Network Security Focus-IDS

Re: parsing very large tcpdump files

Subject: Re: parsing very large tcpdump files
Date: Sat, 20 Nov 2004 16:53:47 -0800
1. Filter out traffic to/from a specific IP address or range
2. Reconstruct all reconstructable sessions in an easy to parse way: emails, 
web sites visited (and content uploaded/downloaded), voip, anything else 
imaginable.
3. Be able to search all of this data for keywords. 

Bro is well suited for doing this.  It has a number of relevant hooks -
tcpdump/pcap filtering (via the restrict_filters/capture_filters script
variables, or at the command line, or via the "discarder" interface when
the list is too big to do via a filter) for (1), demuxing of reassembled
streams into individual files (via the contents.bro script) and app-level
summaries for apps it knows about for (2), and app-level event handlers +
its signature engine (for apps it doesn't know about), for (3).

You can get it from bro-ids.org.  If you wind up using contents.bro, drop me
a line, as we recently fixed a bug that can cause problems when it generates
thousands of files (the current public release doesn't yet include this).

                Vern

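The three requirements quoted at the top of the thread, worked through as an added example that is not part of the original post and is not Bro or contents.bro: a pure-Python pcap reader that (1) keeps only packets to or from an address range, (2) rebuilds each TCP direction into a byte stream ordered by sequence number, tolerating out-of-order delivery and retransmissions, and (3) runs a case-insensitive keyword search over the reassembled streams. The capture it parses is constructed in memory from hypothetical addresses (10.0.0.5, 192.0.2.10, 198.51.100.x) rather than read from a real trace, and the reassembler deliberately ignores sequence-number wraparound and anything that is not IPv4/TCP over Ethernet, both of which a production reassembler has to handle.

```python
"""Filter, reassemble and search a pcap: added example, not Bro's code."""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def iter_frames(data):
    """Yield link-layer frames from an in-memory classic pcap (Ethernet only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == 0xD4C3B2A1:                  # file was written big-endian
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 == IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                             # protocol field: 6 == TCP
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    dst = str(ipaddress.IPv4Address(ip[16:20]))
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return src, dst, sport, dport, seq, tcp[data_off:]


def reassemble(pcap_bytes, network):
    """(1) drop packets not touching `network`, (2) rebuild each unidirectional
    TCP stream by sequence number. No 32-bit wraparound handling."""
    net = ipaddress.ip_network(network)
    segments = defaultdict(dict)               # flow -> {seq: payload}
    for frame in iter_frames(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, seq, payload = parsed
        if ipaddress.ip_address(src) not in net and ipaddress.ip_address(dst) not in net:
            continue
        if payload:                            # first copy wins on a retransmit
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    streams = {}
    for flow, by_seq in segments.items():
        out, expected = bytearray(), None
        for seq in sorted(by_seq):
            chunk = by_seq[seq]
            if expected is not None:
                if seq + len(chunk) <= expected:
                    continue                   # fully covered by data already emitted
                if seq < expected:
                    chunk = chunk[expected - seq:]   # trim partial overlap
            out += chunk
            expected = seq + len(by_seq[seq])
        streams[flow] = bytes(out)
    return streams


def search(streams, keywords):
    """(3) case-insensitive keyword search over the reassembled streams."""
    return [(flow, kw) for flow, content in streams.items()
            for kw in keywords if kw.lower() in content.lower()]


# --- constructed sample capture (hypothetical addresses, not a real trace) ----
def build_frame(src, dst, sport, dport, seq, payload):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for an offline parser)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


FLOW = ("10.0.0.5", 40000, "192.0.2.10", 80)    # hypothetical client -> server


def sample_pcap():
    """One HTTP request from 10.0.0.5 delivered out of order plus a retransmitted
    segment, and an unrelated flow that the address filter must drop."""
    a, b, c = b"GET /login HTTP/1.1\r\n", b"Host: example.com\r\n", b"\r\n"
    req = lambda seq, p: build_frame(FLOW[0], FLOW[2], FLOW[1], FLOW[3], seq, p)
    return build_pcap([req(1021, b), req(1000, a), req(1040, c), req(1021, b),
                       build_frame("198.51.100.1", "198.51.100.2", 5555, 80, 1, a)])


def demo(network="10.0.0.0/24", keywords=(b"login", b"password")):
    streams = reassemble(sample_pcap(), network)
    return streams, search(streams, keywords)


if __name__ == "__main__":
    for flow, content in demo()[0].items():
        print(flow, content)
    print(demo()[1])
```

On a multi-gigabyte capture the order of the steps is what matters: filtering by address happens before any per-flow state is allocated, so memory stays proportional to the flows you care about rather than to the whole file. If the address set is small enough to express as a BPF filter, the same step can be pushed into tcpdump itself (`tcpdump -r big.pcap -w subset.pcap net 10.0.0.0/24`) and the reassembler only ever sees the subset; Vern's "discarder" suggestion is the answer for when the list is too long for a filter expression.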