RE: IDS and forensics

From: Kowalski, Thomas TL26C (Thomas.Kowalskiat_private)
Date: Fri Jan 24 2003 - 13:07:42 PST

  • Next message: Dave Mitchell: "Re: IDS and forensics"

    Actually, check out this software. It's called Demarc/PureSecure.
    http://www.demarc.com/  Free for personal use, not too bad for commercial
    use.  It's basically a nice web front end with Snort as the IDS.  It relies
    on MySQL as the data warehouse.  I've been using it for several months, and it's
    been nothing short of fantastic.  
    
    Thomas Kowalski, Security Compliance Officer
    Group Insurance Systems,  Application Development Support
    Routing TL26C
    215.761.8872 (phone)
    609.254.2138 (cell) 
    215.761.5618 (fax)
    thomas.kowalskiat_private
    
    "SCIENTIA EST POTENTIA" 
    
    Confidential, unpublished property of CIGNA.
    Do not duplicate or distribute.
    Use and distribution limited solely to authorized personnel. 
    (c) Copyright 2003 (CIGNA) 
    
    
    
    -----Original Message-----
    From: perrierorat_private
    [mailto:perrierorat_private] 
    Sent: Friday, January 24, 2003 11:49 AM
    To: keydet89at_private
    Cc: forensicsat_private
    Subject: Re: IDS and forensics
    
    
    Seems to me that this is the software that you are looking for.
    
    http://www.nswc.navy.mil/ISSEC/CID/index.html
    It's called Shadow. It does IDS and also logs all the packets. Seems very
    configurable to me.
    
    Robert Perriero
    Montclair State University
    Systems and Security Group
    
    > I'm interested in other's views of network IDS systems
    > when looking at incident response and forensics
    > activities.
    >
    > This comes up from my hands-on dealings w/ IDSs like RealSecure and 
    > NetProwler.  These systems provide alerts, but don't keep the actual 
    > packets that initiate the alerts.  I've done some research w/
    > NetProwler specifically, and haven't been able to find
    > any explicit definition or descriptions of the alerts.
    >  So I'll see an alert for "MS RPC portmapper small
    > packets", but I have no way of determining what
    > "small" is...and since we do a lot of DCOM on that
    > subnet, I'd really like to see what the actual
    > contents of the packet are...but can't through
    > NetProwler.  I know I could load up snort or tcpdump,
    > and do captures that way, but Symantec recently
    > announced that it's no longer supporting NetProwler,
    > so...
    >
    > About a year ago I was working w/ RealSecure and had
    > the same issues...couldn't see what the packet
    > contents were, nor could I see what the actual details
    > of the filter were.  On top of that, the ability to
    > create user-defined filters is extremely limited.
    >
    > What this leads to is the question of how useful such
    > systems are in the face of network forensics.  If the
    > packet contents themselves aren't saved in some way,
    > but only used to trigger an alert, then how suitable
    > are such systems for forensics?  To take a step back,
    > if the signatures themselves aren't viewable, and only
    > the alert, then how does the admin *really* determine
    > what happened?  In most cases, they'd be at the mercy
    > of whatever info the IDS console provides.
    >
    > Thoughts?
    >
    > Carv
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For 
    > more information on this free incident handling, management and 
    > tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
    
    
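Added example, not part of any message in this thread: a small Python sketch of the two things Carv's question asks an IDS for, a rule whose definition is readable (the threshold behind "small" is an explicit number in the rule text) and the triggering packet retained in a pcap file beside the alert rather than discarded after the alert fires. The sample frames, the port (135/tcp for the MS RPC endpoint mapper) and the 16-byte threshold are constructed here for illustration and are not taken from NetProwler, RealSecure or any other product discussed above.

```python
import struct
import time
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero because
    this is constructed sample traffic, not a capture."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Pull out the fields the rule engine needs; None for non-IPv4/TCP frames."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field: 6 is TCP
        return None
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {
        "src": ".".join(map(str, frame[26:30])),
        "dst": ".".join(map(str, frame[30:34])),
        "sport": sport,
        "dport": dport,
        "payload_len": len(frame) - (tcp_off + data_off),
    }


@dataclass
class Rule:
    name: str
    dport: int
    max_payload: int  # the meaning of "small", stated in the rule rather than hidden

    def describe(self):
        return f"{self.name}: TCP to port {self.dport} with payload <= {self.max_payload} bytes"

    def matches(self, pkt):
        return pkt["dport"] == self.dport and pkt["payload_len"] <= self.max_payload


def inspect(frames, rules):
    """Return (alerts, retained_frames). Each alert records the rule text and the
    index of the frame that fired it; that frame is kept for the pcap."""
    alerts, retained = [], []
    for idx, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        for rule in rules:
            if rule.matches(pkt):
                alerts.append({"rule": rule.describe(), "frame_index": idx, **pkt})
                retained.append(frame)
    return alerts, retained


def write_pcap(frames, ts=None):
    """Serialise frames as a classic libpcap byte stream (little-endian, Ethernet
    link type) so the retained packets open in tcpdump or Wireshark."""
    ts = int(ts if ts is not None else time.time())
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: two short and one longer packet to 135/tcp, one to 445/tcp.
SAMPLE_FRAMES = [
    build_tcp_frame("10.0.0.5", "10.0.0.10", 40001, 135, b"\x05\x00\x0b"),         # 3 bytes
    build_tcp_frame("10.0.0.6", "10.0.0.10", 40002, 135, b"\x05\x00" + b"A" * 70),  # 72 bytes
    build_tcp_frame("10.0.0.7", "10.0.0.10", 40003, 135, b""),                     # 0 bytes
    build_tcp_frame("10.0.0.5", "10.0.0.10", 40004, 445, b"\x00"),                 # other port
]

# Assumed threshold (16 bytes); the point is that it is visible, not that it is right.
RULES = [Rule("MS RPC portmapper small packets", dport=135, max_payload=16)]


def run(frames=SAMPLE_FRAMES, rules=RULES):
    alerts, retained = inspect(frames, rules)
    return alerts, write_pcap(retained, ts=1043442000)


if __name__ == "__main__":
    found, pcap = run()
    for a in found:
        print(f"[{a['frame_index']}] {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} "
              f"payload={a['payload_len']}  {a['rule']}")
    with open("alerts.pcap", "wb") as fh:
        fh.write(pcap)
```

With the sample traffic, frames 0 and 2 fire (3 and 0 bytes of payload, both under the stated 16-byte limit), frame 1 does not (72 bytes), and frame 3 is on another port. The analyst gets the rule text in the alert itself and the exact packets in alerts.pcap, which is the pairing Carv found missing in the console-only products.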
    



    This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 14:36:00 PST