Dailydave mailing list archives

Re: halvar, record gigabit networking? IDS for forensics?


From: "David J. Bianco" <david () vorant com>
Date: Fri, 17 Nov 2006 11:37:37 -0500

Gadi Evron wrote:

> It sounds cool, but all I can really say having worked in such
> environments is "right", cynically. More useful than IDS for sure, though,
> if what you want is forensics (and actually have a way to sort through
> this if it really works and if it really catches everything - not to
> mention if my network is even that centralized)


We've been doing exactly this for years.  Of course, we've been using
Sguil and not the time machine, but the idea is the same, and it's
quite effective.  As you mentioned, it's great for forensics, but it's
best when combined with an IDS.  It's pretty easy to validate most alerts
when you have the raw traffic to fall back on.

Nice to see another addition to the Network Security Monitoring arsenal!

        David
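The workflow David describes (an IDS alert fires, the analyst pulls the matching raw session from full-content capture to confirm or dismiss it) can be illustrated with a small triage script. This is an added example, not code from the post, from Sguil or from the "time machine" project: it parses Snort's real "fast" alert format, but the session table, the addresses, rule ids and pcap file names are all constructed here, and the `Session` record is only loosely modelled on the flow/session records an NSM sensor keeps beside its packet capture. For each alert it finds the session whose 5-tuple and time window cover the alert (either direction, with a small clock-skew allowance) and builds the BPF filter an analyst would hand to tcpdump to carve that traffic out of the capture file; an alert with no matching session is flagged as unverifiable, which is exactly the gap full-content capture is meant to close.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input (not from the original post): three Snort-style
# "fast" alert lines. Rule ids, addresses and messages are made up.
ALERT_LINES = """\
11/17-11:37:37.123456  [**] [1:1000001:1] EXAMPLE WEB suspicious URI [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51822 -> 192.0.2.10:80
11/17-11:38:02.000000  [**] [1:1000002:1] EXAMPLE DNS long TXT query [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.25:53000 -> 198.51.100.53:53
11/17-11:40:15.500000  [**] [1:1000003:1] EXAMPLE SSH brute force [**] [Classification: Attempted Login] [Priority: 2] {TCP} 203.0.113.9:40000 -> 192.0.2.22:22
"""

# Snort fast format: timestamp, [gid:sid:rev], message, classification,
# priority, {proto}, src:port -> dst:port. The format carries no year.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Session:
    """Hypothetical session record kept beside full-content capture:
    5-tuple, time window and the pcap file holding the raw packets."""
    sid: str
    start: datetime
    end: datetime
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pcap_file: str


def parse_alert(line, year=2006):
    """Parse one Snort fast-format alert line; the year is supplied by the
    caller because the format omits it."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised alert line: {line!r}")
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return Alert(ts, int(m["sid"]), m["msg"], m["proto"],
                 m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def sessions_for_alert(alert, sessions, slack_seconds=1):
    """Return sessions whose 5-tuple matches the alert in either direction
    and whose time window (widened by slack for sensor clock skew) contains
    the alert timestamp."""
    slack = timedelta(seconds=slack_seconds)
    hits = []
    for s in sessions:
        if s.proto != alert.proto:
            continue
        tuple_fwd = (s.src, s.sport, s.dst, s.dport)
        tuple_rev = (s.dst, s.dport, s.src, s.sport)
        wanted = (alert.src, alert.sport, alert.dst, alert.dport)
        if wanted not in (tuple_fwd, tuple_rev):
            continue
        if s.start - slack <= alert.ts <= s.end + slack:
            hits.append(s)
    return hits


def bpf_filter(alert):
    """BPF expression that selects the alert's conversation, both directions,
    for use with `tcpdump -r <pcap_file> '<filter>'`."""
    return (f"{alert.proto.lower()} and host {alert.src} and port {alert.sport}"
            f" and host {alert.dst} and port {alert.dport}")


def triage(alert_lines, sessions):
    """Map each alert's rule sid to the ids of sessions holding its raw
    traffic; an empty list means the alert cannot be validated from capture."""
    result = {}
    for line in alert_lines.splitlines():
        if line.strip():
            a = parse_alert(line)
            result[a.sid] = [s.sid for s in sessions_for_alert(a, sessions)]
    return result


# Constructed session table. s-0002 was recorded server-first (the sensor
# saw the reply before the query), s-0003 ended before its alert fired.
D = datetime
SESSIONS = [
    Session("s-0001", D(2006, 11, 17, 11, 37, 36), D(2006, 11, 17, 11, 37, 40),
            "TCP", "203.0.113.7", 51822, "192.0.2.10", 80, "sensor1.2006-11-17.pcap"),
    Session("s-0002", D(2006, 11, 17, 11, 38, 2), D(2006, 11, 17, 11, 38, 3),
            "UDP", "198.51.100.53", 53, "192.0.2.25", 53000, "sensor1.2006-11-17.pcap"),
    Session("s-0003", D(2006, 11, 17, 11, 30, 0), D(2006, 11, 17, 11, 35, 0),
            "TCP", "203.0.113.9", 40000, "192.0.2.22", 22, "sensor1.2006-11-17.pcap"),
]

if __name__ == "__main__":
    for line in ALERT_LINES.splitlines():
        a = parse_alert(line)
        hits = sessions_for_alert(a, SESSIONS)
        if hits:
            for s in hits:
                print(f"sid {a.sid}: tcpdump -r {s.pcap_file} '{bpf_filter(a)}'")
        else:
            print(f"sid {a.sid}: no captured session, cannot validate from raw traffic")
```

The slack value is the knob worth thinking about in a real deployment: too small and alerts that fire on the first packet of a session miss the session record written a moment later, too large and a busy port pair returns several candidate sessions, so the analyst still has to pick among them.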
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave