We are doing this in Australia with SenSage. It is not technically a
SIM, more a long term data repository and search faciltiy.
It does however have some real-time capabilities in the newest version.
Anyway we record snaplen 0 tcpdump and store it in sensage and then
find strings very quickly and then even reconstruct sessions.
Regards
MK
On 24/09/2005, at 12:19 PM, Thyrymn@gmail.com wrote:
Hello.
I am currently evaluating some SIM products, however, I am having
difficulty getting the vendors to understand what I mean by tcp
stream reassembly.
One of the thinfgs I want the sim to do is the be able to take raw
packet data -- i.e., what is in tcpdump -r file -s0 -- search it
for a text string, and turn it into a file.
Right now, what I have to do it take the a known time that an event
happened, unzip it, tcpdump -r file -w file2 <some filters here>,
tcpflow -r file2, and grep <string> * to find what legal has
requested.
Anyone know of which ones having this capability built in or can
add it on?
Thanks,
Thy
----------------------------------------------------------------------
--
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-
ids_040708
to learn more.
----------------------------------------------------------------------
--
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
