Re: [Dailydave] halvar, record gigabit networking? IDS for forensics?
From: David J. Bianco (davidvorant.com)
Date: Fri Nov 17 2006 - 12:10:15 CST
Gadi Evron wrote:
> As in, locate an incident, look for that in the full capture... or alert
> on an incident, record X packets after it or communication to/from IP
Definitely the former. Briefly, Sguil integrates IDS alerts (Snort),
network session data (SANCP, which is similar to netflow or Argus) and
full packet data into a single GUI tool. Given an alert, it's simple to
find additional alerts, related network sessions or the actual packets.
You can also do ad hoc queries, so you can start from some other information,
like a suspect IP address or a weird network session and still locate
the other relevant data. The intent is to provide the "what next?" that
you're often left with when using traditional IDS.
If you'd like to check it out, see www.sguil.net. You could also
check out my intro presentation, or the one I did with Richard Bejtlich at
Dailydave mailing list
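The alert-to-session-to-packet pivot described in the reply above, as an added illustration that is not part of the original post and is not Sguil's own code (Sguil stores these records in a database and queries them from its GUI). The record layouts, the Snort-style alert fields, the SANCP-style session fields and all sample data below are constructed for the example; the correlation rule is the one the post implies: an alert, a session and a packet belong together when they share a 5-tuple in either direction and overlap in time, and an ad hoc query by host IP finds everything else that host touched.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


# Constructed record types, modelled loosely on the three data sources
# the post names: Snort alerts, SANCP session (flow) records, and
# full-content packet captures. Field names are assumptions.
@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int          # Snort rule id
    msg: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Session:
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    src_bytes: int
    dst_bytes: int


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int


def same_conversation(a, b) -> bool:
    """True when two records share a 5-tuple in either direction.

    The reverse match matters: replies from the server carry the
    swapped address/port pair and must still count as the same flow.
    """
    if a.proto != b.proto:
        return False
    fwd = (a.src, a.sport, a.dst, a.dport) == (b.src, b.sport, b.dst, b.dport)
    rev = (a.src, a.sport, a.dst, a.dport) == (b.dst, b.dport, b.src, b.sport)
    return fwd or rev


def sessions_for_alert(alert: Alert, sessions: List[Session]) -> List[Session]:
    """Pivot 1: the session(s) an alert fired inside of."""
    return [s for s in sessions
            if same_conversation(alert, s) and s.start <= alert.ts <= s.end]


def packets_for_session(session: Session, packets: List[Packet]) -> List[Packet]:
    """Pivot 2: the full-content packets belonging to one session."""
    return [p for p in packets
            if same_conversation(session, p) and session.start <= p.ts <= session.end]


def sessions_for_host(ip: str, sessions: List[Session],
                      since: Optional[datetime] = None) -> List[Session]:
    """Ad hoc query: every session a suspect host took part in, optionally
    limited to sessions still open at or after `since`."""
    return [s for s in sessions
            if ip in (s.src, s.dst) and (since is None or s.end >= since)]


def investigate(alert: Alert, sessions: List[Session], packets: List[Packet]) -> dict:
    """Answer the 'what next?' for one alert: its session, that session's
    packets, and everything else the alerting source host did."""
    hits = sessions_for_alert(alert, sessions)
    return {
        "sessions": hits,
        "packets": [p for s in hits for p in packets_for_session(s, packets)],
        "host_sessions": sessions_for_host(alert.src, sessions),
    }


# Constructed sample data (RFC 5737 documentation addresses).
T = datetime(2006, 11, 17, 12, 0, 0)
s = lambda secs: T + timedelta(seconds=secs)

ALERTS = [
    Alert(s(10), 1000001, "CONSTRUCTED suspicious outbound HTTP",
          "10.0.0.5", 41234, "192.0.2.10", 80, "tcp"),
]
SESSIONS = [
    Session(s(5), s(20), "10.0.0.5", 41234, "192.0.2.10", 80, "tcp", 512, 2048),
    Session(s(60), s(70), "10.0.0.5", 41235, "192.0.2.10", 443, "tcp", 300, 900),
    Session(s(30), s(40), "10.0.0.7", 5000, "198.51.100.3", 22, "tcp", 100, 100),
]
PACKETS = [
    Packet(s(5), "10.0.0.5", 41234, "192.0.2.10", 80, "tcp", 60),      # client SYN
    Packet(s(5.1), "192.0.2.10", 80, "10.0.0.5", 41234, "tcp", 60),    # server SYN/ACK
    Packet(s(10), "10.0.0.5", 41234, "192.0.2.10", 80, "tcp", 300),    # request that fired the alert
    Packet(s(61), "10.0.0.5", 41235, "192.0.2.10", 443, "tcp", 60),    # a different session
]

if __name__ == "__main__":
    result = investigate(ALERTS[0], SESSIONS, PACKETS)
    print(f"{len(result['sessions'])} session(s), {len(result['packets'])} packet(s), "
          f"{len(result['host_sessions'])} session(s) for host {ALERTS[0].src}")
```

Running it on the sample data returns one matching session, the three packets of that session (including the server's reply, which only the bidirectional 5-tuple match catches), and two sessions for the alerting host; a tool like the one described would present those three result sets as the analyst's next steps.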