Dailydave mailing list archives
Re: halvar, record gigabit networking? IDS for forensics?
From: "David J. Bianco" <david () vorant com>
Date: Fri, 17 Nov 2006 13:10:15 -0500
Gadi Evron wrote:
As in, locate an incident, look for that in the full capture... or alert on an incident, record X packets after it or communication to/from IP afterwards?
Definitely the former. Briefly, Sguil integrates IDS alerts (Snort), network session data (SANCP, which is similar to netflow or Argus) and full packet data into a single GUI tool. Given an alert, it's simple to find additional alerts, related network sessions or the actual packets. You can also do ad hoc queries, so you can start from some other information, like a suspect IP address or a weird network session and still locate the other relevant data. The intent is to provide the "what next?" that you're often left with when using traditional IDS.

If you'd like to check it out, see www.sguil.net. You could also check out my intro presentation, or the one I did with Richard Bejtlich at ShmooCon 2006:

http://www.vorant.com/files/nsm_with_sguil.pdf
http://www.shmoocon.org/2006/presentations/bejtlich_bianco_nsm-sguil_shmoocon06_13jan06.ppt
http://www.shmoocon.org/2006/videos/Bejtlich-Squil.mp4

David
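The alert-to-session-to-packet pivot that Bianco describes, as an added example in Python that is not Sguil's own code (Sguil itself is a Tcl/Tk application that queries database tables populated by Snort and SANCP). The record layouts, the function names and the sample alert, sessions and packets below are all constructed for illustration; the session data is modelled loosely on the SANCP fields (start/end time, 5-tuple, byte counts), and the BPF builder shows how a matching session is carved out of the full-content capture with tcpdump.

```python
from dataclasses import dataclass
from typing import List

# Hypothetical simplified records for the three data types Sguil correlates:
# an IDS alert, a SANCP-style session and an indexed packet (constructed).


@dataclass(frozen=True)
class Alert:
    ts: float            # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int           # 6 = TCP, 17 = UDP
    signature: str


@dataclass(frozen=True)
class Session:
    start: float
    end: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    src_bytes: int
    dst_bytes: int


@dataclass(frozen=True)
class Packet:
    ts: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    length: int


def _same_flow(a, b) -> bool:
    """True when two records share a 5-tuple in either direction."""
    if a.proto != b.proto:
        return False
    fwd = (a.src_ip, a.src_port, a.dst_ip, a.dst_port)
    rev = (a.dst_ip, a.dst_port, a.src_ip, a.src_port)
    return (b.src_ip, b.src_port, b.dst_ip, b.dst_port) in (fwd, rev)


def sessions_for_alert(alert: Alert, sessions: List[Session], slack: float = 1.0) -> List[Session]:
    """Pivot 1: alert -> sessions on the same flow that were active when it fired.
    'slack' tolerates clock skew between the sensor processes."""
    return [s for s in sessions
            if _same_flow(alert, s) and s.start - slack <= alert.ts <= s.end + slack]


def packets_for_session(session: Session, packets: List[Packet]) -> List[Packet]:
    """Pivot 2: session -> the packets that made it up, in time order."""
    hits = [p for p in packets
            if _same_flow(session, p) and session.start <= p.ts <= session.end]
    return sorted(hits, key=lambda p: p.ts)


def sessions_for_ip(ip: str, sessions: List[Session]) -> List[Session]:
    """Ad hoc query: every session touching an address as either endpoint."""
    return sorted((s for s in sessions if ip in (s.src_ip, s.dst_ip)), key=lambda s: s.start)


def bpf_for_session(session: Session) -> str:
    """BPF expression to carve this session out of a full-content pcap with tcpdump -r."""
    proto = {6: "tcp", 17: "udp"}.get(session.proto, "ip")
    return (f"{proto} and host {session.src_ip} and host {session.dst_ip} "
            f"and port {session.src_port} and port {session.dst_port}")


# Constructed sample data: one alert, four sessions, six packets.
ALERT = Alert(1000.5, "10.0.0.5", 44123, "192.0.2.10", 80, 6, "EXAMPLE suspicious HTTP request")
SESSIONS = [
    Session(1000.0, 1002.0, "10.0.0.5", 44123, "192.0.2.10", 80, 6, 600, 4200),     # matches alert
    Session(990.0, 995.0, "10.0.0.5", 44000, "192.0.2.10", 80, 6, 300, 1200),       # earlier, same hosts
    Session(1001.0, 1003.0, "10.0.0.7", 51000, "198.51.100.20", 443, 6, 900, 2100), # unrelated
    Session(1005.0, 1020.0, "192.0.2.10", 31337, "10.0.0.5", 4444, 6, 80, 9000),    # later, reverse direction
]
PACKETS = [
    Packet(1000.0, "10.0.0.5", 44123, "192.0.2.10", 80, 6, 74),
    Packet(1000.1, "192.0.2.10", 80, "10.0.0.5", 44123, 6, 74),
    Packet(1000.5, "10.0.0.5", 44123, "192.0.2.10", 80, 6, 512),
    Packet(1000.9, "192.0.2.10", 80, "10.0.0.5", 44123, 6, 1500),
    Packet(992.0, "10.0.0.5", 44000, "192.0.2.10", 80, 6, 300),
    Packet(1001.5, "10.0.0.7", 51000, "198.51.100.20", 443, 6, 200),
]

if __name__ == "__main__":
    for s in sessions_for_alert(ALERT, SESSIONS):
        print("session for alert:", s, "->", len(packets_for_session(s, PACKETS)), "packets")
        print("tcpdump filter:", bpf_for_session(s))
    for s in sessions_for_ip(ALERT.src_ip, SESSIONS):
        print("session touching", ALERT.src_ip, ":", s.start, s.src_ip, "->", s.dst_ip, s.dst_port)
```

Running it walks the "what next?" path: the alert resolves to exactly one session, that session to its four packets, and the ad hoc query on the source host also surfaces the earlier connection and the later reverse-direction session that the alert alone would never have pointed at.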