Re: [logs] Tcpdump log analysis

From: Anderson Johnston (andyat_private)
Date: Thu Feb 20 2003 - 14:34:46 PST


    It depends a lot on what you are looking for and how you are looking.  If
    you are interested in examining each packet - or many of them, at least -
    in detail, then Ethereal would be my pick.  I use it when I'm looking at
    crafted packets or when I'm peering into a particular, higher-level,
    packet format.  Ethereal is particularly nice for the latter since it
    recognizes a variety of application layer formatting (AIM, IRC, etc.) and
    will display the parsing at any and all layers you like.
    
    If you are interested in finding out who is banging on your door but not
    so much in the anatomy of each packet, Snort will let you sort, filter,
    tag and store both packets and packet reports.  It also has a great array
    of plug-ins to help you identify what's happening.
    
    If you are looking for something really specific in content, particularly
    text, Ngrep is a handy tool.  The output format is more compact than Snort
    and emphasizes the display of readable text (or hex, if you want it).  It
    takes regex expressions and BPF filters as arguments, in that order.
    Unlike Snort, you can do content matching from the command line.  The
    regex can be touchy, so double-check with test cases.
    
    Finally, if you have Cisco equipment and are interested in establishing
    common traffic patterns and looking for large anomalies, NetFlow provides
    tools for network management which can be used as a low-resolution (though
    still quite useful) NIDS.
    
    
    Hope this helps.
    
    					Good Luck!
    						- Andy Johnston
    
    On Thu, 20 Feb 2003, Fabien Pouget wrote:
    
    >
    >
    > Hi all,
    >
    > I collected many binary logs with tcpdump. I would like to study them
    > and to do so, I planned to export these files into a MySQL database.
    > What I am doing now is simply to collect a few data through Perl scripts
    > and analyze them. But no database...
    > Are there any tools to help me fulfil this task? Or any trick I
    > missed?
    >
    >
    > Any help would be very much appreciated
    >
    > Thanks a lot
    >
    >
    > Fabien
    >
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    >
    
    ------------------------------------------------------------------------------
    ** Andy Johnston (andyat_private)          *            pager: 410-678-8949  **
    ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
    ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
    ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
    ------------------------------------------------------------------------------
    
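The step Fabien asks about (getting tcpdump's binary logs into a database so they can be queried) as an added example that is not part of either message: a minimal reader for the libpcap file format tcpdump writes with -w, a loader that puts one row per packet into a table, and one query over it. SQLite stands in for MySQL because it ships with Python and the DB-API calls have the same shape; the capture is constructed in the block, and handling only Ethernet/IPv4 with TCP or UDP ports is an assumption of this example.

```python
import sqlite3, struct
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # libpcap magic -> byte order
def parse_pcap(data):
    """Return (ts, src, dst, proto, sport, dport, caplen) for each IPv4 TCP/UDP packet in a libpcap blob."""
    end = MAGICS.get(data[:4])
    if end is None:
        raise ValueError("not a microsecond-timestamp libpcap file")
    if struct.unpack(end + "I", data[20:24])[0] != 1:  # linktype 1 = DLT_EN10MB (Ethernet)
        raise ValueError("only Ethernet captures are handled here")
    off, records = 24, []
    while off + 16 <= len(data):  # each record: 16-byte header, then caplen bytes of frame
        ts_sec, ts_usec, caplen, _ = struct.unpack(end + "IIII", data[off:off + 16])
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":  # truncated frame or not IPv4: skip
            continue
        ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
        src, dst = (".".join(map(str, pkt[i:i + 4])) for i in (26, 30))
        ports = struct.unpack("!HH", pkt[14 + ihl:18 + ihl]) if proto in (6, 17) and len(pkt) >= 18 + ihl else (None, None)
        records.append((ts_sec + ts_usec / 1e6, src, dst, proto, *ports, caplen))
    return records

def load_db(records, path=":memory:"):
    con = sqlite3.connect(path)  # same DB-API shape as a MySQL connector
    con.execute("CREATE TABLE IF NOT EXISTS pkt (ts REAL, src TEXT, dst TEXT, proto INT, sport INT, dport INT, len INT)")
    con.executemany("INSERT INTO pkt VALUES (?, ?, ?, ?, ?, ?, ?)", records)
    con.commit()
    return con

def top_dports(con):  # destination ports by packet count, the kind of query the table is for
    return con.execute("SELECT dport, COUNT(*) FROM pkt WHERE dport IS NOT NULL GROUP BY dport ORDER BY 2 DESC, 1").fetchall()

def _frame(proto, src, dst, l4):  # constructed Ethernet+IPv4 frame; IP checksum left 0 (parser ignores it)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4

def _pcap(frames):  # constructed little-endian libpcap file: global header, then record header + frame
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1045780486 + i, 0, len(f), len(f)) + f
    return out

SAMPLE = _pcap([  # constructed capture: two packets to port 22, one DNS query, one IPv6 frame
    _frame(6, "10.0.0.5", "192.0.2.80", struct.pack("!HH", 40000, 22) + b"\x00" * 16),
    _frame(6, "10.0.0.6", "192.0.2.80", struct.pack("!HH", 40001, 22) + b"\x00" * 16),
    _frame(17, "10.0.0.5", "192.0.2.53", struct.pack("!HH", 53001, 53) + b"\x00" * 4),
    b"\x00" * 12 + b"\x86\xdd" + b"\x00" * 40,  # IPv6 ethertype: skipped by parse_pcap
])
```

To use it on a real file, pass `open("capture.pcap", "rb").read()` to parse_pcap; captures with VLAN tags or a non-Ethernet link type need a different link-layer offset than this reader assumes.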


