IDS mailing list archives

Re: Ability for SIM to perform tcp stream reassembly


From: Bamm Visscher <bamm.visscher () gmail com>
Date: Tue, 27 Sep 2005 14:54:53 -0600

Have you looked at what we do with sguil[0]?  It provides quick access
to snort alerts, pcap, and flow data (via sancp).

Bammkkkk

[0] http://www.sguil.net

On 24 Sep 2005 02:19:35 -0000, Thyrymn () gmail com <Thyrymn () gmail com> wrote:
Hello.

I am currently evaluating some SIM products, however, I am having difficulty getting the vendors to understand what I mean by tcp stream reassembly.

One of the things I want the sim to do is to be able to take raw packet data -- i.e., what is in tcpdump -r file -s0 -- search it for a text string, and turn it into a file.

Right now, what I have to do is take a known time that an event happened, unzip it, tcpdump -r file -w file2 <some filters here>, tcpflow -r file2, and grep <string> * to find what legal has requested.

Anyone know which ones have this capability built in or can add it on?

Thanks,
Thy

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

--
sguil - The Analyst Console for NSM
http://sguil.sf.net

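An added example (not from this thread, and not sguil's code) of the reassembly step Thy describes: a minimal pure-Python pcap reader that groups TCP segments per flow, reorders them by sequence number, and searches the rebuilt stream, so a string split across two segments is found where a per-packet grep would miss it. The capture, the 10.0.0.x addresses and the SMTP-looking payloads are constructed in memory for the demonstration.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield raw frames from a classic libpcap file (24-byte global header, 16-byte record headers)."""
    e = "<" if struct.unpack_from("<I", data)[0] == 0xA1B2C3D4 else ">"  # capture host byte order
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from(e + "IIII", data, off)[2]  # captured length of this record
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def tcp_segment(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_len = struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + ip_len]
    sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
    return (frame[26:30], sport, frame[30:34], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap):
    """Rebuild each one-way TCP stream by ordering its segments on sequence number."""
    flows = defaultdict(dict)
    for frame in parse_pcap(pcap):
        seg = tcp_segment(frame)
        if seg and seg[2]:
            key, seq, payload = seg
            flows[key].setdefault(seq, payload)  # first copy wins on a retransmit
    return {k: b"".join(v[s] for s in sorted(v)) for k, v in flows.items()}

def search_streams(pcap, needle):
    """Flows whose reassembled stream contains needle, even when it spans segments."""
    return [k for k, stream in reassemble(pcap).items() if needle in stream]
def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst) + tcp
    return bytes(12) + b"\x08\x00" + ip  # zeroed MACs, EtherType IPv4
def build_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    out += [struct.pack("<IIII", 1127500000 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)]
    return b"".join(out)
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])  # constructed sample addresses
SAMPLE_PCAP = build_pcap([  # constructed capture, not real traffic
    _frame(SRC, 40000, DST, 25, 1004, b"ect: legal hold notice\r\n"),  # captured first
    _frame(SRC, 40000, DST, 25, 1000, b"Subj"),                        # its predecessor, arrives late
    _frame(DST, 25, SRC, 40000, 5000, b"250 OK\r\n"),
])
```

`search_streams(SAMPLE_PCAP, b"Subject")` returns only the client-to-server flow, while no single frame in the capture contains that string; out-of-order and retransmitted segments are handled, but gaps from dropped packets are simply concatenated over, so a production tool should also check for sequence holes.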