[Dailydave] halvar, record gigabit networking? IDS for forensics?

Danny Quist dannyquist at gmail.com
Sat Nov 18 01:20:35 Local time 2006


Taking data snapshots for replay or later analysis is great stuff.  One
particular shop that I've seen that has done a good job has simply
implemented PCAP logging.  Using PCAP ring buffers and lots of disk, they
copy and keep the capture files for a 7-day period.  The place in question
implemented this on their 1GB outside link and was able to economically
record that data.  It was extremely useful to go back and pick apart any
sort of problem.  The only issue was that you have to be interested in
something that happened in that 7-day window.

All of this can be implemented on standard Linux hardware, with standard
high-speed raid devices.  Phil Wood has done much work to make PCAP faster.
It also helps with opening large PCAP files and other issues you may
encounter while implementing your Network Tivo.  Find Phil's stuff here:
http://public.lanl.gov/cpw/

Danny

On 11/17/06, Nick Selby <nick.selby at the451group.com> wrote:
>
> <snip>
> Gadi Evron wrote:
> >> http://www.packetstormsecurity.org/sniffers/tm-20061111-0.tar.gz
> >>
> </snip>
>
> This sounds like a poor-man's version of what Solera Networks is on
> about - from a report we did (we're not paid by or involved with
> Solera in any way, and the report is based on their statements, not
> testing - I'd love to hear opinions on what they say they do or how
> we've written it).
>
> In a nutshell, Solera claims an average selling price of $50,000, says
> it can suck down huge chunks of data in GB ethernet and blow them onto
> a disk wicked fast, then serve as either platform for forensic apps
> (it's running linux) or as a data source. For example, to feed IDS as
> fast as IDS can suck it down, or rebroadcast data through a closed
> network segment, or provide chunks as a pcap or other file to be
> imported or mounted:
>
>
> <excerpt>
>
> "Solera's DS series of appliances are 3U rack-mountable Linux-based
> appliances, running either *Red Hat* Enterprise Linux 4 or SuSE 10.
> The DS uses standard *Intel* NICs, though Solera says it has written
> its own drivers for them. Because the boxes are running Linux and the
> Solera capture and write runs effectively as a Linux kernel module,
> customers are able to both use the DS as a network buffer -
> re-broadcasting network traffic once captured out to network segments
> - or, using virtual Ethernet adapters, host applications on its own
> platform, which can interact with the data in any number of virtual
> views.
>
> "The product offers pre-capture filters - for example, not recording
> SSH or SSL encrypted traffic - and playback filters on seven main
> criteria: source IP, destination IP, MAC address, VLAN, port number,
> protocol and time window. Other filters are available as well, but the
> main idea is to be able to feed various 'views' into various
> applications simultaneously - allowing analysts with, for example,
> Wireshark (Ethereal) to say, 'Show me all packets from a certain time
> domain, from this IP to that IP in this protocol.'
>
> "Solera's DS appliance may be used as a platform on which Linux
> applications are run. For example, Snort can be installed as an
> application on the DS, then configured to take network traffic from a
> virtual Ethernet adapter. The DS can be configured to feed Snort as
> fast as Snort can take data. Additionally, Solera says that customer
> *Brigham Young University* has developed an application that takes
> traffic beginning some seconds before, and ending some seconds after,
> a Snort-flagged incident - packaging the traffic segment up and
> forwarding it to an analyst to determine whether it's a false
> positive. The DS can provide other views to applications, such as pcap
> files or virtual file systems, which can be 'mounted.' Traffic can
> also be replayed to a network segment, for examination by applications.
>
> "The boxes monitor traffic from a SPAN port as a passive collector,
> and the company claims to capture at a sustained traffic rate of up to
> 550MB/sec from Gigabit Ethernet. Solera says it uses an off-the-shelf
> disk controller from *3Ware*, but wrote its own file system, which
> allows the DS to write to disk very quickly, using very long sector
> runs in 'slots' of 67MB at a time, providing an 840MB/sec
> stream-to-disk throughput on its disk channel. The appliances have
> 800GB to 6.4TB of onboard storage. Solera says that using a fiber
> channel switch, its appliances can be stacked up in groups of 20,
> providing more than 128TB of storage capacity. Because of its claimed
> very fast read/write rates, Solera says there are no disk-based
> bottlenecks."
>
> Competition:
> *Network General*. Solera says that if the Network General approach -
> its own bottom-up approach with its own stack - is the sort of thing
> you like, then you'll like that sort of thing. The other main
> competitor is *Niksun*. Several other vendors offer competitive and
> competitive-sounding products:  *Endace Measurement Systems*, the
> publicly traded New Zealand-based vendor of packet capture cards, a
> firm we have just met and hope to brief with soon. Solera claims that
> its methods are faster - since we're not a testing organization, we
> have no way to judge the veracity of claims like this, but we will
> bring it up to Endace and report its response in the future. Other
> competitors include *Network Instruments*, *WildPackets*, *Fluke
> Networks* and *ClearSight Networks*.
>
> </excerpt>
>
>
> Comments?
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
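The ring-buffer logging Danny describes and the "some seconds before, some seconds after a Snort-flagged incident" carve-out attributed to BYU in the quoted excerpt both reduce to the same operation over a directory of pcap slices: find the slices whose packet timestamps overlap a window and copy the matching packets into a new file. The block below is an added example written for this page, not code from either message, from Solera or from Phil Wood's libpcap work. It parses the pcap file format directly rather than through a capture library, and every input is constructed in memory: the slice names `ring-N.pcap`, the base time `T0` and the placeholder frames are made up for the demonstration.

```python
"""Added example: index tcpdump ring-buffer slices by packet timestamp and
carve the packets around an alert into a fresh pcap.  Not code from the
thread; the sample slices below are constructed in memory."""
import struct

PCAP_MAGIC = 0xA1B2C3D4      # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1
T0 = 1_163_800_000           # constructed base time: 2006-11-17 21:46:40 UTC


def build_pcap(packets, snaplen=65535):
    """Serialise (timestamp, frame) pairs as a little-endian microsecond pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        if usec == 1_000_000:          # rounding carried into the next second
            sec, usec = sec + 1, 0
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(data):
    """Yield (timestamp, frame) from pcap bytes in either byte order.  Stop
    quietly at a truncated trailing record: that is what a slice looks like
    when the ring buffer rotated (or the box died) mid-write."""
    if len(data) < 24:
        return
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
        magic = struct.unpack(">I", data[:4])[0]
    else:
        raise ValueError("not a pcap file")
    divisor = 1_000_000_000 if magic == PCAP_MAGIC_NS else 1_000_000
    offset = 24
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        if offset + incl_len > len(data):
            return                      # half-written record at end of slice
        yield sec + frac / divisor, data[offset:offset + incl_len]
        offset += incl_len


def index_slices(slices):
    """Return [(first_ts, last_ts, name)] sorted by first packet time.
    `slices` maps slice name -> pcap bytes; slices with no complete packet are skipped."""
    index = []
    for name, data in slices.items():
        first = last = None
        for ts, _ in iter_packets(data):
            first = ts if first is None else first
            last = ts
        if first is not None:
            index.append((first, last, name))
    return sorted(index)


def slices_for_window(index, start, end):
    """Names of slices whose packet time range overlaps [start, end]."""
    return [name for first, last, name in index if first <= end and last >= start]


def extract_window(slices, start, end):
    """Copy every packet with start <= ts <= end, across all slices, into one
    new pcap.  Returns (pcap_bytes, packet_count); a count of 0 means the
    window has aged out of the ring, the retention limit Danny describes."""
    index = index_slices(slices)
    hits = []
    for name in slices_for_window(index, start, end):
        hits.extend((ts, f) for ts, f in iter_packets(slices[name]) if start <= ts <= end)
    hits.sort(key=lambda p: p[0])
    return build_pcap(hits), len(hits)


def around_alert(slices, alert_ts, before=5.0, after=5.0):
    """The BYU-style carve: packets from `before` seconds ahead of an alert
    to `after` seconds past it, ready to hand to an analyst."""
    return extract_window(slices, alert_ts - before, alert_ts + after)


def make_sample_slices():
    """Three constructed ring slices with 10-second packet spacing.  The last
    slice ends in a half-written record to exercise the truncation path."""
    def frame(i):
        return bytes([i & 0xFF]) * 60   # placeholder Ethernet-sized frame
    slices = {}
    for n in range(3):
        pkts = [(T0 + 10 * i, frame(i)) for i in range(4 * n, 4 * n + 4)]
        slices["ring-%d.pcap" % n] = build_pcap(pkts)
    slices["ring-2.pcap"] += struct.pack("<IIII", T0 + 120, 0, 60, 60) + b"\x00" * 10
    return slices


if __name__ == "__main__":
    sample = make_sample_slices()
    for first, last, name in index_slices(sample):
        print("%s covers %d..%d" % (name, first, last))
    pcap, count = around_alert(sample, alert_ts=T0 + 45, before=10, after=10)
    print("carved %d packets into %d bytes of pcap" % (count, len(pcap)))
    _, stale = extract_window(sample, T0 - 8 * 86400, T0 - 7 * 86400)
    print("packets from 8 days ago: %d (aged out of the ring)" % stale)
```

Slices of this shape are what size-based rotation produces, for example `tcpdump -C <megabytes> -W <count> -w ring.pcap`; index them by the packet timestamps inside each file rather than by mtime or filename sequence, because a rotated slice's name says nothing about the time range it holds. A carve that returns zero packets is the retention limit from the thread, not a parse failure, and the truncated-record check matters because the newest slice is always being written while you read it.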