Re: [Dailydave] halvar, record gigabit networking? IDS for forensics?
From: David J. Bianco (david at vorant.com)
Date: Fri Nov 17 2006 - 12:10:15 CST
Gadi Evron wrote:
> As in, locate an incident, look for that in the full capture... or alert
> on an incident, record X packets after it or communication to/from IP
> afterwards?
>
Definitely the former. Briefly, Sguil integrates IDS alerts (Snort),
network session data (SANCP, which is similar to netflow or Argus) and
full packet data into a single GUI tool. Given an alert, it's simple to
find additional alerts, related network sessions or the actual packets.
You can also do ad hoc queries, so you can start from some other information,
like a suspect IP address or a weird network session and still locate
the other relevant data. The intent is to provide the "what next?" that
you're often left with when using traditional IDS.
If you'd like to check it out, see www.sguil.net. You could also
check out my intro presentation, or the one I did with Richard Bejtlich at
Schmoocon 2006:
http://www.vorant.com/files/nsm_with_sguil.pdf
http://www.shmoocon.org/2006/presentations/bejtlich_bianco_nsm-sguil_shmoocon06_13jan06.ppt
http://www.shmoocon.org/2006/videos/Bejtlich-Squil.mp4
David
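The pivot David describes (start from a Snort alert, find the SANCP session it belongs to, then pull the packets for that session, or start from a suspect IP and work outward) is easy to sketch in code. The example below is added for this archive page and is not Sguil's code or its database schema; the record layouts, the flow-key matching rule and all sample alerts, sessions and packets are constructed here purely to illustrate the alert-to-session-to-packet correlation.

```python
"""Added example: correlating IDS alerts, session records and packets.

Not Sguil's own code. Record layouts and sample data are constructed for
this demonstration; a real deployment would query the alert, session and
pcap stores instead of in-memory lists.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:          # one IDS (e.g. Snort) alert
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    sig: str


@dataclass(frozen=True)
class Session:        # one network session record (netflow/Argus/SANCP style)
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    bytes_total: int


@dataclass(frozen=True)
class Packet:         # one frame from the full packet capture
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def flow_key(src, sport, dst, dport):
    """Direction-independent endpoint pair, so reply packets match the session."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def sessions_for_alert(alert, sessions, slack=timedelta(seconds=5)):
    """Sessions between the alert's endpoints whose lifetime covers the alert time.

    'slack' allows for clock skew between the sensor that raised the alert
    and the session collector (assumed tolerance, not a Sguil setting).
    """
    key = flow_key(alert.src, alert.sport, alert.dst, alert.dport)
    return [s for s in sessions
            if flow_key(s.src, s.sport, s.dst, s.dport) == key
            and s.start - slack <= alert.ts <= s.end + slack]


def packets_for_session(session, packets):
    """All captured frames belonging to a session, in time order."""
    key = flow_key(session.src, session.sport, session.dst, session.dport)
    return sorted((p for p in packets
                   if flow_key(p.src, p.sport, p.dst, p.dport) == key
                   and session.start <= p.ts <= session.end),
                  key=lambda p: p.ts)


def sessions_for_ip(ip, sessions):
    """Ad hoc query: every session touching a suspect address, either side."""
    return [s for s in sessions if ip in (s.src, s.dst)]


# Constructed sample data (documentation/example address ranges).
T = datetime(2006, 11, 17, 12, 0, 0)
ALERTS = [Alert(T + timedelta(seconds=3), "10.0.0.5", 40123,
                "192.0.2.10", 80, "EXAMPLE-SIG constructed web alert")]
SESSIONS = [
    Session(T, T + timedelta(seconds=10), "10.0.0.5", 40123, "192.0.2.10", 80, 4200),
    Session(T + timedelta(seconds=30), T + timedelta(seconds=40),
            "10.0.0.5", 40124, "192.0.2.10", 80, 800),
    Session(T, T + timedelta(seconds=60), "10.0.0.7", 51000, "198.51.100.3", 443, 9000),
]
PACKETS = [
    Packet(T + timedelta(seconds=1), "10.0.0.5", 40123, "192.0.2.10", 80, 60),
    Packet(T + timedelta(seconds=2), "192.0.2.10", 80, "10.0.0.5", 40123, 60),
    Packet(T + timedelta(seconds=3), "10.0.0.5", 40123, "192.0.2.10", 80, 512),
    Packet(T + timedelta(seconds=35), "10.0.0.5", 40124, "192.0.2.10", 80, 300),
]


def pivot(alert, sessions=SESSIONS, packets=PACKETS):
    """What an analyst gets after selecting an alert: its sessions and their packets."""
    hits = sessions_for_alert(alert, sessions)
    pkts = [p for s in hits for p in packets_for_session(s, packets)]
    return hits, pkts


if __name__ == "__main__":
    hits, pkts = pivot(ALERTS[0])
    print(f"alert {ALERTS[0].sig!r} -> {len(hits)} session(s), {len(pkts)} packet(s)")
    for p in pkts:
        print(f"  {p.ts.time()} {p.src}:{p.sport} -> {p.dst}:{p.dport} len={p.length}")
    print("sessions touching 192.0.2.10:", len(sessions_for_ip("192.0.2.10", SESSIONS)))
```

The direction-independent flow key is the detail that matters: an alert fires on one direction of a conversation, while the session and the reply packets carry the endpoints reversed, so matching on a raw 5-tuple would silently drop half the evidence.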
_______________________________________________
Dailydave mailing list
Dailydave at lists.immunitysec.com
http://lists.immunitysec.com/mailman/listinfo/dailydave