Dailydave mailing list archives

Re: halvar, record gigabit networking? IDS for forensics?


From: "Bamm Visscher" <bamm.visscher () gmail com>
Date: Sat, 18 Nov 2006 16:53:50 -0700

I thought I'd clarify a little bit.  We (the Sguil project and NSM
promoters) have always recommended recording complete packet captures
independent of IDS alerts or other security events (think tcpdump -i
fxp0 -w log.pcap w/no filters). In a standard Sguil setup, we actually
use a second Snort process to capture the packets (in pure packet
logger mode, no detection engine). A simple shell script and cron is
used to manage the disk use. Fast disks are cheap and I have found
this approach works well for links up to 100Mb.  Although I don't have
any personal experience with anything beyond that, I've had reports of
people using terabyte RAID arrays to collect full pcap on larger
links, but I don't think they approach Gig speeds.

I expect most of the time, this type of monitoring is going at
ingress/egress points on the company network. I also expect the vast
majority of companies out there have less than a 100Mb link to the
internet (probably a lot less) for their corporate network and this
type of implementation would work fine for them.

However, there are also instances where individuals need to monitor
gig links (backends to partners, app servers and store fronts hosted
in data centers, those pesky .edu's, etc) or maybe the CFO is a good
Hollander and doesn't like to spend a little bit of money on hard
drives (What, you want 500GBs of RAID 5 in that server?!?! You can
have a single 80GB drive, deal with it). It's in those instances that
you have to start to get creative about how and what you log. No, you
won't be able to log 100% of the traffic, but that doesn't mean you
should just give up totally.  Logging the first x bytes of each
connection is a great thing to be able to do. After seeing the "time
machine" project on a blog (http://geek00l.blogspot.com/) the other
day, I passed it on to the author of SANCP
(http://www.metre.net/sancp.html). He told me SANCP also has the
capability to log first x bytes of a connection based on a filter. The
catch is I don't know at what speeds SANCP is capable of performing
at.

Anyway, it's good stuff for those of us using open source applications
in our security monitoring implementations.

Bammkkkk


On 11/17/06, David J. Bianco <david () vorant com> wrote:
Gadi Evron wrote:

It sounds cool, but all I can really say having worked in such
environments is "right", cynically. More useful than IDS for sure, though,
if what you want is forensics (and actually have a way to sort through
this if it really works and if it really catches everything - not to
mention if my network is even that centralized)


We've been doing exactly this for years.  Of course, we've been using
Sguil and not the time machine, but the idea is the same, and it's
quite effective.  As you mentioned, it's great for forensics, but it's
best when combined with an IDS.  It's pretty easy to validate most alerts
when you have the raw traffic to fall back on.

Nice to see another addition to the Network Security Monitoring arsenal!

        David
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave



-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net
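The "log the first x bytes of each connection" cutoff Bamm describes above, as an added illustration that is not part of this thread and is not code from Sguil, SANCP or the time machine project: a small Python script that reads a classic libpcap file, keeps a byte budget per TCP connection, and drops every frame of a connection once its budget is spent. The pcap reader/writer, the frame builder and the sample capture are constructed assumptions (Ethernet link type, checksums left at zero); a real deployment would apply the same bookkeeping to a live capture rather than to a file already on disk.

```python
import socket
import struct

# Constants for the minimal Ethernet/IPv4/TCP parser below (assumes link type 1, Ethernet).
PCAP_MAGIC = 0xA1B2C3D4
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def flow_key(frame):
    """Direction-independent connection key for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = (ip[12:16], sport), (ip[16:20], dport)
    return (a, b) if a <= b else (b, a)   # same key for both directions of the connection


def payload_len(frame):
    """TCP payload bytes in the frame: IP total length minus the IP and TCP headers."""
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    total = struct.unpack("!H", ip[2:4])[0]
    doff = (ip[ihl + 12] >> 4) * 4
    return max(0, total - ihl - doff)


def trim_records(records, cutoff):
    """Keep whole frames of each connection until `cutoff` payload bytes have been logged,
    then drop the remainder of that connection. Non-TCP frames pass through untouched."""
    logged = {}
    for ts_sec, ts_usec, frame in records:
        key = flow_key(frame)
        if key is None:
            yield ts_sec, ts_usec, frame
            continue
        if logged.get(key, 0) >= cutoff:
            continue        # this connection has already used its byte budget
        logged[key] = logged.get(key, 0) + payload_len(frame)
        yield ts_sec, ts_usec, frame


def read_pcap(data):
    """Iterate (ts_sec, ts_usec, frame) records from classic libpcap file bytes."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24                                    # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def write_pcap(records):
    """Serialise records into libpcap format (little-endian, snaplen 65535, Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def trim_pcap(data, cutoff):
    """Apply the per-connection cutoff to a whole pcap file held in memory."""
    return write_pcap(trim_records(read_pcap(data), cutoff))


def build_tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Constructed test frame (Ethernet/IPv4/TCP, checksums left zero; not valid on the wire)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip


def demo(cutoff=64):
    """Constructed capture: one chatty connection (ten 100-byte segments, each answered by a
    bare ACK) plus one short request. Returns (frames before, frames after) trimming."""
    frames = []
    for _ in range(10):
        frames.append(build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"A" * 100))
        frames.append(build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"", flags=0x10))
    frames.append(build_tcp_frame("10.0.0.3", "10.0.0.2", 40001, 80, b"GET / HTTP/1.0\r\n\r\n"))
    records = [(1163890430 + i, 0, f) for i, f in enumerate(frames)]   # constructed timestamps
    original = write_pcap(records)
    trimmed = trim_pcap(original, cutoff)
    return len(list(read_pcap(original))), len(list(read_pcap(trimmed)))


if __name__ == "__main__":
    before, after = demo()
    print(f"{before} frames in, {after} frames out with a 64-byte per-connection cutoff")
```

With the 64-byte budget the chatty connection contributes only its first data segment; every later segment and bare ACK is dropped, while the short request survives whole. Raising the cutoff trades disk for more retained context, which is the knob the thread is really arguing about.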

