Re: IDS and forensics

From: Talisker <offthecuff(at)lineone.net>
Date: Mon Jan 27 2003 - 13:37:50 EST

Hi Carv
Good one, there is a variety of IDS that will capture packets; including but NOT restricted to Snort, SecureNetPro and BlackICE.

Snort and SecureNetPro will catch the offending packets, though both can easily catch all packets if set to do so. With SecureNetPro you can install TCPdump, or you set logging for certain events to include packet dump. This is on a event by event basis, so it can be time consuming getting the settings correct. (I could be wrong)

BlackICE is very cool not only does it retain the offending packet in an evidence file but is also has a sliding window where it catches all packets, overwriting the older ones in accordance with your settings. On a busy network though you have to get in there quick or have a HUGE drive. BlackICE has been end of lifed by ISS replaced by RealSecure, I'm doing their advanced course in a few weeks so I can get back to you on how well it does packet capture, though I'd be very surprised if any IDS out there didn't at least log offending packets.

For reactive forensics ie you know something is going on and you want to catch them in the act then SecureNetPro through it's Linux console will allow you to watch live sessions as they materialise great for Hotmail etc. Through it's new Windows client is has a pretty cool forensics interface. This to me isn't what I call forensics but it does allow you to get to the bottom of a problem on a big network.

At the end of the day though you can't beat (IMHO) Ethereal it has fantastic network protocol savvy, though Iris has a nice front end and allows you to replay the packets without having to feed them through TCP Replay, say on a test network.

Take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message -----
From: "H C" <keydet89@yahoo.com>
To: <forensics@securityfocus.com>
Sent: Friday, January 24, 2003 3:34 PM
Subject: IDS and forensics

> I'm interested in other's views of network IDS systems
> when looking at incident response and forensics
> activities.
>
> This comes up from my hands-on dealings w/ IDSs like
> RealSecure and NetProwler. These systems provide
> alerts, but don't keep the actual packets that
> initiate the alerts. I've done some research w/
> NetProwler specifically, and haven't been able to find
> any explicit definition or descriptions of the alerts.
> So I'll see an alert for "MS RPC portmapper small
> packets", but I have no way of determining what
> "small" is...and since we do a lot of DCOM on that
> subnet, I'd really like to see what the actual
> contents of the packet are...but can't through
> NetProwler. I know I could load up snort or tcpdump,
> and do captures that way, but Symantec recently
> announced that it's no longer supporting NetProwler,
> so...
>
> About a year ago I was working w/ RealSecure and had
> the same issues...couldn't see what the packet
> contents were, nor could I see what the actual details
> of the filter were. On top of that, the ability to
> create user-defined filters is extremely limited.
>
> What this leads to is the question of how useful such
> systems are in the face of network forensics. If the
> packet contents themselves aren't saved in some way,
> but only used to trigger an alert, then how suitable
> are such systems for forensics? To take a step back,
> if the signatures themselves aren't viewable, and only
> the alert, then how does the admin *really* determine
> what happened? In most cases, they'd be at the mercy
> of whatever info the IDS console provides.
>
> Thoughts?
>
> Carv
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Jan 27 15:25:00 2003