I agree that client-side integration seems to becoming more and more important as more Trojans go SSL-enabled. However, I think that's more the realm of OSSEC, which plugs into OSSIM. So, if the OISF incarnation can play nicely with OSSIM, I think that it would be fairly simple to write OSSIM directives that would accomplish what you're talking about by directing OSSEC clients to begin recording/analyzing. Personally, I'd want them to all to be able to grep through their RAM for given strings ala MindSniffer if there was something new to look for. I think you're raising a good point though, that HIDS can play a real part in this if we let it.<br>
<br>--Martin<br><br><div class="gmail_quote">On Fri, Apr 3, 2009 at 2:00 PM, Matt Jonkman <span dir="ltr"><<a href="mailto:jonkman@jonkmans.com">jonkman@jonkmans.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
So you mean for instance in the event of an https ddos? Or some form of<br>
encrypted session.<br>
<br>
Have the client grab it after decryption and save to be analyzed?<br>
<br>
Matt<br>
<div><div></div><div class="h5"><br>
Kevin Ross wrote:<br>
> Hi I was thinking, imagine if an intrusion was detected between a<br>
> maclicious host, say 81.1.1.1 and the victim 10.0.0.2 with the<br>
> Distributed IDS in between. What if an attack was underway there was<br>
> agents available for clients/servers which then the distributed IDS<br>
> could use to capture activity? i.e network activity etc between it and<br>
> the compromised host. Ie say there was an attack, the distributed IDS<br>
> master sensor will "say" to the agent on 10.0.0.2 "record all<br>
> communications you have with 81.1.1.1 and then forward it to me".<br>
><br>
> This way greater visibility is given into the attack providing greater<br>
> forensic information. especially if encyrption is then used to hide<br>
> attack responses, backdoors, whatver. The agent perhaps could then be<br>
> used in some sort of active response on the client but ideally just a<br>
> small capture agent. This would give more attack information,<br>
> confirmation if the attack was successful.<br>
><br>
><br>
</div></div>> ------------------------------------------------------------------------<br>
><br>
> _______________________________________________<br>
> Discussion mailing list<br>
> <a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
> <a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
<br>
--<br>
--------------------------------------------<br>
Matthew Jonkman<br>
Emerging Threats<br>
Phone 765-429-0398<br>
Fax 312-264-0205<br>
<a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
--------------------------------------------<br>
<br>
PGP: <a href="http://www.jonkmans.com/mattjonkman.asc" target="_blank">http://www.jonkmans.com/mattjonkman.asc</a><br>
<br>
<br>
_______________________________________________<br>
Discussion mailing list<br>
<a href="mailto:Discussion@openinfosecfoundation.org">Discussion@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br>
</blockquote></div><br>