Firewall Wizards mailing list archives

Re: Taking a traffic snapshot with network IDS


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 21 Jun 2010 09:38:38 -0400

Yack, Daniel wrote:
> I realize this is a pretty simple problem – but getting back to basics is always a good thing. I do have some linux experience, but am not a ‘power user’. Any ideas on tools or what to use for this? An IDS/IPS is probably the answer here, right?

I think you might want to look at things like argus, urlsniff, and
wireshark for your data-gathering, if data is what you're
after. What an IDS does is give you its notion of what it saw,
based on its rules (i.e.: the preconceptions of whoever wrote the
IDS' rule-base). If you're trying to do discovery, you want the
undigested raw data, or something closer to it.

That said, an IDS can be turned into one heck of a nice data-gathering
device if it's programmed to collect and report on events rather than
to look specifically for intrusions. I.e.: a DNS logging signature
set, URL logging signatures, DHCP logging, connectivity tracking,
usage statistics, etc. There might be some snort signature-sets out
there for logging and collection and those would be a good place to
start.

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
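As an added illustration of the "IDS as data-gathering device" idea in the message above (this is not from the original post, and not a published Snort rule set), here is a small Snort 2.x rule file whose rules use the `log` action rather than `alert`: each one records an event (DNS queries and responses, HTTP request lines, DHCP exchanges, new outbound TCP sessions) instead of flagging an attack. The `msg` strings, the `sid` values (local rules must use sids of 1000000 or higher) and the rule grouping are assumptions of this example; `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` are the standard variables defined in `snort.conf`, which this file assumes has already set them.

```snort
# logging.rules -- added example, not part of the original message.
# Collection-only rules: every rule uses the "log" action, so matching
# packets are written to the log directory (-l) and nothing is raised as
# an intrusion alert. Assumes the usual snort.conf variables are defined.

# --- DNS ---------------------------------------------------------------
# Byte 2 of the DNS header carries the QR bit (0x80): clear = query,
# set = response. byte_test with "!&" matches when the bit is NOT set.
log udp $HOME_NET any -> any 53 (msg:"LOG DNS query"; \
    byte_test:1,!&,0x80,2; sid:1000001; rev:1;)
log udp any 53 -> $HOME_NET any (msg:"LOG DNS response"; \
    byte_test:1,&,0x80,2; sid:1000002; rev:1;)

# --- HTTP request lines (URL logging) ----------------------------------
# Match the request line at the start of the client payload on an
# established session; the logged packet carries the full URI.
log tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOG HTTP request"; \
    flow:to_server,established; pcre:"/^(GET|POST|HEAD|PUT|DELETE) /"; \
    sid:1000003; rev:1;)

# --- DHCP --------------------------------------------------------------
# Client -> server on 68/67 (DISCOVER, REQUEST, RELEASE), and the server
# replies the other way (OFFER, ACK, NAK). Logging both sides gives you
# a running IP-to-MAC inventory from the captured packets.
log udp any 68 -> any 67 (msg:"LOG DHCP client message"; sid:1000004; rev:1;)
log udp any 67 -> any 68 (msg:"LOG DHCP server message"; sid:1000005; rev:1;)

# --- Connectivity tracking ---------------------------------------------
# One log entry per new outbound TCP session: SYN only, ignoring the two
# ECN bits (the ",12" mask) so ECN-capable hosts are not missed.
log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOG outbound TCP SYN"; \
    flags:S,12; sid:1000006; rev:1;)
```

Drop the file into the rules directory and reference it from `snort.conf` with `include $RULE_PATH/logging.rules`, then run Snort with `-l` pointing at a log directory. The point of the `log` action over `alert` is exactly the one the message makes: the output is a record of what the sensor saw, closer to the raw data, rather than a verdict on whether it was hostile. The DNS and TCP rules are deliberately general (all queries, all new sessions), since for discovery you want volume; tighten them with `tag` or rate limits once you know what the network looks like.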

