> Then, you either run large (more expensive than can be done in a firewall) jobs over the data offline to look for intrusions, or wait for a breach and then drill down on the data to try to learn exactly what happened.
I was thinking in terms of offline jobs, and don't have a good intuition for what those rules would look like. I'm also skeptical that your average company would have the expertise to write a good set of rules. So I was interested to see that "half" of an IDS tool.
I think the real answer is that it truly is just a rolling packet dump, and it's up to you to use it however you choose.
I can think of uses outside of network security: capturing traffic from your mobile devices on your home network (maybe this is just IDS if you're watching for the contents of your address book to be exfiltrated by a malicious app), or snooping on people through a Internet cafe, library, or other (small) open network that you administer.
For these uses, just like IDS, you'd want to run offline jobs against the data. Whether that's a full scan for something interesting, or an indexing pass that extracts (portions?) into a more easily viewable form.
Offline jobs are an interesting idea, but they weren't what we were really thinking of. Instead, we use stenographer more like a database of recent traffic. Consider this as a simple use case for intrusion detection:
set up snort and steno
foreach snort alert
request all packets in stream from steno: srcIP,srcPort,dstIP,dstPort match
OR request all packets on that srcIP,dstIP, to get OTHER connections between those hosts
store pcap to directory (or central DB, or whatever)
Then, when a human analyst wants to investigate the alert, instead of getting the very limited PCAP that comes out of snort, they get a ton of data they can use to build context, write new detection rules, etc.
> Then, you either run large (more expensive than can be done in a firewall) jobs over the data offline to look for intrusions, or wait for a breach and then drill down on the data to try to learn exactly what happened.
I was thinking in terms of offline jobs, and don't have a good intuition for what those rules would look like. I'm also skeptical that your average company would have the expertise to write a good set of rules. So I was interested to see that "half" of an IDS tool.
I think the real answer is that it truly is just a rolling packet dump, and it's up to you to use it however you choose.
I can think of uses outside of network security: capturing traffic from your mobile devices on your home network (maybe this is just IDS if you're watching for the contents of your address book to be exfiltrated by a malicious app), or snooping on people through a Internet cafe, library, or other (small) open network that you administer.
For these uses, just like IDS, you'd want to run offline jobs against the data. Whether that's a full scan for something interesting, or an indexing pass that extracts (portions?) into a more easily viewable form.