I am using a product called Dragon which does record packet data. You can see the packet sizes/data sizes/raw packet info and stuff like that. You can even re-create it into a tcpdump format to use tcpdump-based forensics utilities. Snort can and will also do this.

Jason

----- Original Message -----
From: "H C" <keydet89at_private>
To: <forensicsat_private>
Sent: Friday, January 24, 2003 9:34 AM
Subject: IDS and forensics

> I'm interested in others' views of network IDS systems
> when looking at incident response and forensics
> activities.
>
> This comes up from my hands-on dealings w/ IDSs like
> RealSecure and NetProwler. These systems provide
> alerts, but don't keep the actual packets that
> initiate the alerts. I've done some research w/
> NetProwler specifically, and haven't been able to find
> any explicit definition or descriptions of the alerts.
> So I'll see an alert for "MS RPC portmapper small
> packets", but I have no way of determining what
> "small" is...and since we do a lot of DCOM on that
> subnet, I'd really like to see what the actual
> contents of the packet are...but can't through
> NetProwler. I know I could load up snort or tcpdump,
> and do captures that way, but Symantec recently
> announced that it's no longer supporting NetProwler,
> so...
>
> About a year ago I was working w/ RealSecure and had
> the same issues...couldn't see what the packet
> contents were, nor could I see what the actual details
> of the filter were. On top of that, the ability to
> create user-defined filters is extremely limited.
>
> What this leads to is the question of how useful such
> systems are in the face of network forensics. If the
> packet contents themselves aren't saved in some way,
> but only used to trigger an alert, then how suitable
> are such systems for forensics? To take a step back,
> if the signatures themselves aren't viewable, and only
> the alert, then how does the admin *really* determine
> what happened? In most cases, they'd be at the mercy
> of whatever info the IDS console provides.
>
> Thoughts?
>
> Carv
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
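Added example, not code from this thread or from Dragon or Snort: a small reader for tcpdump-format (pcap) captures that pulls out what an alert like "MS RPC portmapper small packets" would have fired on, so the analyst can see the actual bytes instead of only the console message. It assumes the MS RPC endpoint mapper on TCP port 135, an assumed payload-size threshold (the alert never defines "small"), and a capture constructed in memory rather than a real one.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # tcpdump/pcap magic as written by a little-endian host

def build_frame(dst_port: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums zeroed; enough for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return eth + ip + tcp + payload

def build_pcap(frames) -> bytes:
    """Wrap frames in a pcap file: 24-byte global header, 16-byte record headers."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = (struct.pack("<IIII", 1043400000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames))
    return hdr + b"".join(recs)

def small_rpc_packets(pcap: bytes, max_payload: int = 8):
    """Return (frame_no, src_ip, payload_len, payload) for TCP frames to port 135
    (the MS RPC endpoint mapper) whose payload is shorter than max_payload.
    The threshold is an assumption: the alert text itself never defines 'small'."""
    magic, = struct.unpack("<I", pcap[:4])
    end = "<" if magic == PCAP_MAGIC else ">"    # honour the writer's byte order
    off, frame_no, hits = 24, 0, []
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off, frame_no = off + 16 + caplen, frame_no + 1
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4/TCP, or truncated
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue                              # TCP header cut off by snaplen
        dport = struct.unpack("!H", tcp[2:4])[0]
        payload = tcp[(tcp[12] >> 4) * 4:]
        if dport == 135 and len(payload) < max_payload:
            hits.append((frame_no, src, len(payload), payload))
    return hits

def demo():
    """Constructed capture: two tiny packets to 135, one normal-size 135 packet, one HTTP."""
    frames = [build_frame(135, b"\x05\x00"),
              build_frame(135, b"\x05\x00" + b"\x00" * 70),
              build_frame(80, b"GET / HTTP/1.0\r\n\r\n"),
              build_frame(135, b"")]
    return small_rpc_packets(build_pcap(frames))
```

The same parser works on a capture written with tcpdump -w or Snort's binary logging, since both produce this record layout.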
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 12:02:01 PST