
RE: WFA and network forensics

From: Reava, Jeffrey [IT/0200] <jeffrey.reava(at)pharmacia.com>
Date: Tue Jul 29 2003 - 14:49:35 EDT

Have you looked at the Open Directory Project, http://www.dmoz.org?

If you type in the domain name, it comes back with one or more open directory categories. Some may be useful, others less so. It probably wouldn't take much to screen scrape the output into something useful.

Jeff

-----Original Message-----
From: JJ [mailto:jjhorner@SAFe-mail.net]
Sent: Tuesday, July 29, 2003 12:23 PM
To: forensics@securityfocus.com
Subject: WFA and network forensics

I'm not sure if this is the right place for this, but I'm giving it a shot anyway.

I've got web traffic logs for our users. In a WFA case, I need to be able to pull an individual employee's activity out of our logs and categorize the sites visited by said soon-to-be-ex-employee by site type. For instance:

safe-mail.net  = Web-based email
google.com     = Search site
foxnews.com    = News
weather.com    = Weather
whitehouse.com = Adult entertainment

I know a lot of the filtering suites out there do this kind of categorization, but I just need a good, often-updated category list by domain name so that I can grab the connection request heading to an IP and do a rough categorization based on what that IP resolves to.


I also want to roll this category list into our post-WFA forensic analysis procedures so I can give a categorized report along with the actual system and evidence images.

Any ideas?

I figure this roughly fits into the kind of work some of us do, a.k.a. finding out what people do when they use our computers in ways that aren't intended.

Thanks,
JJ

J. J. Horner
CISSP,CCNA,CHSS,CHP

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This communication is intended solely for the use of the addressee and may contain information that is legally privileged, confidential or exempt from disclosure. If you are not the intended recipient, please note that any dissemination, distribution, or copying of this communication is strictly prohibited. Anyone who receives this message in error should notify the sender immediately and delete it from his or her computer.
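The lookup JJ describes, written out as an added example (this is not code from either poster): requests for one user are pulled out of a proxy log, each destination is reduced to a hostname, IP literals go through a reverse lookup, and the hostname is matched against a domain-to-category list using the longest matching suffix so that www.google.com and news.google.com both land on the google.com entry. The log format (epoch, user, method, target, status), the five-entry category list, the RESOLVED table standing in for PTR lookups, and the user name "jdoe" are all constructed for the example.

```python
"""Rough per-user categorization of proxy log traffic by destination domain."""
import ipaddress
from collections import Counter
from urllib.parse import urlsplit

# Constructed category list (domain -> category). Assumption: you maintain or
# periodically pull such a list; these five entries just mirror the post.
CATEGORY_LIST = {
    "safe-mail.net": "Web-based email",
    "google.com": "Search site",
    "foxnews.com": "News",
    "weather.com": "Weather",
    "whitehouse.com": "Adult entertainment",
}

# Constructed stand-in for reverse (PTR) lookups so the example runs offline.
# In a real run you would call socket.gethostbyaddr() and record the answer
# with a timestamp, since PTR data is set by the IP's owner and changes.
RESOLVED = {
    "192.0.2.10": "mail.safe-mail.net",
    "192.0.2.20": "www.google.com",
}

# Constructed proxy log lines: epoch user method target status.
LOG_LINES = """\
1059495780 jdoe GET http://www.foxnews.com/story.html 200
1059495790 jdoe CONNECT 192.0.2.10:443 200
1059495800 jdoe GET http://news.google.com/news?q=x 200
1059495810 asmith GET http://www.weather.com/ 200
1059495820 jdoe GET http://www.example.org/ 200
1059495830 jdoe GET http://198.51.100.7/ 200
""".splitlines()


def lookup_category(hostname):
    """Longest-suffix match: www.google.com and news.google.com both fall
    under the google.com entry. Bare TLDs never match; None if no entry."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_LIST:
            return CATEGORY_LIST[candidate]
    return None


def resolve_host(target):
    """Accept 'host', 'host:port' or an IP literal (with or without port).
    Hostnames pass through; IP literals go through RESOLVED and come back
    as None when unresolvable, rather than being guessed."""
    host = urlsplit("//" + target).hostname
    if host is None:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host          # already a hostname
    return RESOLVED.get(host)


def parse_line(line):
    """Turn one constructed log line into a record with host and category."""
    ts, user, method, target, status = line.split()
    if method.upper() == "CONNECT":
        host = resolve_host(target)              # CONNECT host:port
    else:
        host = resolve_host(urlsplit(target).hostname or target)
    return {
        "ts": int(ts),
        "user": user,
        "target": target,
        "host": host,
        "category": lookup_category(host) if host else None,
    }


def categorize_user(lines, user):
    """Pull one user's requests out of the log and tally them by category.
    Returns (Counter of category -> hits, list of per-request records).
    Unknown domains and unresolvable IPs both land in 'Uncategorized'."""
    records = [parse_line(l) for l in lines if l.split() and l.split()[1] == user]
    counts = Counter(r["category"] or "Uncategorized" for r in records)
    return counts, records


if __name__ == "__main__":
    counts, records = categorize_user(LOG_LINES, "jdoe")
    for r in records:
        print(r["ts"], r["host"] or r["target"], "->", r["category"] or "Uncategorized")
    print(dict(counts))
```

Two points for the report itself: a category says where a connection went, not what the person did there, so keep the per-request records next to the tally rather than handing over only the counts; and record which version of the category list and which reverse-lookup answers produced each label, since both change over time and a reviewer re-running the lookup later may get different results. The example deliberately leaves an IP it cannot resolve as Uncategorized instead of guessing.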



Received on Wed Jul 30 20:12:55 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

