the feature is more useful in
signature systems, where detection is atomic with respect to
connections. But then I'd have to ask:
How hard do you think a system like this would be to attack?
I await my smackdown from Rob Graham or Mike Frantzen or Mike
Stolarchuk or whoever...
On Dec 31, 2004, at 4:16 AM, Maynor, David (ISS Atlanta) wrote:
Lancope product called Therminator. It incorporates a process they call
"psychic packet prediction." This attempts to maintain a certain buffer
of every connection. I can't remember the number; I think 50 packets or
so. When something in that buffer causes an alarm the entire buffer is
saved so not only do you get the packets that caused the alarm, you get
a certain amount ahead and behind it. This helps with forensics
greatly.
---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
