RE: IDS and forensics
From: Robinson, Sonja <SRobinson(at)HIPUSA.com>
Date: Fri Jan 24 2003 - 15:33:13 EST
Forensics is a PROCESS of collecting, analyzing and preserving evidence. Your EVIDENCE is the logs (whether sec.evt, syslog, sulog, IDS logs, firewall, etc.). So your question about whether IDS is forensically valuable is a little off, IMHO. ALL good logs are valuable EVIDENCE, and I consider IDS a good log providing it is tuned properly and configured properly. It correlates events from a number of areas and centralizes them.

I don't need a packet necessarily for a forensic investigation. If the log logs the IP addresses and other relevant information, I can rely on the signature definition from the IDS vendor for support in court. To get a little off topic, if I start describing packets and their contents in court, I'll lose my audience. You have to keep it simple because the audience is not normally technical. By describing the IDS signatures and showing how they are similar to, say, virus signatures in how they are picked up, that is familiar to many and they can identify with it. If something serious is happening, by all means, turn the sniffer on and start dumping your packets.

If you have questions regarding what exactly an IDS signature means and the parameters for the alarm, call your IDS vendor. They should have given you documentation (RTFM), and if that is not clear, call them. That's what you pay them for.

> -----Original Message-----
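The post's point is that IDS alerts are one log among several and that their value comes from correlating them with the other records (firewall, host syslog) by IP address and time, then preserving the result. The following is an added example, not code from the original message or from any IDS product, showing that process end to end: it parses three constructed log sources, clusters events per source IP inside a time window, keeps only clusters where an IDS alert is corroborated by a second source, and hashes the resulting evidence bundle so it can be shown later that the exported record was not altered. The log line layouts, IP addresses, signature IDs and message texts are all made up for the example and are not any vendor's real format.

```python
"""Correlate IDS, firewall and host log lines by source IP and time window,
then preserve the correlated evidence with a SHA-256 digest.

Added example. All log lines below are CONSTRUCTED for illustration; their
layouts are simplified and deliberately do not imitate any vendor's format.
"""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not real captures). Each source has its own layout.
IDS_LOG = """\
2003-01-24T15:31:02 ALERT sid=1001 msg="WEB-ATTACK cmd.exe access" src=10.1.2.3 dst=192.168.10.5 dport=80
2003-01-24T15:31:09 ALERT sid=1002 msg="WEB-ATTACK directory traversal" src=10.1.2.3 dst=192.168.10.5 dport=80
2003-01-24T16:05:40 ALERT sid=1001 msg="WEB-ATTACK cmd.exe access" src=172.16.9.9 dst=192.168.10.5 dport=80
"""
FIREWALL_LOG = """\
2003-01-24T15:30:58 ACCEPT proto=tcp src=10.1.2.3 dst=192.168.10.5 dport=80
2003-01-24T15:31:01 ACCEPT proto=tcp src=10.1.2.3 dst=192.168.10.5 dport=80
2003-01-24T15:34:12 DROP proto=tcp src=10.1.2.3 dst=192.168.10.5 dport=445
2003-01-24T16:05:39 ACCEPT proto=tcp src=172.16.9.9 dst=192.168.10.5 dport=80
"""
HOST_LOG = """\
2003-01-24T15:31:12 web01 httpd: GET /scripts/..%c1%1c../winnt/system32/cmd.exe from 10.1.2.3 status=200
2003-01-24T15:50:00 web01 sshd: accepted login for admin from 192.168.10.20
"""

TS_RE = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
IP_RE = r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"

# One parser per (constructed) source layout; every parser yields ts and src.
PARSERS = {
    "ids": re.compile(TS_RE + r' ALERT sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" src=' + IP_RE),
    "firewall": re.compile(TS_RE + r" (?P<action>ACCEPT|DROP) proto=\w+ src=" + IP_RE
                           + r" dst=\S+ dport=(?P<dport>\d+)"),
    "host": re.compile(TS_RE + r" (?P<host>\S+) (?P<daemon>\w+): (?P<msg>.*?) from " + IP_RE),
}


def parse_logs(source, text):
    """Normalize raw lines of one source into events keyed by timestamp and source IP."""
    pattern = PARSERS[source]
    events = []
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue  # in a real case, unparsed lines should be reported, not silently dropped
        fields = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(fields.pop("ts")),
            "source": source,
            "src": fields.pop("src"),
            "detail": fields,
            "raw": line,  # the original line is the evidence; keep it verbatim
        })
    return events


def _as_incident(ip, cluster):
    """Keep a cluster only if an IDS alert is corroborated by at least one other source."""
    sources = {e["source"] for e in cluster}
    if "ids" not in sources or len(sources) < 2:
        return None
    return {
        "src": ip,
        "start": cluster[0]["ts"].isoformat(),
        "end": cluster[-1]["ts"].isoformat(),
        "sources": sorted(sources),
        "events": [e["raw"] for e in cluster],
    }


def correlate(events, window=timedelta(minutes=5)):
    """Group events by source IP, split each group where the time gap exceeds the window."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src"]].append(e)
    incidents = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        cluster = [evs[0]]
        for e in evs[1:]:
            if e["ts"] - cluster[-1]["ts"] <= window:
                cluster.append(e)
            else:
                inc = _as_incident(ip, cluster)
                if inc:
                    incidents.append(inc)
                cluster = [e]
        inc = _as_incident(ip, cluster)
        if inc:
            incidents.append(inc)
    incidents.sort(key=lambda i: i["start"])
    return incidents


def preserve(incidents):
    """Serialize the incidents deterministically and hash the bytes for later integrity checks."""
    bundle = json.dumps(incidents, indent=2, sort_keys=True).encode()
    return bundle, hashlib.sha256(bundle).hexdigest()


def build_case():
    events = (parse_logs("ids", IDS_LOG) + parse_logs("firewall", FIREWALL_LOG)
              + parse_logs("host", HOST_LOG))
    incidents = correlate(events)
    _bundle, digest = preserve(incidents)
    return incidents, digest


if __name__ == "__main__":
    incidents, digest = build_case()
    for inc in incidents:
        print(f"{inc['src']}: {inc['start']} .. {inc['end']} "
              f"sources={inc['sources']} events={len(inc['events'])}")
    print("evidence bundle sha256:", digest)
```

Run as-is it reports two corroborated incidents (10.1.2.3 seen by firewall, IDS and web server within a few minutes; 172.16.9.9 seen by firewall and IDS) and ignores the lone sshd login that no IDS alert points at. The raw lines are carried into the bundle untouched, and the digest is computed over a deterministically serialized copy, which is what lets you later show that the exported evidence matches what was collected; record the digest somewhere outside the bundle at collection time.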
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.

Received on Fri Jan 24 20:32:12 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT