Re: Re: FW: NFR Features

[mark.teicher () networkice com]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner () uow edu au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
-----------------------------------------------------------------------------
Dave,

The issue with log rotation and log retention.  There has really not been a 
definitive ruling on how long an organization is supposed to retain logs 
for: (whether it is a firewall log, IDS log, system access log), and how to 
store them for the just in case some one asks for them (albeit, one of 
those three letter agencies)..  Some firewall vendors store their 
information in a proprietary format (very bad thing) and need some tool to 
convert from its proprietary format to something readable and others just 
log to some readable format that is easy to parse and such.

IDS vendors have an even tougher time on the type of format they choose to 
store the data in (1. for speed, 2. for reporting reasons 3. evidence 
collection)

If one stores to a database format, is the data really in a form that can 
be used as evidence.. ??

The busier the network, the more data an IDS can capture, the more often a 
log must be rotated or transferred off.
Some IDS vendors have a database utility to compress the data or purge the 
data from x date to y date.  Those little utilities go a long way 
especially if you are limited on disk space.. :)

/mark
At 07:08 PM 9/14/00 -0400, Dave Goodrum wrote:
> No, this would not cause a problem for us.