Dailydave mailing list archives
Re: halvar, record gigabit networking? IDS for forensics?
From: "Danny Quist" <dannyquist () gmail com>
Date: Fri, 17 Nov 2006 18:20:35 -0700
Taking data snapshots for replay or later analysis is great stuff. One particular shop that I've seen that has done a good job has simply implemented PCAP logging. Using the PCAP ring buffers, and lots of disk, these files are then copied and recorded for a 7-day period. The place in question implemented this on their 1GB outside link and was able to economically record that data. It was extremely useful to go back and pick apart any sort of problems. The only issue was that you have to be interested in something that happened in that 7-day window. All of this can be implemented on standard Linux hardware, with standard high-speed RAID devices.

Phil Wood has done much work to make PCAP faster. It also helps with opening large PCAP files and other issues you may encounter while implementing your Network Tivo. Find Phil's stuff here: http://public.lanl.gov/cpw/

Danny

On 11/17/06, Nick Selby <nick.selby () the451group com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<snip>
Gadi Evron wrote:
>> http://www.packetstormsecurity.org/sniffers/tm-20061111-0.tar.gz
>>
</snip>

This sounds like a poor-man's version of what Solera Networks is on about - from a report we did (we're not paid by or involved with Solera in any way and the report is based on their statements, not testing - I'd love to hear opinions on what they say they do or how we've written it).

In a nutshell, Solera claims an average selling price of $50,000, says it can suck down huge chunks of data in GB Ethernet and blow them onto a disk wicked fast, then serve as either a platform for forensic apps (it's running Linux) or as a data source. For example, to feed IDS as fast as IDS can suck it down, or rebroadcast data through a closed network segment, or provide chunks as a pcap or other file to be imported or mounted:

<excerpt>
"Solera's DS series of appliances are 3U rack-mountable Linux-based appliances, running either *Red Hat* Enterprise Linux 4 or SuSE 10. The DS uses standard *Intel* NICs, though Solera says it has written its own drivers for them. Because the boxes are running Linux and the Solera capture and write runs effectively as a Linux kernel module, customers are able to both use the DS as a network buffer - re-broadcasting network traffic once captured out to network segments - or, using virtual Ethernet adapters, host applications on its own platform, which can interact with the data in any number of virtual views.

"The product offers pre-capture filters - for example, not recording SSH or SSL encrypted traffic - and playback filters on seven main criteria: source IP, destination IP, MAC address, VLAN, port number, protocol and time window. Other filters are available as well, but the main idea is to be able to feed various 'views' into various applications simultaneously - allowing analysts with, for example, Wireshark (Ethereal) to say, 'Show me all packets from a certain time domain, from this IP to that IP in this protocol.'

"Solera's DS appliance may be used as a platform on which Linux applications are run. For example, Snort can be installed as an application on the DS, then configured to take network traffic from a virtual Ethernet adapter. The DS can be configured to feed Snort as fast as Snort can take data. Additionally, Solera says that customer *Brigham Young University* has developed an application that takes traffic beginning some seconds before, and ending some seconds after, a Snort-flagged incident - packaging the traffic segment up and forwarding it to an analyst to determine whether it's a false positive. The DS can provide other views to applications, such as pcap files or virtual file systems, which can be 'mounted.' Traffic can also be replayed to a network segment, for examination by applications.

"The boxes monitor traffic from a SPAN port as a passive collector, and the company claims to capture at a sustained traffic rate of up to 550MB/sec from Gigabit Ethernet. Solera says it uses an off-the-shelf disk controller from *3Ware*, but wrote its own file system, which allows the DS to write to disk very quickly, using very long sector runs in 'slots' of 67MB at a time, providing an 840MB/sec stream-to-disk throughput on its disk channel. The appliances have 800GB to 6.4TB of onboard storage. Solera says that using a fiber channel switch, its appliances can be stacked up in groups of 20, providing more than 128TB of storage capacity. Because of its claimed very fast read/write rates, Solera says there are no disk-based bottlenecks."

Competition: *Network General*. Solera says that if the Network General approach - its own bottom-up approach with its own stack - is the sort of thing you like, then you'll like that sort of thing. The other main competitor is *Niksun*. Several other vendors offer competitive and competitive-sounding products: *Endace Measurement Systems*, the publicly traded New Zealand-based vendor of packet capture cards, a firm we have just met and hope to brief with soon. Solera claims that its methods are faster - since we're not a testing organization, we have no way to judge the veracity of claims like this, but we will bring it up to Endace and report its response in the future. Other competitors include *Network Instruments*, *WildPackets*, *Fluke Networks* and *ClearSight Networks*.
</excerpt>

Comments?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFFXgY31x+5mkiqtFgRAqLbAJ4+ZXsxn+IWRkNrkBHzIZJwSWRk/gCgjmEK
AFHAsdJ0OFpdq+HQ/GQFktw=
=AWN7
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
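An added example, not code from this thread, from Solera, or from Phil Wood's libpcap work: a small Python tool that sketches the "network TiVo" workflow both messages describe. It models the rolling capture Danny mentions as a tcpdump ring buffer of rotated pcap files (the `-G 3600 -W 168 -w cap-%Y%m%d%H%M%S.pcap` naming, the hourly rotation, 168 files for a 7-day window, and TZ=UTC are all assumptions of this example), picks the files that overlap a time window, and carves the seconds before and after an IDS alert into one pcap for an analyst, with an optional source/destination IP filter, which is the BYU-style triage package the excerpt describes. The alert timestamp, file names and packets are constructed inline; the reader goes slightly beyond the thread in that it also accepts big-endian and nanosecond pcap magics and refuses a truncated record, which is what you hit when reading a file tcpdump is still writing.

```python
"""Added example: ring-buffer pcap archive + alert-window carving (hypothetical tool)."""
import calendar
import socket
import struct
import time
from typing import Callable, Dict, Iterator, List, Optional, Tuple

FILE_FMT = "cap-%Y%m%d%H%M%S.pcap"   # assumed tcpdump -w template (run tcpdump with TZ=UTC)
ROTATE_SECONDS = 3600                 # assumed tcpdump -G value; -W 168 keeps 7 days of files
ALERT_TS = 1163810000.0               # constructed Snort alert time (Nov 2006, UTC)


def pcap_header(snaplen: int = 65535, linktype: int = 1) -> bytes:
    """libpcap global header: little-endian, microsecond stamps, LINKTYPE_ETHERNET=1."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts: float, pkt: bytes) -> bytes:
    """One record header (ts_sec, ts_usec, incl_len, orig_len) followed by the frame."""
    sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
    if usec == 1_000_000:
        sec, usec = sec + 1, 0
    return struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt


def read_pcap(buf: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame) from an in-memory libpcap file (not pcapng)."""
    magics = {0xA1B2C3D4: ("<", 1e-6), 0xA1B23C4D: ("<", 1e-9),   # native-endian files
              0xD4C3B2A1: (">", 1e-6), 0x4D3CB2A1: (">", 1e-9)}   # byte-swapped files
    if len(buf) < 24 or struct.unpack_from("<I", buf, 0)[0] not in magics:
        raise ValueError("not a pcap file")
    endian, scale = magics[struct.unpack_from("<I", buf, 0)[0]]
    off = 24
    while off < len(buf):
        if off + 16 > len(buf):
            raise ValueError("truncated record header")
        sec, frac, caplen, _orig = struct.unpack_from(endian + "IIII", buf, off)
        off += 16
        pkt = buf[off:off + caplen]
        if len(pkt) < caplen:
            raise ValueError("truncated packet (file still being written?)")
        off += caplen
        yield sec + frac * scale, pkt


def ipv4_frame(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4 frame (zero MACs, proto 6, no checksum) for the demo data."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload


def ip_pair(pkt: bytes) -> Optional[Tuple[str, str]]:
    """(src, dst) of an IPv4-over-Ethernet frame, None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    return socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])


def conversation(a: str, b: str) -> Callable[[bytes], bool]:
    """Playback filter on source/destination IP, either direction."""
    want = {(a, b), (b, a)}
    return lambda pkt: ip_pair(pkt) in want


def files_for_window(names: List[str], t0: float, t1: float,
                     rotate_seconds: int = ROTATE_SECONDS) -> List[str]:
    """Ring-buffer files whose [start, start + rotate] span overlaps [t0, t1]."""
    chosen = []
    for name in sorted(names):
        try:
            start = calendar.timegm(time.strptime(name, FILE_FMT))
        except ValueError:
            continue                      # not one of the capture files
        if start <= t1 and start + rotate_seconds >= t0:
            chosen.append(name)
    return chosen


def carve_window(archive: Dict[str, bytes], alert_ts: float, before: float = 5.0,
                 after: float = 5.0, keep: Optional[Callable[[bytes], bool]] = None
                 ) -> Tuple[bytes, int]:
    """Packets from alert_ts - before to alert_ts + after, as a new pcap, plus the count."""
    lo, hi = alert_ts - before, alert_ts + after
    out, kept = bytearray(pcap_header()), 0
    for name in files_for_window(list(archive), lo, hi):
        for ts, pkt in read_pcap(archive[name]):
            if lo <= ts <= hi and (keep is None or keep(pkt)):
                out += pcap_record(ts, pkt)
                kept += 1
    return bytes(out), kept


def build_demo_archive() -> Dict[str, bytes]:
    """Constructed three-file archive: packets before, around and after the alert."""
    hour = ALERT_TS - ALERT_TS % ROTATE_SECONDS
    plan = {hour - ROTATE_SECONDS: [(ALERT_TS - 3000, "10.0.0.5", "192.0.2.10")],
            hour: [(ALERT_TS - 4, "10.0.0.5", "192.0.2.10"), (ALERT_TS - 1, "10.0.0.7", "192.0.2.10"),
                   (ALERT_TS, "10.0.0.5", "192.0.2.10"), (ALERT_TS + 3, "192.0.2.10", "10.0.0.5")],
            hour + ROTATE_SECONDS: [(ALERT_TS + 3700, "10.0.0.5", "192.0.2.10")]}
    archive = {}
    for start, pkts in plan.items():
        body = bytearray(pcap_header())
        for ts, src, dst in pkts:
            body += pcap_record(ts, ipv4_frame(src, dst, b"x" * 16))
        archive[time.strftime(FILE_FMT, time.gmtime(start))] = bytes(body)
    return archive


if __name__ == "__main__":
    arc = build_demo_archive()
    carved, n = carve_window(arc, ALERT_TS, 5, 5, conversation("10.0.0.5", "192.0.2.10"))
    print(f"kept {n} packets from {files_for_window(list(arc), ALERT_TS - 5, ALERT_TS + 5)}")
    with open("alert-window.pcap", "wb") as f:
        f.write(carved)               # open in Wireshark or feed back to Snort
```

The file-selection step is what makes a 7-day archive usable at all: you never scan 168 files for a ten-second window, only the one or two whose rotation span overlaps it. The carved file keeps the original timestamps, so it can be replayed or re-run through the IDS as-is.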
Current thread:
- halvar, record gigabit networking? IDS for forensics? Gadi Evron (Nov 17)
- Re: halvar, record gigabit networking? IDS for forensics? Thomas Ptacek (Nov 17)
- Re: halvar, record gigabit networking? IDS for forensics? David J. Bianco (Nov 17)
- Re: halvar, record gigabit networking? IDS for forensics? Bamm Visscher (Nov 19)
- Re: halvar, record gigabit networking? IDS for forensics? Nick Selby (Nov 17)
- Re: halvar, record gigabit networking? IDS for forensics? Danny Quist (Nov 19)