Thursday, December 11, 2008

Logevidence response in RealSecure Network/Gigabit Sensor

Software vendors advertise everywhere that they appreciate customers' requirements and encourage them to write letters describing their needs so that those can be included in future releases. As a customer I have written a lot of suggestions to vendors of the products I use, but most things are still the same. Maybe I'm not the right person to write such requests for enhancements, maybe I use the wrong channel to deliver my needs... So I decided to use this blog to tell the audience about desired features and, maybe, this will somehow push the process along. Starting with this post (unfortunately available only in Russian, and I feel too lazy to translate it) I introduce a new label, Enhancements - all posts of this kind will carry this label.

Vendor: IBM ISS.

Product: RealSecure Network 10/100 and Gigabit

Short feature description.
Logevidence is one of the possible signature responses in ISS's NIDS. It forces the sensor to dump the packet that contains the signature to a file specified in the sensor configuration file.

Problem description.
1. The sensor dumps only one packet per signature.
2. All logevidence packets are dumped to the same file, and finding anything in it is very difficult.

Enhancement description.
1. We know that ISS produces good stateful NIDSs. This means that to find a signature the sensor analyzes not just one packet (in that case fragmentation would easily deceive it) but the whole data stream (a session, which is more than one packet). As far as I understand the idea of Logevidence, it is meant for further manual analysis. In that case one packet is not enough. So the first part of this enhancement is to dump the whole session, not just one packet.
2. Dump packets (sessions) not into one file but into a dedicated folder structure. For example, like this:
[Signature Name]/[Source IP]/[Destination IP]/[Date & Time].cap
Of course, the ability to configure the desired path and file name for logevidence is welcome!
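As an added example (not the sensor's own code, which is closed), the Python below sketches the two requested behaviours: grouping packets into sessions so the whole conversation is kept as evidence, and building the proposed [Signature Name]/[Source IP]/[Destination IP]/[Date & Time].cap path. The function names and the sample packets are my own constructions; the signature-name sanitising is an added precaution, because a name written straight into a path could otherwise escape the evidence directory.

```python
import ipaddress
import re
from datetime import datetime
from pathlib import PurePosixPath

# Constructed sample capture: (timestamp, proto, src, sport, dst, dport, payload)
PACKETS = [
    ("2008-12-11T10:00:00", "tcp", "10.0.0.5", 40001, "192.0.2.10", 80, b"GET /a"),
    ("2008-12-11T10:00:01", "tcp", "192.0.2.10", 80, "10.0.0.5", 40001, b"HTTP/1.1 200"),
    ("2008-12-11T10:00:02", "tcp", "10.0.0.5", 40001, "192.0.2.10", 80, b"GET /b"),
    ("2008-12-11T10:00:03", "udp", "10.0.0.7", 5000, "192.0.2.53", 53, b"query"),
]

def session_key(proto, src, sport, dst, dport):
    """Direction-independent 5-tuple so both halves of a conversation share one key."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def group_sessions(packets):
    """Collect every packet of a conversation: the unit of evidence is the session, not one packet."""
    sessions = {}
    for ts, proto, src, sport, dst, dport, payload in packets:
        key = session_key(proto, src, sport, dst, dport)
        sessions.setdefault(key, []).append((ts, src, dst, payload))
    return sessions

def safe_component(name):
    """Signature names come from the policy, not the wire, but may still hold '/', '..' or spaces."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip(".")
    return cleaned or "unnamed"

def evidence_path(base, signature, src_ip, dst_ip, when):
    """Build base/[Signature Name]/[Source IP]/[Destination IP]/[Date & Time].cap."""
    src = str(ipaddress.ip_address(src_ip))   # ValueError on anything that is not an address
    dst = str(ipaddress.ip_address(dst_ip))
    stamp = datetime.fromisoformat(when).strftime("%Y%m%d-%H%M%S")
    path = PurePosixPath(base, safe_component(signature), src, dst, stamp + ".cap")
    # Defence in depth: no component may climb out of the evidence directory.
    if ".." in path.parts or not str(path).startswith(str(PurePosixPath(base))):
        raise ValueError("evidence path escapes the base directory")
    return str(path)

def evidence_for(base, signature, packets, trigger):
    """Return (file path, whole session) for the packet that matched the signature."""
    ts, proto, src, sport, dst, dport, _ = trigger
    session = group_sessions(packets)[session_key(proto, src, sport, dst, dport)]
    return evidence_path(base, signature, src, dst, ts), session
```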
