Re: IDS and forensics
From: Simson L. Garfinkel <simsong(at)lcs.mit.edu>
Date: Mon Jan 27 2003 - 16:31:54 EST
As a disclaimer, I should say that I'm on the board of Sandstorm Enterprises. With that said... If you are interested in doing network forensics, you should really take a look at Sandstorm's NetIntercept --- especially if you like Ethereal.

Like Ethereal, NetIntercept runs a version of pcap to capture packets onto a computer's disk, and then has some reasonable tools for automatically starting new files and purging out old ones. But unlike Ethereal, NI allows you to select a region of time and reassemble all of the TCP/IP streams and UDP sessions within that region. The assembled streams are then run through parsers (written in C) and the results are stored in a database (MySQL). The GUI then allows you to view the results of the parsers, do database selections, view individual streams, view individual packets, and more.

For somebody working with a tight budget, Ethereal has the advantage that it is free. NI is a commercial product, sold with bundled hardware. But for professionals who are doing forensics, NI has a lot to offer. Other products in this space of Network Forensics are Silent Runner, NFR and Niksun.

The folks at Sandstorm wrote a technical, peer-reviewed article on Network Forensic Analysis Tools and recently had it published in IEEE Internet Computing.
You can download the article from
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Jan 27 16:56:18 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT
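The core step the post describes (pick a region of time in a pcap capture, then reassemble the TCP streams inside it so that parsers can work on whole sessions rather than packets), as an added Python example that is not part of the original post and is not NetIntercept's or Ethereal's code. The libpcap capture is constructed inline from a helper frame builder assumed for sample input only; only Ethernet/IPv4/TCP is decoded, and sequence wraparound and overlapping segments are left out.

```python
import struct
from collections import defaultdict
def parse_pcap(data):
    """Yield (timestamp, frame) for each record of a libpcap file held in memory."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        yield ts_sec + ts_usec / 1e6, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    """Decode an Ethernet/IPv4/TCP frame to (src, sport, dst, dport, seq, payload), else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + (frame[14] & 0x0F) * 4]
    tcp = frame[14 + len(ip):14 + struct.unpack(">H", ip[2:4])[0]]  # IP total length drops padding
    sport, dport, seq = struct.unpack(">HHI", tcp[:8])
    addr = lambda b: ".".join(str(x) for x in b)
    return addr(ip[12:16]), sport, addr(ip[16:20]), dport, seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(data, t_start, t_end):
    """Rebuild each one-way TCP stream from segments timestamped within [t_start, t_end]."""
    segs = defaultdict(dict)  # (src, sport, dst, dport) -> {seq: payload}
    for ts, frame in parse_pcap(data):
        seg = tcp_segment(frame) if t_start <= ts <= t_end else None
        if seg and seg[5]:
            src, sport, dst, dport, seq, payload = seg
            segs[(src, sport, dst, dport)].setdefault(seq, payload)  # first copy wins on retransmit
    # Order by sequence number; 32-bit wraparound and overlapping segments are not handled.
    return {flow: b"".join(c[s] for s in sorted(c)) for flow, c in segs.items()}

def make_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame used only as sample input (checksums left zero)."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed capture: one request split across out-of-order segments, plus a later segment outside the window.
RECORDS = [
    (1043700000, make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1000, b"GET / HT")),
    (1043700001, make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1016, b"Host: x\r\n\r\n")),
    (1043700002, make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1008, b"TP/1.0\r\n")),
    (1043700100, make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1027, b"late data")),
]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in RECORDS)
```

Calling `reassemble(SAMPLE_PCAP, 1043700000, 1043700010)` returns the request bytes in order for the one flow and leaves out the segment that arrived outside the window, which is the view a protocol parser would then be handed.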