From: Will Metcalf <william.metcalf () gmail com>
Date: Tue, 14 Sep 2010 15:48:00 -0500
Whatever you do, I would make sure that you have the following
complementary technologies, as IDS alerts alone generally don't mean
squat without context surrounding them.
1. Huge rotating full-content packet capture (disk space is cheap
these days), from which you can extract info based on IDS events or
via custom BPFs.
2. Flow logging that you will retain for much, much longer than your
3. Centralized logging of OS, application, FW logs etc. that can be
queried ad hoc. I was broke and couldn't even afford Splunk, so I enabled the
OSSEC logall option and wrote a web front end to zgrep that allowed
for stacked queries.
4. Tools to make quick work of the extracted pcap and flow data.
Plenty have been mentioned recently on the list.
If you decide to go the open source route for one or all of these
things, here is some info that might be helpful that I cut from a
presentation I did a few months ago.
Full content packet capture:
PF_RING (Make the rest of the apps below go faster)
My Quick look at Zero-Copy BPF for Suricata in FreeBSD 8.
OpenFPC (looks pretty slick! Haven't played with it yet)
tcpdump (supports setting the pcap buffer size via -B and, since
libpcap 1.0, uses an option similar to Phil Wood's mmap patch if the
kernel supports it). (There are others, but this is the best IMHO.
Good for on-demand stats.)
Tools to use for analysis of full content packet captures:
My dumb little pcap parser (simply applies a user-provided BPF to
multiple rotating pcaps. Uses argus for indexing.)
ChaosReader (amazing... Perl, 6 years old, still handy)
ngrep (simple string and regex matching for packets)
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
Main Web Site: http://pauldotcom.com
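As an added example (not Will's pcap parser or any code from this thread): a minimal Python version of the item-1 workflow above, pulling the packets behind one IDS alert out of a set of rotating pcaps. It reads classic pcap with the standard library only, matches on the alert's 5-tuple in either direction within a time window instead of compiling a BPF, and the capture file names, packets and alert are constructed sample data.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4   # classic little-endian, microsecond-resolution pcap
ETH = 14                  # Ethernet header length (assumes LINKTYPE_ETHERNET)

def iter_packets(data):
    """Yield (timestamp, frame) for each record in the bytes of one pcap file."""
    assert struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC, "expected LE pcap"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        yield sec + usec / 1e6, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def five_tuple(frame):
    """(proto, src, sport, dst, dport) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < ETH + 20 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[ETH] & 0x0F) * 4, frame[ETH + 9]
    if proto not in (6, 17) or len(frame) < ETH + ihl + 4:
        return None
    src, dst = (".".join(map(str, frame[i:i + 4])) for i in (ETH + 12, ETH + 16))
    sport, dport = struct.unpack_from("!HH", frame, ETH + ihl)
    return proto, src, sport, dst, dport

def extract_alert_packets(pcaps, alert, window=60.0):
    """Packets on the alert's 5-tuple, either direction, within +/- window seconds of alert["ts"]."""
    fwd = (alert["proto"], alert["src"], alert["sport"], alert["dst"], alert["dport"])
    rev = (alert["proto"], alert["dst"], alert["dport"], alert["src"], alert["sport"])
    hits = [(name, ts, frame) for name, data in pcaps.items()
            for ts, frame in iter_packets(data)
            if abs(ts - alert["ts"]) <= window and five_tuple(frame) in (fwd, rev)]
    return sorted(hits, key=lambda h: h[1])       # oldest first, across all files

def make_pcap(records):
    """Constructed pcap from [(ts_sec, src, dst, sport, dport), ...]: Ethernet + minimal IPv4/TCP."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, sport, dport in records:
        ip = bytes([0x45, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0])
        ip += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport)
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

ROTATED = {  # constructed rotating captures; the alerted flow straddles the rotation
    "cap-001.pcap": make_pcap([(1000, "10.0.0.5", "192.0.2.9", 51000, 80),
                               (1020, "10.0.0.7", "192.0.2.9", 51001, 80)]),
    "cap-002.pcap": make_pcap([(1040, "192.0.2.9", "10.0.0.5", 80, 51000),
                               (1200, "10.0.0.5", "192.0.2.9", 51000, 80)]),
}
ALERT = {"ts": 1030.0, "proto": 6, "src": "10.0.0.5", "sport": 51000, "dst": "192.0.2.9", "dport": 80}
```

On a real sensor the dict would be built by globbing the capture directory and the hits written back out with the same record format, which is what turns an alert into a reviewable pcap.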