Network Security Focus-IDS

Re: How to choose an IDS/FW MSS provider

Subject: Re: How to choose an IDS/FW MSS provider
Date: Sat, 12 Mar 2005 18:02:01 -0500
On Sat, 12 Mar 2005 17:29:15 -0500, David W. Goodrum <dgoodrum@nfr.com> wrote:
> First, "recording everything" is not what IDSs were EVER meant for,
> IMHO.  If you want to record everything try tcpdump with lots of hard
> disk space.  :)
>
> It would be great if
> everybody just ran tcpdump on terabyte drives, and let IPS systems stop
> worrying about those things.  I just don't think it's ever going to happen.
>
> -dave

Hi Dave,

You make several good points.  Remember that network audit is not
confined to full content data in libpcap format.  Session (aka flows,
conversations) can often save the day when scoping an incident, and
it's immune to encryption.  :)  That's why I spend one chapter on
"IDSs" in my book and several others on session data, full content
data, and statistical data.

While I admit those in large bandwidth environments are not going to
easily save large amounts of full content data, whatever you can grab
helps.  Even in large bandwidth environments session data can be
fairly easily recorded.  Statistical data is even easier.

Starting ten years ago in the Air Force we used ASIM to collect select
full content data and all session data, and generated alerts
independent of those records.  People using Sguil today are doing the
same thing.

Sincerely,

Richard
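As an added example, not part of Richard's message or of any tool he names, the script below shows why session data "is immune to encryption": it builds bidirectional session records from packet header fields alone (addresses, ports, protocol, sizes, timestamps), then answers a scoping question and produces a statistical summary from those records. The packet metadata is constructed; the function and field names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed packet metadata: header fields only, no payload. A sensor can
# keep these even when the application data (e.g. TLS on 443) is encrypted.
# Fields: timestamp, src_ip, src_port, dst_ip, dst_port, proto, bytes
PACKETS = [
    (1000.0, "10.1.1.5", 51000, "203.0.113.7", 443, "tcp", 300),
    (1000.2, "203.0.113.7", 443, "10.1.1.5", 51000, "tcp", 1200),
    (1001.0, "10.1.1.5", 51000, "203.0.113.7", 443, "tcp", 4000),
    (1050.0, "10.1.1.9", 40000, "203.0.113.7", 443, "tcp", 250),
    (1051.0, "203.0.113.7", 443, "10.1.1.9", 40000, "tcp", 900),
    (1200.0, "10.1.1.5", 51200, "198.51.100.2", 22, "tcp", 500),
    (1201.0, "198.51.100.2", 22, "10.1.1.5", 51200, "tcp", 700),
]

@dataclass
class Session:
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    start: float
    end: float
    bytes_out: int = 0   # client -> server
    bytes_in: int = 0    # server -> client
    packets: int = 0

def build_sessions(packets):
    """Aggregate packets into session records keyed on the 5-tuple.
    The first packet seen in either direction defines the client side."""
    sessions = {}
    for ts, sip, sport, dip, dport, proto, size in sorted(packets):
        fwd = (sip, sport, dip, dport, proto)
        rev = (dip, dport, sip, sport, proto)
        if fwd in sessions:
            s = sessions[fwd]; s.bytes_out += size
        elif rev in sessions:
            s = sessions[rev]; s.bytes_in += size
        else:
            s = sessions[fwd] = Session(sip, sport, dip, dport, proto, ts, ts, size)
        s.end = max(s.end, ts)
        s.packets += 1
    return list(sessions.values())

def scope_incident(sessions, host, start, end):
    """Sessions touching `host` that overlap [start, end]: the scoping
    question session data answers without inspecting any payload."""
    return [s for s in sessions if host in (s.client, s.server)
            and s.start <= end and s.end >= start]

def talkers(sessions):
    """Statistical data: total bytes exchanged per server address."""
    totals = defaultdict(int)
    for s in sessions:
        totals[s.server] += s.bytes_in + s.bytes_out
    return dict(totals)
```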

