It is very configurale but has a number of drawbacks. First it uses tcpdump as it's sensor which means that it can't, easily, monitor packet payload contents. Second it uses tcpdumps syntax for it's configuration file so it's very hard to get it right, Third, it's not realtime, your console is always an hour old. Lastly, it's a diskspace hog because it stores everything on the sensor, all traffic the sensor sees it saves (by default, but it is configurable via the tcpdump file). The management station hourly downloads the sensor data and runs it thru filters to reduce it. On a small lan (~12 hosts, all web servers, and one sensor) I was getting about 512Mb a day after reduction, but it was very useful data. Tom Arseneault Security Engineer Counterpane Internet Security. "All humans are born Right-Handed...but the great ones overcome it." -----Original Message----- From: perrierorat_private [mailto:perrierorat_private] Sent: Friday, January 24, 2003 8:49 AM To: keydet89at_private Cc: forensicsat_private Subject: Re: IDS and forensics Seems to me that this is the software that you are looking for. http://www.nswc.navy.mil/ISSEC/CID/index.html its called shadow. does IDS and also logs all the packets. Seems very configurable to me. Robert Perriero Montclair State University Systems and Security Group > I'm interested in other's views of network IDS systems > when looking at incident response and forensics > activities. > > This comes up from my hands-on dealings w/ IDSs like > RealSecure and NetProwler. These systems provide > alerts, but don't keep the actual packets that > initiate the alerts. I've done some research w/ > NetProwler specifically, and haven't been able to find > any explicit definition or descriptions of the alerts. > So I'll see an alert for "MS RPC portmapper small > packets", but I have no way of determining what > "small" is...and since we do a lot of DCOM on that > subnet, I'd really like to see what the actual > contents of the packet are...but can't through > NetProwler. I know I could load up snort or tcpdump, > and do captures that way, but Symantec recently > announced that it's no longer supporting NetProwler, > so... > > About a year ago I was working w/ RealSecure and had > the same issues...couldn't see what the packet > contents were, nor could I see what the actual details > of the filter were. On top of that, the ability to > create user-defined filters is extremely limited. > > What this leads to is the question of how useful such > systems are in the face of network forensics. If the > packet contents themselves aren't saved in some way, > but only used to trigger an alert, then how suitable > are such systems for forensics? To take a step back, > if the signatures themselves aren't viewable, and only > the alert, then how does the admin *really* determine > what happened? In most cases, they'd be at the mercy > of whatever info the IDS console provides. > > Thoughts? > > Carv > > __________________________________________________ > Do you Yahoo!? > Yahoo! Mail Plus - Powerful. Affordable. Sign up now. > http://mailplus.yahoo.com > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 15:08:00 PST