Firewall Wizards mailing list archives
Re: Taking a traffic snapshot with network IDS
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 21 Jun 2010 09:38:38 -0400
Yack, Daniel wrote:

> I realize this is a pretty simple problem, but getting back to basics is always a good thing. I do have some Linux experience, but am not a 'power user'. Any ideas on tools or what to use for this? An IDS/IPS is probably the answer here, right?

I think you might want to look at things like argus, urlsniff, and wireshark for your data-gathering, if data is what you're after. What an IDS does is give you its notion of what it saw, based on its rules (i.e.: the preconceptions of whoever wrote the IDS' rule-base). If you're trying to do discovery, you want the undigested raw data, or something closer to it.

That said, an IDS can be turned into one heck of a nice data-gathering device if it's programmed to collect and report on events rather than to look specifically for intrusions. I.e.: a DNS logging signature set, URL logging signatures, DHCP logging, connectivity tracking, usage statistics, etc. There might be some snort signature-sets out there for logging and collection and those would be a good place to start.

mjr.

--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
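To make the "collect and report on events rather than look for intrusions" idea concrete, the following is an added example (written for this archive page, not code from the thread or from any of the tools named in it). It is a minimal passive DNS query logger of the kind a "DNS logging signature set" would approximate: it parses the raw UDP payload of a DNS query, extracts the queried name and record type, and emits one log record per query. The sample packets are constructed inline with a helper, and the source-host names are hypothetical. Unlike a detection rule, nothing here judges whether a query is bad; it simply records what was seen, which is the raw data useful for discovery. The name parser handles DNS label compression and bounds-checks every read, since a collector that sits on a tap must not crash on malformed input.

```python
"""Passive DNS query logger (added example, not from the original thread).

Parses the raw UDP payload of DNS queries (RFC 1035 wire format) and
produces one log record per query. Sample packets are constructed below.
"""
import struct
from dataclasses import dataclass

# Human-readable names for the record types seen most often in practice.
QTYPE_NAMES = {1: "A", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


@dataclass
class DnsQuery:
    txid: int
    qname: str
    qtype: int
    qclass: int


def parse_name(payload: bytes, offset: int) -> tuple[str, int]:
    """Read a DNS name at `offset`; returns (name, offset after the name).

    Supports RFC 1035 compression pointers and refuses pointer loops,
    so a hostile or corrupted packet cannot hang the collector.
    """
    labels = []
    jumped = False
    end = offset
    hops = 0
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # name ends after the first pointer
            jumped = True
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        if offset + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_dns_query(payload: bytes) -> DnsQuery:
    """Parse the header and first question of a DNS query payload."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not query")
    if qdcount != 1:
        raise ValueError(f"unexpected question count {qdcount}")
    qname, off = parse_name(payload, 12)
    if off + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    return DnsQuery(txid, qname, qtype, qclass)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Construct a standard recursive query payload (used only for sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def log_queries(packets: list[tuple[str, bytes]]) -> list[str]:
    """Turn (source_host, payload) pairs into log records; never raises."""
    records = []
    for src, payload in packets:
        try:
            q = parse_dns_query(payload)
        except ValueError as exc:
            records.append(f"{src} malformed-dns: {exc}")
            continue
        records.append(f"{src} {QTYPE_NAMES.get(q.qtype, str(q.qtype))} {q.qname}")
    return records


# Constructed sample traffic (hypothetical hosts, no real capture involved).
SAMPLE_PACKETS = [
    ("host-a", build_query(0x1234, "www.example.com")),
    ("host-b", build_query(0x0007, "mail.example.org", qtype=15)),
    ("host-c", build_query(0x0042, "www.example.com")[:20]),   # truncated on the wire
]

if __name__ == "__main__":
    for line in log_queries(SAMPLE_PACKETS):
        print(line)
```

Run as a script it prints one line per sample packet, including a `malformed-dns` record for the truncated one. Feeding it real traffic means handing it the UDP payloads from a capture library; the parsing and logging logic stays the same, and the point is that the output is a complete record of what was asked, not just the subset some rule author thought worth alerting on.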