Re: IDS and forensics

From: ktimm (ktimm@var-log.com)
Date: Thu Jan 30 2003 - 15:29:19 PST

Actually you can get all the payload data with tcpdump by setting the
snaplen to max MTU size. You can also query much of that info from tcpdump
dump binary files. Another solution is to use snort and log everything.
There is an excellent snort configuration from the Honeynet project for
logging everything in binary format as well as breaking out sessions. It
works great for forensic use. Here is the link.
http://project.honeynet.org/papers/honeynet/tools/snort.conf

Kevin
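As an added example (not part of Kevin's post, and not the Honeynet snort.conf he links), the following Python shows concretely why the snaplen matters for a forensic capture and how the resulting tcpdump binary file can be queried offline. It builds a constructed Ethernet/IPv4/TCP frame carrying a sample HTTP request, writes it to a pcap file the way `tcpdump -s <snaplen> -w` would, once with the historical 68-byte default and once with 1514 bytes (a full Ethernet frame), then reads the dump back and pulls out the TCP payload. The addresses, ports and request text are constructed, and the IP/TCP checksums are left as zero since nothing here validates them.

```python
import struct
from typing import Dict, Iterator, List, Tuple

ETH_HDR = 14   # Ethernet II header length
IP_HDR = 20    # IPv4 header without options
TCP_HDR = 20   # TCP header without options
PCAP_MAGIC = 0xA1B2C3D4


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an Ethernet/IPv4/TCP frame. Checksums stay zero: this is constructed
    sample data, not traffic read from a wire."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, IP_HDR + TCP_HDR + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # data offset = 5 words, flags = PSH|ACK, window 65535, zero checksum/urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (TCP_HDR // 4) << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def write_pcap(frames: List[bytes], snaplen: int) -> bytes:
    """Serialize frames as a little-endian pcap file, truncating each record to
    snaplen exactly as tcpdump -s does; incl_len < orig_len records the loss."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1043970000 + i, 0, len(captured), len(frame))
        out += captured
    return bytes(out)


def read_pcap(data: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (ts_sec, incl_len, orig_len, frame) for each record in a pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield ts_sec, incl_len, orig_len, data[offset:offset + incl_len]
        offset += incl_len


def extract_tcp_payloads(pcap: bytes) -> List[Dict]:
    """Walk a pcap and return the TCP payload of each IPv4/TCP record, flagging
    records that were cut short by the capture snaplen."""
    results = []
    for ts_sec, incl_len, orig_len, frame in read_pcap(pcap):
        if len(frame) < ETH_HDR + IP_HDR or frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4 or too short
        ihl = (frame[ETH_HDR] & 0x0F) * 4
        if frame[ETH_HDR + 9] != 6:
            continue                                  # not TCP
        tcp_off = ETH_HDR + ihl
        if len(frame) < tcp_off + TCP_HDR:
            continue                                  # headers themselves truncated
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        results.append({
            "ts": ts_sec,
            "src": ".".join(str(b) for b in frame[ETH_HDR + 12:ETH_HDR + 16]),
            "dst": ".".join(str(b) for b in frame[ETH_HDR + 16:ETH_HDR + 20]),
            "sport": sport,
            "dport": dport,
            "truncated": incl_len < orig_len,
            "missing_bytes": orig_len - incl_len,
            "payload": frame[tcp_off + data_off:],
        })
    return results


# Constructed sample session: a single HTTP request from a client to a web server.
HTTP_REQUEST = (b"GET /cgi-bin/search?q=forensics HTTP/1.0\r\n"
                b"Host: www.example.com\r\n"
                b"User-Agent: constructed-sample/1.0\r\n\r\n")
FRAME = build_tcp_frame("10.0.0.5", "10.0.0.80", 40123, 80, HTTP_REQUEST)


def capture(snaplen: int) -> List[Dict]:
    """Simulate 'tcpdump -s snaplen -w file' followed by reading the file back."""
    return extract_tcp_payloads(write_pcap([FRAME], snaplen))


if __name__ == "__main__":
    for snaplen in (68, 1514):
        rec = capture(snaplen)[0]
        print(f"snaplen={snaplen}: {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"truncated={rec['truncated']} missing={rec['missing_bytes']} "
              f"payload={rec['payload'][:40]!r}")
```

With the 68-byte snaplen only the first 14 bytes of the request survive, which is exactly the situation Kevin describes avoiding: the headers are there, but the payload a forensic analyst needs is gone from the dump file for good. Capturing with the snaplen set to the link's full frame size keeps the whole request, and the same reader can then be pointed at a real tcpdump file to pull sessions out after the fact.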
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Thu Jan 30 2003 - 19:02:19 PST