Network data

• Network-based audit trails
  • raw packet data, Cisco netflow, RMON, other firewall / router logs

• Example systems
  • NFR, ISS RealSecure, Cisco NetRanger, Bro, anything built on libpcap

• Problems
  • passive network monitoring is easily defeated by clever attackers [PN98]
  • traffic normalizers can help deal with ambiguity [Pax99]
  • higher bandwidth, end-to-end encryption, switched networks