Re: Ability for SIM to perform tcp stream reassembly
From: Merik Karman (merik merik.net)
Date: Mon Sep 26 2005 - 17:23:32 CDT
We are doing this in Australia with SenSage. It is not technically a
SIM, more a long term data repository and search facility.
It does however have some real-time capabilities in the newest version.
Anyway we record snaplen 0 tcpdump and store it in sensage and then
find strings very quickly and then even reconstruct sessions.
Regards
MK
On 24/09/2005, at 12:19 PM, Thyrymn gmail.com wrote:
> Hello.
>
> I am currently evaluating some SIM products, however, I am having
> difficulty getting the vendors to understand what I mean by tcp
> stream reassembly.
>
> One of the things I want the SIM to do is be able to take raw
> packet data -- i.e., what is in tcpdump -r file -s0 -- search it
> for a text string, and turn it into a file.
>
> Right now, what I have to do is take a known time that an event
> happened, unzip it, tcpdump -r file -w file2 <some filters here>,
> tcpflow -r file2, and grep <string> * to find what legal has
> requested.
>
> Anyone know which ones have this capability built in or can
> add it on?
>
> Thanks,
> Thy
>
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
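The tcpdump / tcpflow / grep pipeline described in the quoted message works because tcpflow reassembles each TCP stream before the search runs, which is exactly what a per-packet grep cannot do. As an added example (not code from either poster, and independent of tcpdump or SenSage), the stdlib-only Python below parses Ethernet/IPv4/TCP frames, reassembles each unidirectional flow by sequence number, and contrasts a per-packet search with a post-reassembly search; the frames and the string being searched for are constructed in the script.

```python
import struct
from collections import defaultdict

def build_frame(src, sport, dst, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, not a real capture)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # dummy MACs, EtherType IPv4

def parse_tcp(frame):
    """Return (flow key, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:  # not TCP
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (ip[12:16], sport, ip[16:20], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(frames):
    """Rebuild each unidirectional TCP stream by sequence number; tolerates reordering and exact duplicates."""
    segments = defaultdict(dict)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].setdefault(seq, payload)  # first copy of a retransmitted segment wins
    return {key: b"".join(segs[s] for s in sorted(segs)) for key, segs in segments.items()}

def grep_packets(frames, needle):
    """Per-packet search, like grepping raw capture output: misses strings split across segments."""
    return sum(1 for f in frames if (p := parse_tcp(f)) and needle in p[2])

def grep_streams(frames, needle):
    """Search after reassembly: finds the string even when it spans a segment boundary."""
    return sum(1 for data in reassemble(frames).values() if needle in data)

# Constructed sample: one flow whose interesting string is split across two segments,
# delivered out of order and with the second segment retransmitted once.
SRC, DST = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80])
P1, P2 = b"POST /upload HTTP/1.1\r\n\r\nrefer to sub", b"poena exhibit A\r\n"
FRAMES = [
    build_frame(SRC, 40000, DST, 80, 1000 + len(P1), P2),
    build_frame(SRC, 40000, DST, 80, 1000, P1),
    build_frame(SRC, 40000, DST, 80, 1000 + len(P1), P2),  # duplicate
]
```

Running `grep_packets(FRAMES, b"subpoena")` returns 0 while `grep_streams(FRAMES, b"subpoena")` returns 1, which is the gap the original poster wants a SIM to close.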