[Discussion] Capture Clients?

Martin Holste mcholste at gmail.com
Fri Apr 3 19:29:10 UTC 2009


I agree that client-side integration seems to be becoming more and more
important as more Trojans go SSL-enabled.  However, I think that's more the
realm of OSSEC, which plugs into OSSIM.  So, if the OISF incarnation can
play nicely with OSSIM, I think that it would be fairly simple to write
OSSIM directives that would accomplish what you're talking about by
directing OSSEC clients to begin recording/analyzing.  Personally, I'd want
them all to be able to grep through their RAM for given strings à la
MindSniffer if there was something new to look for.  I think you're raising
a good point though, that HIDS can play a real part in this if we let it.

--Martin

On Fri, Apr 3, 2009 at 2:00 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> So you mean for instance in the event of an https ddos? Or some form of
> encrypted session.
>
> Have the client grab it after decryption and save to be analyzed?
>
> Matt
>
> Kevin Ross wrote:
> > Hi, I was thinking: imagine if an intrusion was detected between a
> > malicious host, say 81.1.1.1, and the victim 10.0.0.2 with the
> > Distributed IDS in between. What if, when an attack was underway, there were
> > agents available for clients/servers which the distributed IDS
> > could then use to capture activity, i.e. network activity etc. between it and
> > the compromised host? I.e. say there was an attack; the distributed IDS
> > master sensor will "say" to the agent on 10.0.0.2 "record all
> > communications you have with 81.1.1.1 and then forward it to me".
> >
> > This way greater visibility is given into the attack, providing greater
> > forensic information, especially if encryption is then used to hide
> > attack responses, backdoors, whatever. The agent perhaps could then be
> > used in some sort of active response on the client, but ideally just a
> > small capture agent. This would give more attack information and
> > confirmation of whether the attack was successful.
> >
> >
> > _______________________________________________
> > Discussion mailing list
> > Discussion at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/discussion
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>