Re: WFA and network forensics

From: kris carlier (krisat_private)
Date: Tue Jul 29 2003 - 11:38:11 PDT


    Hi JJ,
    
    >
    > I'm not sure if this is the right place for this, but I'm giving it a shot anyway.
    >
    > I've got web traffic logs for our users.  In a WFA case, I need to be able to pull an individual employee's activity out of our logs and categorize the sites visited by said soon-to-be-ex-employee by site type.  For instance:
    >
    > safe-mail.net  = Web-based email
    > google.com     = Search site
    > foxnews.com    = News
    > weather.com    = Weather
    > whitehouse.com = Adult entertainment
    >
    > I know a lot of the filtering suites out there do this kind of categorization, but I just need a good, often-updated category list by domain name so that I can grab the connection request heading to an IP and do a rough categorization based on what that IP resolves to.
    >
    > I also want to roll this category list into our post-WFA forensic analysis procedures so I can give a categorized report along with the actual system and evidence images.
    >
    > Any ideas?
    >
    > I figure this roughly fits into the kind of work some of us do, a.k.a.
    > finding out what people do when they use our computers in ways that
    > aren't intended.
    
    
    I'm glad at least your question got through the moderator's scrutiny;
    perhaps mine won't.
    Not sure whether this is something you want to cope with, since you risk
    getting loads of false negatives. E.g., go anywhere these days where you
    can download free pr0n: if you've got an account with plenty of free
    webspace available, you may get yourself a free subscription just by
    making your webspace available. Good for you and me, but for
    categorization this may mean you're getting 1 line for e.g.
    www.sexparty.tv (perhaps the user was tricked into this?) followed by a
    series of users.skynet.be/~somebody/1.mpg etc. files.
    It of course all depends upon the number of lines you're analysing, but
    even on relatively small sites (like the one I've been doing till the end
    of last year) you may have several million objects per day (lines). If
    you can correctly categorize a small amount of it, perfect...
    
    Suggestion: google for "Fabrice Prigent squidguard" and you'll find some
    hints
    
    kr=
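
The categorization JJ describes, worked through as an added example (it is not code posted by JJ or kris, nor part of squidGuard): pull one user's lines out of a proxy log, reduce each URL to its host, match the host against squidGuard-style domain lists (an entry such as google.com covers www.google.com as well), and total requests and bytes per category. It assumes the Squid native access.log layout (timestamp, elapsed, client, action/code, size, method, URL, ident, hierarchy/peer, type) with the authenticated user in the ident column; the log lines and category lists are constructed, and RESOLVED is a hypothetical IP-to-hostname map standing in for the reverse lookup JJ mentions, so the script runs offline. Following kris's caveat, hosts that match no list are not dropped but counted separately and listed for manual review, so a run of users.skynet.be downloads after a single categorized hit is visible in the report rather than silently lost.

```python
"""Categorize one user's proxy traffic against squidGuard-style domain lists."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Squid native access.log format:
# timestamp elapsed client action/code size method URL ident hierarchy/peer type
# The ident column is the authenticated user ("-" when unknown).
SAMPLE_LOG = """\
1059504000.101    120 10.0.0.5 TCP_MISS/200 5123 GET http://www.google.com/search?q=weather jdoe DIRECT/216.239.39.99 text/html
1059504001.215     80 10.0.0.5 TCP_HIT/200 14208 GET http://www.weather.com/weather/local/ jdoe NONE/- text/html
1059504002.330    210 10.0.0.5 TCP_MISS/200 33012 GET http://www.sexparty.tv/index.html jdoe DIRECT/10.1.2.3 text/html
1059504003.442   1200 10.0.0.5 TCP_MISS/200 4200000 GET http://users.skynet.be/~somebody/1.mpg jdoe DIRECT/10.1.2.4 video/mpeg
1059504004.550    900 10.0.0.5 TCP_MISS/200 3900000 GET http://users.skynet.be/~somebody/2.mpg jdoe DIRECT/10.1.2.4 video/mpeg
1059504005.660    100 10.0.0.9 TCP_MISS/200 2048 GET http://www.foxnews.com/ asmith DIRECT/10.1.2.5 text/html
1059504006.770    100 10.0.0.5 TCP_MISS/200 2048 GET http://10.1.2.6/inbox jdoe DIRECT/10.1.2.6 text/html
1059504007.880   3000 10.0.0.5 TCP_MISS/200 6144 CONNECT mail.safe-mail.net:443 jdoe DIRECT/10.1.2.6 -
"""

# Constructed category lists in squidGuard "domains" file style:
# one domain per entry; an entry matches that domain and every subdomain.
CATEGORIES = {
    "webmail": {"safe-mail.net"},
    "search": {"google.com"},
    "news": {"foxnews.com"},
    "weather": {"weather.com"},
    "adult": {"whitehouse.com", "sexparty.tv"},
}

# Hypothetical reverse-lookup results for URLs that carry a raw IP.
# In practice this would come from DNS or a resolver cache captured at the time.
RESOLVED = {"10.1.2.6": "mail.safe-mail.net"}


def parse_line(line):
    """Split one Squid native log line into the fields the report needs."""
    fields = line.split()
    if len(fields) < 8:
        return None  # truncated or foreign line; skip it rather than guess
    return {
        "ts": float(fields[0]),
        "client": fields[2],
        "status": fields[3],
        "size": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "user": fields[7],
    }


def host_of(url, resolved=RESOLVED):
    """Reduce a logged URL (or CONNECT host:port) to a lower-case host name."""
    host = urlsplit(url).hostname or ""
    if not host and ":" in url:          # CONNECT lines are logged as host:port
        host = url.split(":", 1)[0]
    host = host.lower().rstrip(".")
    return resolved.get(host, host)      # swap a raw IP for its resolved name


def categorize(host, categories=CATEGORIES):
    """Match the host, then each parent domain, against the category lists."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in categories.items():
            if candidate in domains:
                return category
    return "uncategorized"


def report(log_text, user, categories=CATEGORIES, resolved=RESOLVED):
    """Per-category request and byte counts for one user, plus unmatched hosts."""
    requests, size = Counter(), Counter()
    unknown_hosts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != user:
            continue
        host = host_of(rec["url"], resolved)
        category = categorize(host, categories)
        requests[category] += 1
        size[category] += rec["size"]
        if category == "uncategorized":
            unknown_hosts[host] += 1   # keep these for manual review
    return {"requests": dict(requests), "bytes": dict(size),
            "unknown_hosts": dict(unknown_hosts)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG, "jdoe")
    for category, n in sorted(result["requests"].items()):
        print(f"{category:14s} {n:4d} requests {result['bytes'][category]:10d} bytes")
    print("review:", result["unknown_hosts"])
```

On a real log the uncategorized bucket is where the effort goes: sort its hosts by request count or bytes and the hosting sites that follow a single categorized hit stand out, which is exactly the pattern kris warns a pure domain-list match will miss.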
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 30 2003 - 17:11:50 PDT