Re: [fw-wiz] Taking a traffic snapshot with network IDS
- From: "Marcus J. Ranum" <mjr@xxxxxxxxx>
- Date: Mon, 21 Jun 2010 09:38:38 -0400
Yack, Daniel wrote:
> I realize this is a pretty simple problem – but getting back to basics is always a good thing. I do have some linux experience, but am not a ‘power user’. Any ideas on tools or what to use for this? An IDS/IPS is probably the answer here, right?
I think you might want to look at things like argus, urlsniff, and
wireshark for your data-gathering, if data is what you're
after. What an IDS does is give you its notion of what it saw,
based on its rules (i.e.: the preconceptions of whoever wrote the
IDS' rule-base). If you're trying to do discovery, you want the
undigested raw data, or something closer to it.
That said, an IDS can be turned into one heck of a nice data-gathering
device if it's programmed to collect and report on events rather than
to look specifically for intrusions. I.e.: a DNS logging signature
set, URL logging signatures, DHCP logging, connectivity tracking,
usage statistics, etc. There might be some snort signature-sets out
there for logging and collection and those would be a good place to
start.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
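As an added illustration of the "logging signature set" idea Marcus describes (this is not from the original message or from any published rule-set), here is a small Snort 2-style local rule file that uses the `log` action so that matches are recorded rather than raised as alerts; it assumes `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` are defined in snort.conf and that an output plugin such as `log_tcpdump` is configured to receive the logged packets.

```snort
# Added example: rules that collect rather than alert.
# Assumes $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS are set in snort.conf and
# an output plugin (e.g. "output log_tcpdump: collect.log") is configured.

# DNS logging: every query from the monitored network toward port 53.
log udp $HOME_NET any -> any 53 (msg:"COLLECT DNS query"; sid:1000001; rev:1;)

# URL logging: client HTTP requests; the requested URI is in the logged packet.
log tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"COLLECT HTTP request"; flow:to_server,established; content:"/"; http_uri; sid:1000002; rev:1;)

# DHCP logging: client-to-server traffic (which host asked for which lease).
log udp any 68 -> any 67 (msg:"COLLECT DHCP client"; sid:1000003; rev:1;)

# Connectivity tracking: new outbound TCP connections (initial SYN only).
log tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COLLECT outbound TCP connect"; flags:S; sid:1000004; rev:1;)
```

Because every rule uses `log` instead of `alert`, the sensor produces a stream of raw packets that match each category, which is the "undigested" data the reply recommends for discovery work.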