Think of it as any other log that you have and its value to you. Win Sec Event Logs don't capture ALL of the information. Most logs don't. In addition, due to the hardware requirements, capturing and saving all packets would be cost prohibitive. For instance, on my IDS I could receive say 500 alerts per day across 200 servers (informational as well as hi, med, lo alerts). Now capture the associated packets and I've got some serious issues with storage. Most of which I will never look at in great detail. Not that I might not necessarily want to; however, I just don't have the resources.

So as in any good network investigation you're going to have to do some log correlation and research. Forensics is a PROCESS of collecting, analyzing and preserving evidence. Your EVIDENCE is the logs (whether sec.evt, syslog, sulog, IDS logs, firewall, etc.). So your question about whether IDS is forensically valuable is a little off, IMHO. ALL good logs are valuable EVIDENCE and I consider IDS a good log providing it is tuned properly and configured properly. It correlates events from a number of areas and centralizes them. I don't need a packet necessarily for a forensic investigation. If the log logs the IP addresses and other relevant information, I can rely on the signature definition from the IDS vendor for support in court.

To get a little off topic, if I start describing packets and their contents in court, I'll lose my audience. You have to keep it simple because the audience is not normally technical. By describing the IDS signatures and showing how they are similar to, say, virus signatures in how they are picked up, that is familiar to many and they can identify with it. If something serious is happening, by all means, turn the sniffer on and start dumping your packets.

If you have questions regarding what exactly an IDS signature means and the parameters for the alarm, call your IDS. They should have given you documentation (RTFM), and if that is not clear, call them.
That's what you pay them for.

> -----Original Message-----
> From: H C [mailto:keydet89at_private]
> Sent: Friday, January 24, 2003 10:34 AM
> To: forensicsat_private
> Subject: IDS and forensics
>
>
> I'm interested in others' views of network IDS systems
> when looking at incident response and forensics
> activities.
>
> This comes up from my hands-on dealings w/ IDSs like
> RealSecure and NetProwler. These systems provide
> alerts, but don't keep the actual packets that
> initiate the alerts. I've done some research w/
> NetProwler specifically, and haven't been able to find
> any explicit definition or descriptions of the alerts.
> So I'll see an alert for "MS RPC portmapper small
> packets", but I have no way of determining what
> "small" is...and since we do a lot of DCOM on that
> subnet, I'd really like to see what the actual
> contents of the packet are...but can't through
> NetProwler. I know I could load up snort or tcpdump,
> and do captures that way, but Symantec recently
> announced that it's no longer supporting NetProwler,
> so...
>
> About a year ago I was working w/ RealSecure and had
> the same issues...couldn't see what the packet
> contents were, nor could I see what the actual details
> of the filter were. On top of that, the ability to
> create user-defined filters is extremely limited.
>
> What this leads to is the question of how useful such
> systems are in the face of network forensics. If the
> packet contents themselves aren't saved in some way,
> but only used to trigger an alert, then how suitable
> are such systems for forensics? To take a step back,
> if the signatures themselves aren't viewable, and only
> the alert, then how does the admin *really* determine
> what happened? In most cases, they'd be at the mercy
> of whatever info the IDS console provides.
>
> Thoughts?
>
> Carv
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
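As an added example, not part of the list post or of any IDS vendor's product, here is a small Python sketch of the log correlation the reply describes: an IDS alert that carries only a timestamp, signature name and IP pair is joined against firewall and host log records in a time window around it, and the assembled record is hashed so the preserved evidence can later be shown unchanged. The log layouts, IP addresses and event text are constructed for illustration and do not reproduce NetProwler's real alert format.

```python
"""Correlate a payload-less IDS alert with firewall and host logs.
Example code added to this archive page; sample data is constructed."""
import hashlib
import json
from datetime import datetime, timedelta

# Constructed sample logs (not real data): (timestamp, signature, src_ip, dst_ip)
IDS_ALERTS = [
    ("2003-01-24 10:31:02", "MS RPC portmapper small packets", "10.1.1.5", "10.1.2.20"),
]
# (timestamp, action, src_ip, dst_ip, dst_port)
FIREWALL_LOG = [
    ("2003-01-24 10:30:58", "ACCEPT", "10.1.1.5", "10.1.2.20", 135),
    ("2003-01-24 10:31:01", "ACCEPT", "10.1.1.5", "10.1.2.20", 135),
    ("2003-01-24 10:40:00", "ACCEPT", "10.1.1.9", "10.1.2.20", 80),
]
# (timestamp, host_ip, event text) e.g. Windows security events on the target host
HOST_LOG = [
    ("2003-01-24 10:31:05", "10.1.2.20", "EventID 540 network logon from 10.1.1.5"),
    ("2003-01-24 11:00:00", "10.1.2.20", "EventID 538 user logoff"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(alert, firewall, host, window_s=30):
    """Return firewall and host records tied to the alert's IP pair within
    +/- window_s seconds of the alert time. No packet payload is needed;
    the IP pair and time window do the joining."""
    t0 = parse(alert[0])
    lo, hi = t0 - timedelta(seconds=window_s), t0 + timedelta(seconds=window_s)
    src, dst = alert[2], alert[3]
    fw = [r for r in firewall if lo <= parse(r[0]) <= hi and r[2] == src and r[3] == dst]
    hs = [r for r in host if lo <= parse(r[0]) <= hi and r[1] == dst and src in r[2]]
    return {"alert_time": alert[0], "signature": alert[1], "src": src, "dst": dst,
            "firewall": fw, "host": hs}


def evidence_digest(record):
    """SHA-256 over a canonical JSON form of the correlated record, so the
    preserved copy can be compared against what was analyzed."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    rec = correlate(IDS_ALERTS[0], FIREWALL_LOG, HOST_LOG)
    print(json.dumps(rec, indent=2), evidence_digest(rec))
```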
This archive was generated by hypermail 2b30 : Fri Jan 24 2003 - 17:31:44 PST