RE: IDS and forensics

From: William Sykes (wsykesat_private)
Date: Mon Jan 27 2003 - 07:11:15 PST

    I know it is not best practice to try to sell anything on this list, but
    our product does what you are looking for.  The DeepNines FCS Capture
    has the ability to capture every packet, both ingress and egress. It logs
    them all to an Oracle database for forensic mining. The FCS Tool allows
    you to query any packet in the database based on many different
    criteria (time stamp, MAC header, source IP, dest IP, source port, dest
    port, action, direction, etc.). This is a brand new feature, so I would
    like to get some feedback from you all as to what administrators might
    think would be valuable info / practices for such a tool.
    
    The data capture was originally designed to complement the Sleuth9
    Intrusion Prevention System. The Sleuth9 sits inline in front of the
    router. The FCS was to capture the attacks that Sleuth9 was mitigating,
    but we found that a lot of people simply wanted to capture all of the
    data.
    
    There is not a lot of data regarding this FCS mining tool on our site,
    but I would be glad to entertain any questions or suggestions.
    
    -William 
    
    
    On Fri, 2003-01-24 at 15:21, Tom Arseneault wrote:
    > It is very configurable but has a number of drawbacks. First, it uses tcpdump
    > as its sensor, which means that it can't, easily, monitor packet payload
    > contents. Second, it uses tcpdump's syntax for its configuration file, so it's
    > very hard to get it right. Third, it's not real-time; your console is always
    > an hour old. Lastly, it's a disk-space hog because it stores everything on
    > the sensor: all traffic the sensor sees, it saves (by default, but it is
    > configurable via the tcpdump file). The management station hourly downloads
    > the sensor data and runs it through filters to reduce it. On a small LAN (~12
    > hosts, all web servers, and one sensor) I was getting about 512 MB a day
    > after reduction, but it was very useful data.
    > 
    > Tom Arseneault
    > Security Engineer
    > Counterpane Internet Security.
    > "All humans are born Right-Handed...but the great ones overcome it."
    >  
    > 
    > -----Original Message-----
    > From: perrierorat_private
    > [mailto:perrierorat_private]
    > Sent: Friday, January 24, 2003 8:49 AM
    > To: keydet89at_private
    > Cc: forensicsat_private
    > Subject: Re: IDS and forensics
    > 
    > 
    > Seems to me that this is the software that you are looking for.
    > 
    > http://www.nswc.navy.mil/ISSEC/CID/index.html
    > It's called Shadow. It does IDS and also logs all the packets. Seems very
    > configurable to me.
    > 
    > Robert Perriero
    > Montclair State University
    > Systems and Security Group
    > 
    > > I'm interested in others' views of network IDS systems
    > > when looking at incident response and forensics
    > > activities.
    > >
    > > This comes up from my hands-on dealings w/ IDSs like
    > > RealSecure and NetProwler.  These systems provide
    > > alerts, but don't keep the actual packets that
    > > initiate the alerts.  I've done some research w/
    > > NetProwler specifically, and haven't been able to find
    > > any explicit definition or descriptions of the alerts.
    > >  So I'll see an alert for "MS RPC portmapper small
    > > packets", but I have no way of determining what
    > > "small" is...and since we do a lot of DCOM on that
    > > subnet, I'd really like to see what the actual
    > > contents of the packet are...but can't through
    > > NetProwler.  I know I could load up snort or tcpdump,
    > > and do captures that way, but Symantec recently
    > > announced that it's no longer supporting NetProwler,
    > > so...
    > >
    > > About a year ago I was working w/ RealSecure and had
    > > the same issues...couldn't see what the packet
    > > contents were, nor could I see what the actual details
    > > of the filter were.  On top of that, the ability to
    > > create user-defined filters is extremely limited.
    > >
    > > What this leads to is the question of how useful such
    > > systems are in the face of network forensics.  If the
    > > packet contents themselves aren't saved in some way,
    > > but only used to trigger an alert, then how suitable
    > > are such systems for forensics?  To take a step back,
    > > if the signatures themselves aren't viewable, and only
    > > the alert, then how does the admin *really* determine
    > > what happened?  In most cases, they'd be at the mercy
    > > of whatever info the IDS console provides.
    > >
    > > Thoughts?
    > >
    > > Carv
    > >
    > >
    > > -----------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    > 
    -- 
    William Sykes 
    Systems Engineer
    DeepNines
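
    The thread above turns on one capability: keeping every packet, not just
    the alert, and being able to pull packets back out by time stamp, MAC
    header, IP, port and direction (the criteria William lists; the
    payload visibility Carv could not get from NetProwler or RealSecure; the
    tcpdump-file reduction Tom describes). The script below is an added
    example written for this archive page; it is not code from DeepNines,
    Shadow, Counterpane or any other product named in the thread. It parses a
    classic pcap file such as `tcpdump -w` writes, decodes Ethernet/IPv4 with
    TCP or UDP, tags direction against an assumed inside prefix of
    10.0.0.0/24, stores the fields in SQLite (standing in for the Oracle
    database in the post), and answers whitelisted-column queries. The pcap
    bytes are constructed inline so the script runs offline; the DCE/RPC-like
    payloads are made-up sample data.

```python
"""Index a packet capture into SQLite for forensic querying by time stamp,
MAC, IP, port and direction. Added example for this archive page; not code
from DeepNines, Shadow or any product in the thread. Sample pcap constructed
inline so it runs offline; in practice feed it files written by `tcpdump -w`."""
import sqlite3
import struct

# Assumption: the monitored LAN is 10.0.0.0/24. Traffic sourced there is
# "egress", everything else is "ingress".
INSIDE_PREFIX = "10.0.0."

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def _ip(s):
    return bytes(int(o) for o in s.split("."))

def build_tcp_record(ts_sec, src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Build one pcap record (Ethernet/IPv4/TCP, PSH+ACK). Checksums stay zero:
    this is constructed sample data, not a real capture."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     _ip(src_ip), _ip(dst_ip))
    frame = _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip + tcp
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

PCAP_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
ARP_FRAME = _mac("ff:ff:ff:ff:ff:ff") + _mac("00:11:22:33:44:55") + b"\x08\x06" + b"\x00" * 28
SAMPLE_PCAP = (  # constructed: an inbound request to TCP/135, an ARP frame, the reply
    PCAP_HEADER
    + build_tcp_record(1043676000, "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                       "192.0.2.10", "10.0.0.5", 3344, 135, b"\x05\x00\x0b\x03\x10\x00\x00\x00")
    + struct.pack("<IIII", 1043676001, 0, len(ARP_FRAME), len(ARP_FRAME)) + ARP_FRAME
    + build_tcp_record(1043676002, "66:77:88:99:aa:bb", "00:11:22:33:44:55",
                       "10.0.0.5", "192.0.2.10", 135, 3344, b"\x05\x00\x0c\x03")
)

def iter_pcap(data):
    """Yield (timestamp, frame) from a classic pcap byte string, either endianness."""
    magic, = struct.unpack("<I", data[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame):
    """Extract the fields the thread lists; None for anything that is not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    hdr_len = 0
    if proto == 6 and len(l4) >= 20:      # TCP: data offset gives header length
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = (l4[12] >> 4) * 4
    elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        hdr_len = 8
    src_ip = ".".join(map(str, frame[26:30]))
    return {
        "src_mac": frame[6:12].hex(":"), "dst_mac": frame[0:6].hex(":"),
        "src_ip": src_ip, "dst_ip": ".".join(map(str, frame[30:34])),
        "proto": proto, "sport": sport, "dport": dport,
        "direction": "egress" if src_ip.startswith(INSIDE_PREFIX) else "ingress",
        "payload": l4[hdr_len:],
    }

COLUMNS = ("ts", "src_mac", "dst_mac", "src_ip", "dst_ip", "proto", "sport", "dport", "direction")

def index_pcap(data, conn=None):
    """Load every decodable packet into a `packets` table; returns the connection."""
    conn = conn or sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE IF NOT EXISTS packets (ts REAL, src_mac TEXT, dst_mac TEXT, "
                 "src_ip TEXT, dst_ip TEXT, proto INTEGER, sport INTEGER, dport INTEGER, "
                 "direction TEXT, payload BLOB)")
    conn.execute("CREATE INDEX IF NOT EXISTS ix_tuple ON packets (src_ip, dst_ip, dport, ts)")
    rows = []
    for ts, frame in iter_pcap(data):
        p = decode_frame(frame)
        if p is not None:
            rows.append((ts,) + tuple(p[c] for c in COLUMNS[1:]) + (p["payload"],))
    conn.executemany("INSERT INTO packets VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn

def query_packets(conn, **criteria):
    """Query by any combination of the listed criteria. Column names are checked
    against a whitelist and values are bound, so an analyst-typed filter cannot
    become SQL injection against the evidence store."""
    bad = set(criteria) - set(COLUMNS)
    if bad:
        raise ValueError(f"unknown criteria: {sorted(bad)}")
    where = " AND ".join(f"{k} = ?" for k in criteria) or "1"
    sql = ("SELECT ts, src_ip, sport, dst_ip, dport, direction, payload "
           f"FROM packets WHERE {where} ORDER BY ts")
    return conn.execute(sql, tuple(criteria.values())).fetchall()

if __name__ == "__main__":
    db = index_pcap(SAMPLE_PCAP)
    for row in query_packets(db, dport=135, direction="ingress"):
        print(row[:6], row[6].hex())   # the payload an alert-only IDS would not keep
```

    The payload column is what answers Carv's complaint: once the bytes are
    stored, an alert like "MS RPC portmapper small packets" can be checked
    against what actually crossed the wire instead of trusted blindly. The
    whitelist in `query_packets` is the one piece of hardening worth
    insisting on in any "query by arbitrary criteria" tool that sits on top
    of a database, since the evidence store is exactly where an attacker
    would like to run their own SQL.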
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 03:21:52 PST