[Dailydave] halvar, record gigabit networking? IDS for forensics?

David J. Bianco david at vorant.com
Fri Nov 17 18:10:15 Local time 2006


Gadi Evron wrote:
> As in, locate an incident, look for that in the full capture... or alert
> on an incident, record X packets after it or communication to/from IP
> afterwards?
> 

Definitely the former.  Briefly, Sguil integrates IDS alerts (Snort),
network session data (SANCP, which is similar to netflow or Argus) and
full packet data into a single GUI tool.  Given an alert, it's simple to
find additional alerts, related network sessions or the actual packets.
You can also do ad hoc queries, so you can start from some other information,
like a suspect IP address or a weird network session and still locate
the other relevant data.  The intent is to provide the "what next?" that
you're often left with when using traditional IDS.

If you'd like to check it out, see www.sguil.net.  You could also
check out my intro presentation, or the one I did with Richard Bejtlich at
Schmoocon 2006:

http://www.vorant.com/files/nsm_with_sguil.pdf
http://www.shmoocon.org/2006/presentations/bejtlich_bianco_nsm-sguil_shmoocon06_13jan06.ppt
http://www.shmoocon.org/2006/videos/Bejtlich-Squil.mp4

	David

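The alert-to-session-to-packet pivot David describes is easy to model outside of Sguil. The block below is an added example, not Sguil's code or anything from the original thread: the Snort alert, the SANCP-style session records and the stored packets are all constructed in-memory test data with hypothetical addresses, standing in for the Sguil database and pcap store. It walks from an alert to the session that carried it, pulls the full-content packets for that session, and then runs the ad hoc "what else did this host do afterwards?" query, including a check for the server connecting back to the original client.

```python
"""Pivot from an IDS alert to related session records and full-content packets.

Added example of the alert -> session -> packet workflow described in the post.
All data below is constructed; addresses, ports and payloads are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:        # one Snort-style alert
    ts: datetime
    sig: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Session:      # SANCP/netflow-style record: one per bidirectional flow
    start: datetime
    end: datetime
    src: str
    sport: int
    dst: str
    dport: int
    src_bytes: int
    dst_bytes: int


@dataclass(frozen=True)
class Packet:       # index entry for a stored full-content packet
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def flow_key(rec):
    """Direction-agnostic 5-tuple key, so client->server and server->client match."""
    return frozenset({(rec.src, rec.sport), (rec.dst, rec.dport)})


def sessions_for_alert(alert, sessions):
    """Sessions on the alert's flow whose lifetime covers the alert timestamp."""
    return [s for s in sessions
            if flow_key(s) == flow_key(alert) and s.start <= alert.ts <= s.end]


def packets_for_session(session, packets):
    """Full-content packets on the session's flow within its start/end window."""
    return [p for p in packets
            if flow_key(p) == flow_key(session) and session.start <= p.ts <= session.end]


def sessions_for_host(ip, sessions, after=None):
    """Ad hoc query: every session involving ip, optionally only those starting after a time."""
    return [s for s in sessions
            if ip in (s.src, s.dst) and (after is None or s.start > after)]


def pivot(alert, sessions, packets):
    """The 'what next?' chain: triggering session, its packets, later activity, callbacks."""
    triggering = sessions_for_alert(alert, sessions)
    later = sessions_for_host(alert.dst, sessions, after=alert.ts)
    return {
        "triggering_sessions": triggering,
        "packets": [p for s in triggering for p in packets_for_session(s, packets)],
        "later_sessions": later,
        # the alerted-on server opening a connection back to the client is a strong
        # sign the attack worked (reverse shell, file pull), so flag it separately
        "callbacks": [s for s in later if s.src == alert.dst and s.dst == alert.src],
    }


# ---- constructed sample data (hypothetical hosts, one web attack and its aftermath) ----
T0 = datetime(2006, 11, 17, 18, 0, 0)
def t(sec): return T0 + timedelta(seconds=sec)

ALERTS = [Alert(t(10), "WEB-ATTACKS /etc/passwd access", "10.1.1.5", 40001, "192.0.2.10", 80)]

SESSIONS = [
    Session(t(9), t(11), "10.1.1.5", 40001, "192.0.2.10", 80, 420, 8100),     # flow that fired the alert
    Session(t(12), t(20), "10.1.1.5", 40002, "192.0.2.10", 80, 300, 12000),   # follow-on request, same hosts
    Session(t(30), t(300), "192.0.2.10", 4444, "10.1.1.5", 51000, 150, 2000), # server connects back to client
    Session(t(40), t(41), "10.1.1.9", 40100, "192.0.2.11", 443, 900, 1500),   # unrelated traffic
]

PACKETS = [
    Packet(t(10), "10.1.1.5", 40001, "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet(t(10.5), "192.0.2.10", 80, "10.1.1.5", 40001, b"HTTP/1.0 200 OK\r\n\r\nroot:x:0:0:"),
    Packet(t(35), "192.0.2.10", 4444, "10.1.1.5", 51000, b"uid=0(root) gid=0(root)\n"),
    Packet(t(40), "10.1.1.9", 40100, "192.0.2.11", 443, b"\x16\x03\x01"),
]

if __name__ == "__main__":
    report = pivot(ALERTS[0], SESSIONS, PACKETS)
    for k, v in report.items():
        print(k, *v, sep="\n  ")
```

The point of the example is the key: matching on a direction-agnostic 5-tuple plus a time window is what lets an alert, a session record and a packet be joined even though each was produced by a different sensor with its own idea of "source" and "destination".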
