Snort mailing list archives

RE: Cisco IDS


From: "Joe Patterson" <jpatterson () asgardgroup com>
Date: Wed, 19 Jan 2005 14:28:09 -0500

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net]On Behalf Of Alex
Butcher, ISC/ISYS
Sent: Wednesday, January 19, 2005 10:49 AM
To: John Hally; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] Cisco IDS
...
The cool thing about Sguil is the ability to pull up a pcap file for the
particular event reported.

The same can be done quite easily with ACID, if you're using a spool
processor which respects tagged packets. FLoP, for instance, does this. I
then wrote a small amount of PHP around the included 'getpacket' utility to
retrieve all tagged packets that were related to the triggering packet.

The one flaw with this is that snort can't (and shouldn't!) retroactively
tag packets.  So you can only see the things that happen *after* a signature
fires.  If you want to see what happened leading up to a signature fire,
then you need something like what sguil does.

-Joe


