Event sessionization time frame

tar_mynastyr · ‎10-22-2008

Hi, everybody.

According to the docs, a session is a collection of events withing a predefined time frame that share a common end-to-end information. Does anybody know this time frame?

I didn't find it using google :)

Thanks in advance!

rajett · ‎10-29-2008

Hi,

Sessions are based off of a 5 tuple match: Source IP address, Destination IP address, Source Port, Destination Port, and timestamp. Timestamps are figured based on time the packets were received as timestamps could be off on the reporting devices.

Additionally there is some room to account for devices that do not send data immediately such as when polling Windows servers for log files instead of using a Snare agent.

tar_mynastyr · ‎10-29-2008

Thanks for your answer!

But I still have not clear understanding.

Imagine, that the processing was as follows:

1. At 9:30:31 MARS polls for IPS before NAT via SDEE and receives an alert with particular AaBb

2. At 9:31:15 MARS polls for IPS after NAT via SDEE and receives an alert for the same attack with AaB`b

3. At 9:32:10 MARS receives event from CSA MC indicating the same attack is in progress.

4. MARS consults NAT translation table and determines that all three events have the same AaBb.

The questions are:

1. The events will be sessionized based on the timestamps in these alerts (and these events will be closer) or based on the MARS receive time (and these events will be treated as for a longer period)?

2. And if the second action will take place - what is the deadline, after which the alert from the IPS after NAT will be considered as an event from a new session?

Thnaks in advance!