Log Evidence is designed to dump the packet that triggered the event to a file. I think that this feature has very little profit in the current realization, because all packets are stored in the same file and it's almost impossible to find the desired information, especially if the LogEvidence response is checked for a number of signatures. The best place to store such evidence, I think, is RealSecureDB. Such functionality is realized, for example, in ACID for Snort: the part of the payload of the packet is stored in the DB. Why doesn't ISS realize this functionality? Or is there something that encumbers doing so?

If the only place where evidence can be stored is a file on the sensor, it would be better to store evidence of different events in files with different names, i.e. the payload for SMB_Empty_Password is stored in SMB_Empty_Password-XXXX.enc, MSRPC_Activate_BO is stored in MSRPC_Activate_BO-XXXX.enc, etc., where XXXX are numbers as it is now, or, better, the date the file was started (the date could be in seconds since 00:00:00 UTC, January 1, 1970, as it is in C). I know that such a message is better sent to enhancements, but maybe there are some facts I don't know about... Please correct me if something is wrong in my reasoning. Any feedback will be welcome.

---
Best regards,
Sergey V. Soldatov.
Information security department.

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
