Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[ISSForum] Re: Intrushield vs. ISS once more... [documentation pointer]

from [Massimo] Network Security [Permanent Link]
Subject: [ISSForum] Re: Intrushield vs. ISS once more... [documentation pointer]
Date: Sat, 26 Feb 2005 10:26:03 +0100 
Hello.

I use ISS product but can't find on product documentation / KB information on the new features mentioned.

On 31/12/2004 10.16, Maynor, David (ISS Atlanta) wrote:
The oldest phase captured the data and wrote to the sensors disk. The
file was stored in a "Sniffer" format or could be configured to use
tcpdump format. This could eat up a lot of space and could become a
performance/maintenance nightmare. 

The current method in use improves the original method by allowing the
captures to be sent to the management console.
Where can I find documentation on this new features (I use ISS product and still use the "old methods")? What ISS product can benefit this features? Can I have the PCAP file that triggered a specific attack (not a big PCAP file with all the capture of all the attack detected with the log packet enabled)?

The newest method which should be released soon has adopted a modified
libpcap interface. This allows an admin to ssh to a sensor and grab the
packets with something like tcpdump or tethereal.
When is it planned and on which ISS product (proventia A/G/M Series, Linux 100 Network Sensor, Linux Gigabit Network sensor)?

The initial version of TRONS sat outside of PAM. Per Rob Graham, the
performance sucked. It was designed to use with less than 50 rules and
because it was outside of the main PAM module rule processing was
severely impacted.

Luckily that version is dead and gone.

The latest version of TRONS is integrated into PAM and has done away
with the originals performance problems.
[...] 
The actual format has changed very little. Where as before a user
would do something like:

        trons.rule=alert tcp any any -> any ...

The new version is a simple change like:

pam.trons.rule=alert tcp any any -> any ...

Where can I find documentation for this new way of defining trons rules? On ISS KB I can still find a document of 2 years ago about the "classic trons".

Is the ACE Engine and Event Propagation posssibile on this new type of trons event? Do you support the Thresholding features of snort in Trons? (something that limit the number of event written on the DB is very useful not to DOS the DB and the management platform in case of worm).

Best Regards,
                        Massimo
_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [ISSForum] Re: Intrushield vs. ISS once more... [documentation pointer], Massimo <=
Previous by Date:  Re: High availability design of NIDS, SandroMelo-CSO
Next by Date:  Need some information on HIDS!, peng xuena
Previous by Thread:  encrypted data honeypots and IDS, John Galt
Next by Thread:  Need some information on HIDS!, peng xuena
Indexes:  [Date] [Thread] [Top] [All Lists]