IDS and forensics

From: H C (keydet89at_private)
Date: Fri Jan 24 2003 - 07:34:00 PST


    I'm interested in others' views of network IDS systems
    when looking at incident response and forensics
    activities.
    
    This comes up from my hands-on dealings w/ IDSs like
    RealSecure and NetProwler.  These systems provide
    alerts, but don't keep the actual packets that
    initiate the alerts.  I've done some research w/
    NetProwler specifically, and haven't been able to find
    any explicit definition or description of the alerts.
    So I'll see an alert for "MS RPC portmapper small
    packets", but I have no way of determining what
    "small" is...and since we do a lot of DCOM on that
    subnet, I'd really like to see what the actual
    contents of the packet are...but can't through
    NetProwler.  I know I could load up snort or tcpdump,
    and do captures that way, but Symantec recently
    announced that it's no longer supporting NetProwler,
    so...
    
    About a year ago I was working w/ RealSecure and had
    the same issues...couldn't see what the packet
    contents were, nor could I see what the actual details
    of the filter were.  On top of that, the ability to
    create user-defined filters is extremely limited.
    
    What this leads to is the question of how useful such
    systems are in the face of network forensics.  If the
    packet contents themselves aren't saved in some way,
    but only used to trigger an alert, then how suitable
    are such systems for forensics?  To take a step back,
    if the signatures themselves aren't viewable, and only
    the alert, then how does the admin *really* determine
    what happened?  In most cases, they'd be at the mercy
    of whatever info the IDS console provides.
    
    Thoughts?
    
    Carv
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
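The post above asks how an admin can reconstruct what happened when the console shows only an alert name, with neither the rule's definition nor the packet that fired it. The Python below is an added example, not part of Carv's message and not the logic of NetProwler, RealSecure or any other product: it shows the alternative shape a forensics-friendly sensor takes. The signature states its threshold explicitly, every alert carries the rule text, the decoded header fields and the raw triggering packet, and the triggering packets are written out as a libpcap file so they can be reread later with tcpdump -r or snort -r. The rule (port 135, payload under 16 bytes), the hosts, ports, timestamps and payload bytes are all constructed for the example; the 16-byte threshold is an assumption made here, not a reading of the real "small packets" signature.

```python
import socket
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    """A rule that states its own threshold, so the console can show
    exactly what "small" meant when the alert fired."""
    name: str
    dst_port: int
    max_payload: int  # "small" = TCP payload strictly shorter than this

    def describe(self) -> str:
        return (f"{self.name}: TCP to port {self.dst_port} with payload "
                f"< {self.max_payload} bytes")


# Hypothetical rule in the spirit of "MS RPC portmapper small packets".
# Port 135 is the MS RPC endpoint mapper; the 16-byte threshold is an
# assumption made for this example, not any product's definition.
EPMAP_SMALL = Signature("MS RPC endpoint mapper small packets", 135, 16)


@dataclass(frozen=True)
class Alert:
    ts: int        # capture time, seconds since the epoch
    rule: str      # the signature text, so the analyst sees the definition
    decoded: dict  # header fields the rule was evaluated on
    raw: bytes     # the packet itself, kept as evidence


def build_ipv4_tcp(src, dst, sport, dport, payload=b"", flags=0x18) -> bytes:
    """Construct a raw IPv4+TCP packet (no link-layer header). Checksums are
    left zero: this is sample input for the detector, not traffic to send."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      8192, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode just enough IPv4+TCP to evaluate the rule. Anything that is not
    IPv4 carrying TCP raises ValueError instead of being silently matched."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not TCP")
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    data_off = (pkt[ihl + 12] >> 4) * 4
    payload = pkt[ihl + data_off:total_len]
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport, "flags": pkt[ihl + 13],
            "payload_len": len(payload)}


def detect(packets, sig: Signature) -> list:
    """Run one signature over (timestamp, raw_packet) pairs. Every alert
    carries the rule text, the decoded fields and the raw packet."""
    alerts = []
    for ts, raw in packets:
        try:
            fields = parse_ipv4_tcp(raw)
        except ValueError:
            continue  # a real sensor would count these; here they are skipped
        if fields["dport"] == sig.dst_port and fields["payload_len"] < sig.max_payload:
            alerts.append(Alert(ts, sig.describe(), fields, raw))
    return alerts


def write_pcap(alerts) -> bytes:
    """Serialise the triggering packets as a libpcap file (link type 101 =
    raw IP) so they can be reread with tcpdump -r or snort -r."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)]
    for a in alerts:
        out.append(struct.pack("<IIII", a.ts, 0, len(a.raw), len(a.raw)) + a.raw)
    return b"".join(out)


# Constructed sample traffic: hosts, ports, timestamps and payloads are made up.
SAMPLE = [
    (1043400000, build_ipv4_tcp("10.1.1.5", "10.1.1.20", 1034, 135, b"", 0x02)),
    (1043400001, build_ipv4_tcp("10.1.1.5", "10.1.1.20", 1034, 135, b"\x05\x00\x0b\x03")),
    (1043400002, build_ipv4_tcp("10.1.1.7", "10.1.1.20", 1040, 135, b"\x05\x00" + b"\x00" * 70)),
    (1043400003, build_ipv4_tcp("10.1.1.5", "10.1.1.20", 1035, 445, b"\xffSMB")),
    (1043400004, b"\x60" + b"\x00" * 39),  # not IPv4: the decoder rejects it
]

if __name__ == "__main__":
    hits = detect(SAMPLE, EPMAP_SMALL)
    for a in hits:
        print(a.rule, a.decoded, a.raw.hex(), sep="\n  ")
    with open("epmap_evidence.pcap", "wb") as f:
        f.write(write_pcap(hits))
```

Run stand-alone, it prints the two alerts (the 0-byte SYN and the 4-byte segment to port 135), each with its rule text and packet hex, and writes epmap_evidence.pcap; the 72-byte segment to port 135 and the small segment to port 445 do not match, and the non-IPv4 record is rejected by the decoder rather than matched. The point is the record shape: an analyst holding the Alert has the definition, the decoded fields and the bytes, and is no longer "at the mercy of whatever info the IDS console provides".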
    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 07:49:11 PST