[Discussion] Capture Clients?

Kevin Ross kevross33 at googlemail.com
Fri Apr 3 10:08:08 UTC 2009


Hi, I was thinking: imagine if an intrusion was detected between a malicious
host, say 81.1.1.1, and the victim 10.0.0.2 with the Distributed IDS in
between. What if, when an attack was underway, there were agents available for
clients/servers which the distributed IDS could then use to capture
activity, i.e. network activity etc. between it and the compromised host? I.e.
say there was an attack, the distributed IDS master sensor would "say" to the
agent on 10.0.0.2 "record all communications you have with 81.1.1.1 and then
forward it to me".

This way greater visibility is given into the attack, providing greater
forensic information, especially if encryption is then used to hide attack
responses, backdoors, whatever. The agent perhaps could then be used in some
sort of active response on the client, but ideally just a small capture
agent. This would give more attack information and confirmation of whether the
attack was successful.
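A sketch of the agent side of the exchange proposed above, added here as an illustration and not code from the post, OISF or any IDS project. It assumes a JSON instruction format from the master sensor and uses constructed packet records in place of a live capture; the one point a practitioner would insist on is that the peer address coming off the wire is validated before it is turned into a capture filter.

```python
"""Host capture agent sketch (added example; the message format is an assumption).

A master sensor sends the agent a capture instruction naming a peer; the agent
validates it, builds the capture filter, selects matching packets and reports back.
Packets here are constructed tuples; a real agent would hand the filter to libpcap.
"""
import ipaddress
import json

# Constructed packet records: (src, dst, proto, length) standing in for captured frames.
SAMPLE_PACKETS = [
    ("81.1.1.1", "10.0.0.2", "tcp", 74),
    ("10.0.0.2", "81.1.1.1", "tcp", 66),
    ("10.0.0.5", "10.0.0.2", "udp", 120),
    ("10.0.0.2", "93.184.216.34", "tcp", 60),
    ("81.1.1.1", "10.0.0.2", "tcp", 1514),
]

def parse_command(raw):
    """Parse the master sensor's JSON instruction and validate the peer address.

    The peer string ends up in a capture filter, so the agent accepts only a
    literal IP address, never an arbitrary string received from the network.
    """
    msg = json.loads(raw)
    if msg.get("action") != "capture":
        raise ValueError("unsupported action")
    peer = str(ipaddress.ip_address(msg["peer"]))  # raises ValueError on anything else
    return {"peer": peer, "forward_to": msg.get("forward_to", "master")}

def bpf_filter(peer):
    """BPF expression a real agent would pass to libpcap/tcpdump for this instruction."""
    return f"host {peer}"

def select_packets(packets, peer):
    """Keep packets in either direction between this host and the named peer."""
    return [p for p in packets if peer in (p[0], p[1])]

def handle(raw, packets=SAMPLE_PACKETS):
    """Agent-side handling: returns the report that would be forwarded to the master."""
    cmd = parse_command(raw)
    matched = select_packets(packets, cmd["peer"])
    return {
        "peer": cmd["peer"],
        "filter": bpf_filter(cmd["peer"]),
        "packets": len(matched),
        "bytes": sum(p[3] for p in matched),
        "forward_to": cmd["forward_to"],
    }
```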