Snort mailing list archives

RE: [Off topic] Traffic analysis


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Fri, 5 Dec 2003 18:20:02 -0800 (PST)

Erwin,

I forgot to mention two other ways to collect
session data:

4.  Tcptrace
(http://irg.cs.ohiou.edu/software/tcptrace) may be
built with packet analysis in mind, but it also
provides session data.

5.  Snort's stream4 preprocessor can flush session
stats periodically if told via "keepstats".  The
following logs session data to the file ssn_logs:

preprocessor stream4: detect_scans, disable_evasion_alerts, keepstats db /nsm/snort/ssn_logs

The keepstats output isn't intended for direct human
consumption, but it can be parsed to provide more
readable output.  We use this method for session data
in the Sguil project (http://sguil.sf.net).

Argus, SANCP, tcptrace, and Snort keepstats can all be
run against pcap traces.  I'm not sure if the NetFlow
tools do this.

Sincerely,

Richard
http://taosecurity.com
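An added example, not from the message above and not code from Snort, Sguil, Argus, SANCP or tcptrace: it shows what "session data" is by reducing a small constructed list of packets into one record per connection (initiator, responder, start and end time, packets and bytes in each direction, observed TCP flags), which is the kind of summary the tools named in the message produce. The pipe-delimited output format, the field names and the sample packets are all assumptions made for this example; the real keepstats file layout is not reproduced here.

```python
"""Aggregate packets into bidirectional session records (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0
    src_flags: Set[str] = field(default_factory=set)
    dst_flags: Set[str] = field(default_factory=set)

# Constructed sample input (not a real capture):
# (timestamp, src, sport, dst, dport, proto, frame length, TCP flag letters)
SAMPLE_PACKETS = [
    (1070320001.0, "10.1.1.5", 40123, "192.0.2.10", 80, "tcp", 60, "S"),
    (1070320001.1, "192.0.2.10", 80, "10.1.1.5", 40123, "tcp", 60, "SA"),
    (1070320001.2, "10.1.1.5", 40123, "192.0.2.10", 80, "tcp", 52, "A"),
    (1070320001.3, "10.1.1.5", 40123, "192.0.2.10", 80, "tcp", 300, "PA"),
    (1070320001.5, "192.0.2.10", 80, "10.1.1.5", 40123, "tcp", 1500, "PA"),
    (1070320002.0, "10.1.1.5", 40123, "192.0.2.10", 80, "tcp", 52, "FA"),
    (1070320002.1, "192.0.2.10", 80, "10.1.1.5", 40123, "tcp", 52, "FA"),
    (1070320005.0, "10.1.1.7", 5353, "10.1.1.1", 53, "udp", 70, ""),
    (1070320005.1, "10.1.1.1", 53, "10.1.1.7", 5353, "udp", 150, ""),
]

def session_key(src: str, sport: int, dst: str, dport: int, proto: str) -> Tuple:
    """Direction-independent key so both halves of a conversation share one record."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def build_sessions(packets) -> List[Session]:
    """One pass over the packets; the first packet seen defines the initiator."""
    table: Dict[Tuple, Session] = {}
    for ts, src, sport, dst, dport, proto, length, flags in packets:
        key = session_key(src, sport, dst, dport, proto)
        s = table.get(key)
        if s is None:
            s = Session(src, sport, dst, dport, proto, ts, ts)
            table[key] = s
        s.end = max(s.end, ts)
        if (src, sport) == (s.src, s.sport):      # initiator -> responder
            s.src_pkts += 1
            s.src_bytes += length
            s.src_flags.update(flags)
        else:                                      # responder -> initiator
            s.dst_pkts += 1
            s.dst_bytes += length
            s.dst_flags.update(flags)
    return list(table.values())

def format_record(s: Session) -> str:
    """Assumed pipe-delimited layout, chosen for this example only."""
    return "|".join(str(v) for v in (
        s.proto, s.start, s.end, s.src, s.sport, s.dst, s.dport,
        s.src_pkts, s.src_bytes, s.dst_pkts, s.dst_bytes,
        "".join(sorted(s.src_flags)), "".join(sorted(s.dst_flags))))

if __name__ == "__main__":
    for rec in build_sessions(SAMPLE_PACKETS):
        print(format_record(rec))
```

Running the script prints two records, one for the HTTP connection and one for the DNS exchange; the per-direction byte and packet counts are the part that lets an analyst spot a session worth pulling full content for.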

