From: Chmielarski TOM-ATC090 (Tom.Chmielarski_at_motorola.com)
Date: Mon Jan 13 2003 - 11:25:08 CST


    Terje,
    Just a thought - If you have a lot of these files it might be easier to process them in TCPdump format, as there are more command-line (scriptable!) tools that will parse the data for you. There is an option in BlackICE that will do this for you, but since you already have the data... Perhaps someone can suggest a tool that does packet capture file conversions efficiently?
     
    To kludge the conversion with BlackICE itself - the following, in theory as I understand it, should work. Reparse the evidence files with a copy of the BlackICE engine to get them into .tcp format, then you can use tcpdump or whatever command line tool you want to parse your data all day long. Remember, since those are only evidence files (as opposed to full packet captures) it may not have everything you need.
     
    - stop blackice engine, make a copy of BlackICE in a separate folder. Add 'evidence.filesuffix=.tcp' to the blackice.ini file
    - rerun the evidence file through BlackICE engine via the -r command: blackd.exe -r evd001.enc
     
    To do on several enc files this may work:
    for %n in (evd*.enc) do blackice.exe -r %n
     
    To view as text follow that with
    for %n in (evd*.tcp) do windump -n -X -r %n >>output.txt
     
    -Tom
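    As an added example (not code from Tom's message, nor anything shipped with BlackICE or ISS), once the evidence files have been re-emitted in tcpdump/windump format as Tom describes, the capture can be parsed with a few dozen lines of standard-library Python instead of grepping through `windump -X` output. The script below walks the libpcap global header and packet records, decodes Ethernet/IPv4 and the TCP or UDP port fields, emits the CSV view Terje asked for, and counts packets per flow so that the hosts and ports hit hardest during an attack stand out. It assumes Ethernet link type and microsecond-resolution pcap files; the sample capture, IP addresses, ports and timestamps are constructed inline for the demo and are not from any real evidence file.

```python
# Added example (not from the original thread): a stdlib-only reader for
# tcpdump/windump-format (libpcap) capture files that turns each IPv4 packet
# into a CSV row and counts packets per flow. Assumes Ethernet frames and the
# classic microsecond pcap header; the sample capture below is constructed.
import csv
import io
import struct
from collections import Counter

ETHERTYPE_IPV4 = 0x0800
TCP_FLAG_NAMES = "FSRPAU"  # bit 0 = FIN, 1 = SYN, 2 = RST, 3 = PSH, 4 = ACK, 5 = URG


def _endianness(magic):
    """Return the struct byte-order prefix for the file (microsecond pcap only)."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a libpcap (tcpdump-format) file: bad magic %r" % magic)


def _decode_frame(frame):
    """Decode Ethernet/IPv4 plus TCP/UDP ports and TCP flags; None for non-IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                      # 6 = TCP, 17 = UDP
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    row = {"src": src, "dst": dst, "proto": proto, "sport": "", "dport": "", "flags": ""}
    if proto in (6, 17) and len(l4) >= 4:
        row["sport"], row["dport"] = struct.unpack("!HH", l4[:4])
    if proto == 6 and len(l4) >= 14:
        bits = l4[13]                      # TCP flags byte
        row["flags"] = "".join(n for i, n in enumerate(TCP_FLAG_NAMES) if bits & (1 << i))
    return row


def parse_pcap(data):
    """Walk the global header and packet records; return one dict per IPv4 packet."""
    end = _endianness(data[:4])
    _maj, _min, _tz, _sig, _snaplen, linktype = struct.unpack(end + "HHiIII", data[4:24])
    if linktype != 1:                      # DLT_EN10MB: only Ethernet is decoded here
        raise ValueError("unsupported link type %d" % linktype)
    rows, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[pos:pos + 16])
        pos += 16
        frame = data[pos:pos + incl_len]
        pos += incl_len
        if len(frame) < incl_len:
            break                          # truncated final record: stop, don't mis-parse
        row = _decode_frame(frame)
        if row:
            row["time"] = "%d.%06d" % (ts_sec, ts_usec)
            rows.append(row)
    return rows


def flow_counts(rows):
    """Packets per (src, dst, dport, proto): a quick view of who hammered what."""
    return Counter((r["src"], r["dst"], r["dport"], r["proto"]) for r in rows)


def to_csv(rows):
    """Render the decoded packets as CSV text."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["time", "src", "dst", "proto", "sport", "dport", "flags"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


def _ipv4_packet(src, dst, sport, dport, flag_bits):
    """Constructed frame for the demo: Ethernet + minimal IPv4 + TCP header, no payload."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_bits, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def sample_capture():
    """Constructed little-endian pcap: three SYNs to port 80 and one to port 22."""
    frames = [_ipv4_packet("10.0.0.5", "192.0.2.10", 40000 + i, 80, 0x02) for i in range(3)]
    frames.append(_ipv4_packet("10.0.0.5", "192.0.2.10", 40003, 22, 0x02))
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1042200000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    recs = parse_pcap(sample_capture())
    print(to_csv(recs))
    for flow, n in flow_counts(recs).most_common():
        print(flow, n)
```

    To use it on a real converted file, read the bytes with `open(path, "rb").read()` and pass them to `parse_pcap`; `flow_counts` over the rows from every evidence file gives the per-source, per-port tallies that are usually the first thing asked for when logs are prepared for a case. The parser stops cleanly on a truncated final record rather than raising, which matters for evidence files that were cut off mid-write.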
     
    -----Original Message-----
    From: Rich Shinnick [mailto:rich@stigroup.net]
    Sent: Friday, January 10, 2003 11:48 AM
    To: 'Terje Thøgersen'; ISSForum@iss.net
    Subject: RE: [ISSForum] Reading an evd000.enc file

    Try netmon.exe from Microsoft. This is the Network Monitor software, which can read .enc files.

    Regards,

    Richard J. Shinnick - Senior Partner
    Secure Technology Integration Group, Ltd.
    Ansonia Station - P.O. Box 237165
    New York, NY 10023

    OFFICE: 212.340.9488 HOME: 201.236.9371
    CELL: 201.220.7484 FAX: 646.349.4616

    This message, and any attachments to it, contains confidential, proprietary and/or legally privileged information and must not, directly or indirectly, be disclosed, used, copied, or transmitted in any form or by any means without prior written permission from Secure Technology Integration Group, Ltd. (STIGroup). If you are not the intended recipient, delete the message and any attachments from your system without reading or copying it, destroy any hard copies of it, and kindly notify the sender by e-mail. STIGroup reserves the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity. Thank you.


    -----Original Message-----
    From: issforum-admin@iss.net [mailto:issforum-admin@iss.net] On Behalf Of Terje Thøgersen
    Sent: Friday, January 10, 2003 8:20 AM
    To: ISSForum@iss.net
    Subject: [ISSForum] Reading an evd000.enc file

    Hi all,

    Some time ago, I purchased hosting-services from an external company. The servers were protected with BlackICE.

    We had a massive attack on the servers, and in connection with the trial of the perpetrators, we need to read the logs.

    Sadly, the hosting-company is now bankrupt, and the personnel spread all over. There's no help available from them.

    We have some files of type evd000.enc, that we need to look into. Ideally, we'd like the file dumped to text or .csv.

    I bought BlackICE for PCs, expecting this to work, but this program seems to have a different log format.

    Do you have any suggestions?

      -Terje

    ______________________________________
    Terje Thøgersen
    IS Direktør/CIO, Netaxept AS
    Mob: (+47) 908 25 456
    Tel: (+47) 815 00 545
    Fax: (+47) 22 83 03 30
    Adr: Tjuvholmen 1, 0250 Oslo, Norway

    _______________________________________________
    ISSForum mailing list
    ISSForum@iss.net

    TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
