It is very configurable but has a number of drawbacks. First, it uses tcpdump
as its sensor, which means that it can't easily monitor packet payload
contents. Second, it uses tcpdump's syntax for its configuration file, so it's
very hard to get it right. Third, it's not realtime; your console is always
an hour old. Lastly, it's a diskspace hog because it stores everything on
the sensor: all traffic the sensor sees, it saves (by default, but it is
configurable via the tcpdump file). The management station hourly downloads
the sensor data and runs it through filters to reduce it. On a small LAN (~12
hosts, all web servers, and one sensor) I was getting about 512Mb a day
after reduction, but it was very useful data.
Tom Arseneault
Security Engineer
Counterpane Internet Security.
"All humans are born Right-Handed...but the great ones overcome it."
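The sensor/management-station split Tom describes above (the sensor keeps the raw tcpdump capture, the management station pulls it hourly and runs it through filters to discard expected traffic) can be illustrated with a small reduction pass. The script below is an added example, not code from the thread or from the Shadow project: it builds a tiny pcap in memory from constructed frames, parses Ethernet/IPv4/TCP headers by hand, and drops packets that match a hypothetical "these hosts are web servers" policy, keeping everything else for the analyst. The addresses, ports and policy are all assumptions.

```python
"""Toy version of an hourly IDS 'reduction' step (added example, not Shadow's own code)."""
import struct
from collections import Counter

LOCAL_NET = "192.0.2."       # assumed: the sensor's web-server LAN (TEST-NET-1 documentation range)
SERVICE_PORTS = {80, 443}    # assumed policy: the only services those hosts are expected to offer


def ipv4_tcp_frame(src, dst, sport, dport, payload=b""):
    """Build an Ethernet/IPv4/TCP frame (constructed test data; checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp


def build_pcap(packets):
    """Serialize (timestamp, frame) pairs as a classic little-endian pcap, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(pcap):
    """Yield (timestamp, frame) from a pcap blob written by build_pcap."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("unexpected pcap magic")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (src, dst, proto, sport, dport) for Ethernet/IPv4 TCP or UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # not IPv4 (e.g. ARP): leave it to the analyst
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return src, dst, proto, sport, dport


def is_expected(p):
    """Policy: TCP to/from a local host on one of its service ports is 'known good'."""
    src, dst, proto, sport, dport = p
    if proto != 6:
        return False
    return (dst.startswith(LOCAL_NET) and dport in SERVICE_PORTS) or \
           (src.startswith(LOCAL_NET) and sport in SERVICE_PORTS)


def reduce_capture(pcap):
    """Drop expected traffic; return (kept (ts, frame) list, byte/packet stats)."""
    kept, stats = [], Counter()
    for ts, frame in iter_packets(pcap):
        stats["raw_packets"] += 1
        stats["raw_bytes"] += len(frame)
        p = parse_frame(frame)
        if p is not None and is_expected(p):
            continue                     # normal web traffic: not worth an analyst's time
        kept.append((ts, frame))
        stats["kept_packets"] += 1
        stats["kept_bytes"] += len(frame)
    return kept, stats


# Constructed "one hour" of sensor data: a web client session, plus three oddities.
CLIENT, WEB, OUTSIDE = "198.51.100.5", "192.0.2.10", "203.0.113.7"
SAMPLE_PCAP = build_pcap([
    (1000, ipv4_tcp_frame(CLIENT, WEB, 40001, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1000, ipv4_tcp_frame(WEB, CLIENT, 80, 40001, b"HTTP/1.0 200 OK\r\n")),
    (1001, ipv4_tcp_frame(CLIENT, WEB, 40002, 443)),
    (1001, ipv4_tcp_frame(WEB, CLIENT, 443, 40002)),
    (1002, ipv4_tcp_frame(CLIENT, WEB, 40001, 80)),
    (1500, ipv4_tcp_frame(WEB, OUTSIDE, 51000, 6667)),    # web server calling out: kept
    (1600, ipv4_tcp_frame(OUTSIDE, WEB, 51001, 22)),      # inbound to a non-service port: kept
    (1700, b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28),    # ARP frame: kept (not IPv4)
])

if __name__ == "__main__":
    kept, stats = reduce_capture(SAMPLE_PCAP)
    print(dict(stats))
    for ts, frame in kept:
        print(ts, parse_frame(frame))
```

As in the setup Tom describes, nothing is deleted on the sensor; the reduction only shrinks what the analyst looks at, so a bad filter can be revisited against the full capture later. The two kept TCP packets (a web server initiating an outbound connection, and an inbound SSH attempt) are exactly the kind of thing that makes the reduced data "very useful".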
-----Original Message-----
From: perrieror@ssginfo.montclair.edu
[mailto:perrieror@ssginfo.montclair.edu]
Sent: Friday, January 24, 2003 8:49 AM
To: keydet89@yahoo.com
Cc: forensics@securityfocus.com
Subject: Re: IDS and forensics
Seems to me that this is the software that you are looking for.
http://www.nswc.navy.mil/ISSEC/CID/index.html
It's called Shadow. It does IDS and also logs all the packets. Seems very
configurable to me.
Robert Perriero
Montclair State University
Systems and Security Group
> I'm interested in others' views of network IDS systems
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Fri Jan 24 18:08:28 2003
This archive was generated by hypermail 2.1.8: Wed Aug 23 2006 - 14:01:42 EDT