At first glance, the ability to log packet data may seem like just another bell or whistle. However, as more IDSes are deployed, their use in criminal prosecution will increase. And while there are many complications surrounding the admissibility of electronic log data as evidence in U.S. courts, IDSes that don't perform packet logging won't help much when it comes to prosecution.
Packet dumps are also useful for reconstructing attack sessions. By reassembling sessions, you can sometimes determine how far an intruder got or trace the path of his or her movements.
Packet data helps in the investigation of false positives as well. Poorly written signatures, or signatures that are simply too general, will often alert on benign traffic. By looking at the packets that caused the alert, IDS admins can take several actions to fix the problem. First, they can contact the vendor and explain what kind of packets are triggering the false alerts; sometimes the vendor will provide an updated signature. Second, with some products -- Dragon and Snort, for example -- signatures can be edited by hand to make them more specific, and the logged packets are the test data for confirming that the tightened signature still catches the attack. Finally, in some cases administrators might simply want to disable the signature if most of its alerts aren't useful.
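The two uses described above, reassembling a session from logged packets and then using that session to tighten an over-general signature, can be shown together. The following is an added example written for this page, not code from the article or from Snort or Dragon; the packet records, the HTTP requests and the `offset`/`depth`-style signature fields are constructed for illustration and only mimic Snort's content-matching options. The broad rule fires on a benign forum post that merely mentions cmd.exe, while the narrowed rule fires only on the request that actually invokes it.

```python
"""Added example: reassemble a one-direction TCP stream from logged segments,
then compare a too-general signature with a narrower one over the result.
All packet data and signatures below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes  # TCP payload as it appeared in the packet log


def reassemble(segments):
    """Order segments by sequence number and concatenate their payload.

    Retransmitted or overlapping bytes are dropped so the stream is what the
    receiver actually saw. Missing byte ranges are returned as gaps so the
    analyst knows the reconstruction is incomplete rather than silently short.
    """
    stream = bytearray()
    gaps = []
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is None:
            expected = seg.seq
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                       # pure retransmission, already seen
        if seg.seq > expected:
            gaps.append((expected, seg.seq))  # bytes never captured
            expected = seg.seq
        stream.extend(seg.payload[expected - seg.seq:])  # skip overlap
        expected = end
    return bytes(stream), gaps


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    # each pattern: (content, offset, depth) in the spirit of Snort's
    # content/offset/depth options; depth=None means search to end of stream
    patterns: list = field(default_factory=list)
    nocase: bool = True


def matches(sig, stream):
    """Every pattern must be found inside its offset/depth window."""
    for content, offset, depth in sig.patterns:
        window = stream[offset:] if depth is None else stream[offset:offset + depth]
        if sig.nocase:
            content, window = content.lower(), window.lower()
        if content not in window:
            return False
    return True


def run(signatures, sessions):
    """Reassemble each logged session and report which ones each rule alerts on."""
    hits = {sig.sid: [] for sig in signatures}
    for name, segments in sorted(sessions.items()):
        stream, _gaps = reassemble(segments)
        for sig in signatures:
            if matches(sig, stream):
                hits[sig.sid].append(name)
    return hits


def segments_from(data, isn, *cuts):
    """Cut a byte string into Segment records at the given offsets (constructed
    capture; a real IDS would read these from its packet log)."""
    bounds = [0, *cuts, len(data)]
    return [Segment(isn + a, data[a:b]) for a, b in zip(bounds, bounds[1:])]


# Constructed sessions: a directory-traversal request that invokes cmd.exe,
# and a harmless forum post whose body merely mentions cmd.exe.
MALICIOUS_REQUEST = (b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n"
                     b"Host: victim.test\r\n\r\n")
BENIGN_REQUEST = (b"POST /forum/post HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 42\r\n\r\nHow do I run cmd.exe from a batch file?\r\n")

_mal = segments_from(MALICIOUS_REQUEST, 1000, 20, 45)
# logged out of order, with the first segment retransmitted once
MALICIOUS_LOG = [_mal[2], _mal[0], _mal[1], _mal[0]]
BENIGN_LOG = segments_from(BENIGN_REQUEST, 5000, 30)
SESSIONS = {"attack": MALICIOUS_LOG, "forum-post": BENIGN_LOG}

# Over-general rule: the string anywhere in the stream.
BROAD = Signature(1000001, "cmd.exe seen (broad)", [(b"cmd.exe", 0, None)])
# Narrowed after reviewing the packets: must be a GET and the binary must be
# invoked through the URL (the '?' query marker), not just mentioned in a body.
NARROW = Signature(1000002, "cmd.exe invoked via URL", [(b"GET ", 0, 4), (b"cmd.exe?", 0, None)])

if __name__ == "__main__":
    for sid, names in run([BROAD, NARROW], SESSIONS).items():
        print(sid, names)
```

Reviewing `run([BROAD, NARROW], SESSIONS)` shows the broad rule alerting on both sessions and the narrowed rule on the attack only; the `gaps` value from `reassemble` is the check to make before trusting any reconstruction, since a stream with missing bytes can hide the very payload a signature keys on.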