
Re: IDS and forensics

From: Dave Mitchell <dmitchell(at)viawest.net>
Date: Fri Jan 24 2003 - 17:21:05 EST

Lee,
  Most IDSs use PCAP to log packets to disk. This can cause a fundamental problem when the box has a high load pushed at it. You can either miss packet logging due to the I/O not being able to keep up with the streams, frames lost as the box cannot buffer enough to keep up, the disk becoming full, or just the meltdown of the box.

  A nice way to do this for forensics is to log based on multiple criteria such as srcip, destip, port, attack, etc. The problem of a PCAP core of most IDSes is that they either log everything to disk or nothing. The only IDS I've used that can log only flows that you care about to disk and give you an easy method of viewing/exporting them for forensic purposes is the Netscreen IDP, since they use a flow based system just like a firewall. I'm not sure about the other very high end 100M/1GB+ line rate IDSes out there, so I can't tell you if they do it.

-dave

On Fri, Jan 24, 2003 at 10:57:45AM -0500, Kelly, Lee wrote:
> RealSecure has the capability to capture the packets, the issue is it
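The flow-based selective logging Dave describes, as an added example that is not part of the original message and not code from RealSecure or the Netscreen IDP. It is a simulation: the packet records, the selection rules (destination port 22 or a signature named "web-attack") and the 3000-byte disk budget are all constructed for the example, and a real sensor would feed it from a libpcap capture instead. Running the same traffic through a log-everything logger and a criteria-based one shows the failure mode from the thread: once the budget is exhausted, the log-everything logger drops packets from exactly the flows an analyst would later want.

```python
"""Selective flow logging under a fixed disk budget (added example, not from the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    size: int                    # bytes on the wire
    alert: Optional[str] = None  # name of the signature that fired, if any


@dataclass
class Criteria:
    """One selection rule; every field that is set must match (logical AND)."""
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    alert: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or p.src == self.src)
                and (self.dst is None or p.dst == self.dst)
                and (self.dport is None or p.dport == self.dport)
                and (self.alert is None or p.alert == self.alert))


FlowKey = Tuple[str, str, int]  # (src, dst, dport)


class FlowLogger:
    """Groups accepted packets by flow and refuses writes beyond a byte budget."""

    def __init__(self, criteria: Optional[List[Criteria]], budget_bytes: int):
        self.criteria = criteria  # None means "log everything", like a plain PCAP core
        self.budget = budget_bytes
        self.used = 0
        self.flows: Dict[FlowKey, List[Packet]] = {}
        self.stats = {"logged": 0, "ignored": 0, "dropped_full": 0}

    def wanted(self, p: Packet) -> bool:
        if self.criteria is None:
            return True
        return any(c.matches(p) for c in self.criteria)

    def offer(self, p: Packet) -> str:
        """Returns what happened to the packet so callers can account for loss."""
        if not self.wanted(p):
            self.stats["ignored"] += 1
            return "ignored"
        if self.used + p.size > self.budget:      # disk full: the packet is lost
            self.stats["dropped_full"] += 1
            return "dropped_full"
        self.used += p.size
        self.flows.setdefault((p.src, p.dst, p.dport), []).append(p)
        self.stats["logged"] += 1
        return "logged"

    def export_flow(self, key: FlowKey) -> List[dict]:
        """Hand one flow to an analyst as plain records (the forensic export step)."""
        return [vars(p) for p in self.flows.get(key, [])]


# Constructed traffic: two SSH packets, two packets with a signature hit, two plain web packets.
SAMPLE = [
    Packet(1.0, "10.0.0.5", "192.0.2.10", 80, 500),
    Packet(1.1, "10.0.0.5", "192.0.2.10", 22, 1000),
    Packet(1.2, "10.0.0.7", "192.0.2.10", 80, 800, alert="web-attack"),
    Packet(1.3, "10.0.0.5", "192.0.2.10", 22, 1000),
    Packet(1.4, "10.0.0.7", "192.0.2.10", 80, 800, alert="web-attack"),
    Packet(1.5, "10.0.0.5", "192.0.2.10", 443, 200),
]
# Constructed rules: keep SSH flows and anything that tripped the "web-attack" signature.
RULES = [Criteria(dport=22), Criteria(alert="web-attack")]


def run_demo(budget: int = 3000) -> dict:
    everything = FlowLogger(None, budget)
    selective = FlowLogger(RULES, budget)
    for p in SAMPLE:
        everything.offer(p)
        selective.offer(p)
    return {
        "everything": everything.stats,
        "everything_flows": {k: len(v) for k, v in everything.flows.items()},
        "selective": selective.stats,
        "selective_flows": {k: len(v) for k, v in selective.flows.items()},
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

With the 3000-byte budget the log-everything logger fills up on uninteresting traffic and drops the second SSH packet and the second signature hit, while the selective logger keeps both SSH packets and one of the two alerts before it too runs out of room; the `dropped_full` counter is what a defender should alert on, since a silent drop is what makes the later forensic export incomplete.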



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Jan 24 17:42:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:42 EDT

