Hosting Provided By

Re: IDS and forensics

From: ktimm <ktimm(at)var-log.com>
Date: Thu Jan 30 2003 - 18:29:19 EST

Actually you can get all the payload data with tcpdump by setting the snaplen to max mtu size. You can also query much of that info from tcpdump dump binary files. Another solution is to use snort and log everything. There is an excellent snort configuration from the Honeynet project for logging everything in binary format as well as breaking out sessions. It works great for forensic use. Here is the link. http://project.honeynet.org/papers/honeynet/tools/snort.conf

Kevin

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Thu Jan 30 22:02:35 2003

This message: [ Message body ]
Next message: Dragos Ruiu: "Re: IDS and forensics"
Previous message: Christopher Howell: "Re: Identifying Win2K/XP Encrypted Files"
In reply to: William Sykes: "RE: IDS and forensics"
Next in thread: Dragos Ruiu: "Re: IDS and forensics"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:43 EDT