Re: parsing very large tcpdump files

From: Vern Paxson (vern_at_icir.org)
Date: 11/21/04

  • Next message: Kevin Johnson: "BASE 1.0 Release"
    To: digitalevidence@excite.com
    Date: Sat, 20 Nov 2004 16:53:47 -0800
    
    

    > 1. Filter out traffic to/from a specific IP address or range
    > 2. Reconstruct all reconstructable sessions in an easy to parse way: emails, web sites visited (and content uploaded/downloaded), voip, anything else imaginable.
    > 3. Be able to search all of this data for keywords.

    Bro is well suited for doing this. It has a number of relevant hooks -
    tcpdump/pcap filtering (via the restrict_filters/capture_filters script
    variables, or at the command line, or via the "discarder" interface when
    the list is too big to do via a filter) for (1), demuxing of reassembled
    streams into individual files (via the contents.bro script) and app-level
    summaries for apps it knows about for (2), and app-level event handlers +
    its signature engine (for apps it doesn't know about), for (3).

    You can get it from bro-ids.org. If you wind up using contents.bro, drop me
    a line, as we recently fixed a bug that can cause problems when it generates
    thousands of files (the current public release doesn't yet include this).

                    Vern
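The three steps Vern maps onto Bro's hooks (filter by address range, demux reassembled TCP streams into per-flow buffers, search them for a keyword) can be seen end to end in the following added example. It is not Bro's code and does not use restrict_filters, capture_filters or contents.bro; it is a hand-rolled, hypothetical pcap/Ethernet/IPv4/TCP parser written for this page, and the capture it runs on is constructed inline (an HTTP exchange inside 10.1.1.0/24 with an out-of-order and a retransmitted segment, plus one SMTP segment outside the range) so that it runs offline. Checksums are not computed or checked, IP options and non-Ethernet link types are not handled, and a lost segment is not recovered, which is the kind of corner a real reassembler has to deal with.

```python
"""Filter a pcap by IP range, demux TCP payloads per flow, search them for a keyword.

Hypothetical helper code written for this example, not Bro's own hooks.
"""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution pcap written in native byte order


def build_tcp_frame(src, dst, sport, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame carrying payload (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dummy MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a pcap file: 24-byte global header + 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_100_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield each captured frame from a classic pcap byte string (Ethernet only)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "IIII", pcap, off)[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return src, sport, dst, dport, seq, frame[tcp_off + data_off:14 + total_len]


def demux_streams(pcap, ip_range):
    """Steps 1 + 2: keep flows touching ip_range, reassemble each direction by seq number."""
    net = ipaddress.ip_network(ip_range)
    segments = defaultdict(list)
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, seq, payload = parsed
        if ipaddress.ip_address(src) not in net and ipaddress.ip_address(dst) not in net:
            continue                                       # the address filter
        if payload:
            segments[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for flow, segs in segments.items():
        segs.sort()                                        # reorder out-of-order arrivals
        buf, expected = bytearray(), None
        for seq, payload in segs:
            if expected is not None and seq < expected:    # retransmit/overlap: drop seen bytes
                payload, seq = payload[expected - seq:], expected
            # A gap (seq > expected, a lost segment) is not recovered: bytes are simply
            # concatenated across the hole, which a full reassembler would flag instead.
            buf += payload
            expected = seq + len(payload)
        streams[flow] = bytes(buf)
    return streams


def search_streams(streams, keyword):
    """Step 3: flows whose reassembled payload contains keyword (bytes)."""
    return sorted(flow for flow, data in streams.items() if keyword in data)


# Constructed sample capture (not real traffic): request segments arrive out of order
# and the first one is retransmitted; the SMTP segment lies outside the filtered range.
REQ1 = b"GET /index.html HTTP/1.0\r\n"
REQ2 = b"Host: example.test\r\n\r\n"
RESP = b"HTTP/1.0 200 OK\r\n\r\npassword=hunter2\n"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.1.1.5", "203.0.113.7", 40000, 80, 1000 + len(REQ1), REQ2),
    build_tcp_frame("10.1.1.5", "203.0.113.7", 40000, 80, 1000, REQ1),
    build_tcp_frame("10.1.1.5", "203.0.113.7", 40000, 80, 1000, REQ1),  # retransmission
    build_tcp_frame("203.0.113.7", "10.1.1.5", 80, 40000, 5000, RESP),
    build_tcp_frame("192.168.9.9", "198.51.100.2", 1234, 25, 7, b"EHLO mail\r\n"),
])

if __name__ == "__main__":
    flows = demux_streams(SAMPLE_PCAP, "10.1.1.0/24")
    for flow, data in flows.items():
        print(flow, data)
    print("keyword hits:", search_streams(flows, b"password"))
```

Each direction of a connection becomes its own buffer keyed by the 4-tuple, which is the same per-stream split contents.bro writes out as files; for a capture with thousands of flows the dictionaries here would have to be replaced with files on disk, the situation Vern's bug note refers to.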


