Dailydave mailing list archives

Re: halvar, record gigabit networking? IDS for forensics?


From: "David J. Bianco" <david () vorant com>
Date: Fri, 17 Nov 2006 13:10:15 -0500

Gadi Evron wrote:
As in, locate an incident, look for that in the full capture... or alert
on an incident, record X packets after it or communication to/from IP
afterwards?


Definitely the former.  Briefly, Sguil integrates IDS alerts (Snort),
network session data (SANCP, which is similar to netflow or Argus) and
full packet data into a single GUI tool.  Given an alert, it's simple to
find additional alerts, related network sessions or the actual packets.
You can also do ad hoc queries, so you can start from some other information,
like a suspect IP address or a weird network session and still locate
the other relevant data.  The intent is to provide the "what next?" that
you're often left with when using traditional IDS.

If you'd like to check it out, see www.sguil.net.  You could also
check out my intro presentation, or the one I did with Richard Bejtlich at
ShmooCon 2006:

http://www.vorant.com/files/nsm_with_sguil.pdf
http://www.shmoocon.org/2006/presentations/bejtlich_bianco_nsm-sguil_shmoocon06_13jan06.ppt
http://www.shmoocon.org/2006/videos/Bejtlich-Squil.mp4

        David
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
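Added example, not Sguil's code or its database schema: a small Python sketch of the pivot David describes, from a Snort-style alert to the SANCP-style session it belongs to, then to the full-content packets, plus the ad hoc "what else did this host do afterwards" query. The record shapes, the 2-second clock-skew slack and all sample alerts, sessions and packets are constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import NamedTuple
def S(n): return datetime(2006, 11, 17, 13, 0, 0) + timedelta(seconds=n)  # constructed timestamps
class Alert(NamedTuple):    # Snort-style IDS alert (constructed shape, not Sguil's schema)
    ts: datetime; sig: str; src: str; sport: int; dst: str; dport: int
class Session(NamedTuple):  # SANCP/netflow-style session record (constructed shape)
    start: datetime; end: datetime; src: str; sport: int; dst: str; dport: int
class Packet(NamedTuple):   # one packet from the full-content capture (constructed shape)
    ts: datetime; src: str; sport: int; dst: str; dport: int; payload: bytes

def same_flow(a, b):
    """True when two records share a 5-tuple, in either direction."""
    fwd = (a.src, a.sport, a.dst, a.dport) == (b.src, b.sport, b.dst, b.dport)
    rev = (a.src, a.sport, a.dst, a.dport) == (b.dst, b.dport, b.src, b.sport)
    return fwd or rev

def sessions_for_alert(alert, sessions, slack=timedelta(seconds=2)):
    """Pivot 1: the session the alert fired in; slack absorbs sensor clock skew."""
    return [s for s in sessions
            if same_flow(alert, s) and s.start - slack <= alert.ts <= s.end + slack]

def packets_for_session(session, packets):
    """Pivot 2: the full content of that session, in time order."""
    return sorted((p for p in packets
                   if same_flow(session, p) and session.start <= p.ts <= session.end),
                  key=lambda p: p.ts)

def sessions_for_host(ip, sessions, since):
    """Ad hoc query: every session touching a suspect host from a given time on."""
    return [s for s in sessions if ip in (s.src, s.dst) and s.end >= since]

# Constructed sample data: an alert on one HTTP session, an unrelated HTTP session, and the alerting host calling a new peer afterwards.
ALERT = Alert(S(1), "WEB-MISC sample signature", "10.0.0.5", 40000, "192.0.2.10", 80)
SESSIONS = [
    Session(S(0), S(3), "10.0.0.5", 40000, "192.0.2.10", 80),
    Session(S(0), S(3), "10.0.0.7", 40001, "192.0.2.10", 80),
    Session(S(30), S(90), "10.0.0.5", 40002, "198.51.100.9", 4444),
]
PACKETS = [
    Packet(S(2), "192.0.2.10", 80, "10.0.0.5", 40000, b"HTTP/1.1 200 OK\r\n"),
    Packet(S(1), "10.0.0.5", 40000, "192.0.2.10", 80, b"GET /sample HTTP/1.1\r\n"),
    Packet(S(1), "10.0.0.7", 40001, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
]

def investigate(alert=ALERT):
    """The 'what next?' chain: alert -> its session -> its packets -> later host activity."""
    sess = sessions_for_alert(alert, SESSIONS)
    pkts = [p for s in sess for p in packets_for_session(s, PACKETS)]
    return sess, pkts, sessions_for_host(alert.src, SESSIONS, since=alert.ts)
```

Against real sensor data the same three lookups would be SQL queries over the alert, session and packet stores; the point here is that each answer is keyed off the previous one, which is what turns an alert into an investigation.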
