Full-time Packet Captures with the Time Machine
| Sunday, June 10, 2007 | Mark Orlando |

Researchers at Lawrence Berkeley National Laboratory, the Munich University of Technology, and the Berlin University of Technology have been working on a project that should be of great interest to IDS and security analysts everywhere. The project’s goal is to address one of the biggest shortcomings in intrusion detection and network-based incident response: how do we gather and analyze all data pertaining to an incident once an intrusion has occurred, knowing that most monitoring solutions only generate alerts and, if we’re lucky, minimal packet data? There are a few vendors that have tried to address this problem (Niksun and McAfee come to mind immediately) by throwing expensive hardware and lots of disk space into solutions designed to maintain full packet captures. Most IDS vendors include some sort of packet capture functionality in their products, but even those usually only provide such data when and if an alert is triggered.
This new project has been dubbed The Time Machine. It is designed to provide a full-time packet capture capability in Gbps environments using commodity hardware. That may be a tall order, but it is definitely worth a closer look knowing it comes from the same people that brought us Bro IDS, not to mention security monitoring research since the earliest days of IDS technology. The basic premise is that the Time Machine uses a packet cutoff limit to buffer up to N bytes of traffic for each connection, since statistical analysis of network traffic has shown the first bytes of a connection to be the most meaningful data for each traffic type, and then indexes all captured packets for fast retrieval.
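The cutoff-and-index idea described above, as an added Python sketch written for this post (it is not the Time Machine's own code; the class, its parameters and the sample trace are constructed assumptions): each connection keeps only its first N bytes, the oldest connections are evicted when a total budget is exceeded, and a per-host index lets an analyst pull everything retained for an address after an alert.

```python
from collections import OrderedDict, defaultdict

class CutoffBuffer:
    """Keeps the first `cutoff` bytes of every connection and evicts the oldest
    connections once the total exceeds `budget`; packets are indexed by connection
    and by host so everything seen for an address can be pulled after an alert."""

    def __init__(self, cutoff, budget):
        self.cutoff, self.budget, self.used = cutoff, budget, 0
        self.conns = OrderedDict()          # conn key -> [(ts, bytes), ...], oldest conn first
        self.seen = {}                      # conn key -> bytes seen so far, stored or not
        self.host_index = defaultdict(set)  # ip -> conn keys (may include evicted ones)
        self.dropped = 0                    # packets discarded because the cutoff was reached
    @staticmethod
    def conn_key(src, sport, dst, dport, proto):
        a, b = (src, sport), (dst, dport)   # direction-independent 5-tuple
        return (proto,) + (a + b if a <= b else b + a)

    def observe(self, ts, src, sport, dst, dport, proto, payload):
        k = self.conn_key(src, sport, dst, dport, proto)
        seen = self.seen.get(k, 0)
        self.seen[k] = seen + len(payload)
        if seen >= self.cutoff:             # past the cutoff: bulk data is not worth the disk
            self.dropped += 1
            return False
        chunk = payload[: self.cutoff - seen]   # packet straddling the cutoff is truncated
        self.conns.setdefault(k, []).append((ts, chunk))
        self.host_index[src].add(k); self.host_index[dst].add(k)
        self.used += len(chunk)
        while self.used > self.budget:      # stay within the memory/disk budget
            _, pkts = self.conns.popitem(last=False)
            self.used -= sum(len(p) for _, p in pkts)
        return True

    def stored_bytes(self, src, sport, dst, dport, proto):
        k = self.conn_key(src, sport, dst, dport, proto)
        return sum(len(p) for _, p in self.conns.get(k, []))

    def query_host(self, ip):
        """Retained packets involving `ip`, oldest first; evicted connections are skipped."""
        out = [pkt for k in self.host_index.get(ip, ()) for pkt in self.conns.get(k, [])]
        return sorted(out, key=lambda pkt: pkt[0])

def demo():
    # Constructed trace: a 2-packet DNS exchange and a bulk HTTP download of ten 1500-byte segments.
    tm = CutoffBuffer(cutoff=200, budget=10_000)
    tm.observe(1.0, "10.0.0.5", 5353, "10.0.0.1", 53, "udp", b"q" * 40)
    tm.observe(1.1, "10.0.0.1", 53, "10.0.0.5", 5353, "udp", b"r" * 120)
    for i in range(10):
        tm.observe(2.0 + i, "10.0.0.5", 40000, "203.0.113.9", 80, "tcp", b"d" * 1500)
    return tm   # DNS fully kept (160 B), download capped at 200 B, 9 packets dropped
```

The interesting property is that the ten-segment download costs the buffer no more than a single DNS exchange, which is what makes full-time capture affordable at Gbps rates.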
The capability to keep full packet captures for all connections in the event of an intrusion or event of interest, using an open source utility and commodity hardware, is a welcome proposition and one we plan to research further. The Time Machine is still in early stages of development but can be downloaded from:
http://www.net.t-labs.tu-berlin.de/research/tm/#download.
We’re already working on taking it for a spin, so look for future write-ups on this cool new toy.

Hi guys,
This is indeed cool, although we had that functionality over 10 years ago in ASIM and I believe Dragon had something similar years ago too?
Thanks for the note, Richard, and good point. I think there have been plenty of examples of the full content collection box, including the ASIM, but the thing that interests us here is the focus on modern high(er)-speed networks without the need for tons of storage (not sure what the ASIM was doing for space management), and an approach that collects packet data first and serves as a corollary for IDS alerts second, the opposite of what most IDS vendors seem to be doing now.
Check Clarified Networks, from http://www.clarifiednetworks.com