[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISSForum] Log Evidence



Log Evidence is disigned to dump packet that has triggered the event to
file. I think that this feature has a very little profit in current
realization, because all packets are stored in the same file and it's
almost impossible to find out desired information especially if LogEvidence
response is checked for a number of signatures.
The best place for such evidence to store, I think, is RealSecureDB. Such
functionlity is realized, for example, in ACID for Snort, the part of
payload of packet is stored in DB. Why doesn't ISS realize this
functionality? Or there is something that encumber to do so?

If  the only place where evidence can be stored is file on sensor, it would
be better to store evidece of different events to files with different name
i.e. payload for SMB_Empty_Password is stored in
SMB_Empty_Password-XXXX.enc, MSRPC_Activate_BO is stored in
MSRPC_Activate_BO-XXXX.enc, etc., where XXXX - numbers as it is now, or,
it's better, date of start file (the date could be in seconds since
00:00:00 UTC, January 1, 1970 as it's in C).

I know that such message better to send to enhancements, but may be some
facts I don't know about...
Please correct me if something wrong in my reasonings.
Any feedback will be welcome.

---
Best regards, Sergey V. Soldatov.
Information security department.


_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.