Re: Ability for SIM to perform tcp stream reassembly

From: Bamm Visscher (bamm.visscher_at_gmail.com)
Date: 09/27/05


Date: Tue, 27 Sep 2005 14:54:53 -0600
To: "Thyrymn@gmail.com" <Thyrymn@gmail.com>

Have you looked at what we do with sguil[0]? It provides quick access
to snort alerts, pcap, and flow data (via sancp).

Bammkkkk

[0] http://www.sguil.net

On 24 Sep 2005 02:19:35 -0000, Thyrymn@gmail.com <Thyrymn@gmail.com> wrote:
> Hello.
>
> I am currently evaluating some SIM products, however, I am having difficulty getting the vendors to understand what I mean by tcp stream reassembly.
>
> One of the things I want the SIM to do is to be able to take raw packet data -- i.e., what is in tcpdump -r file -s0 -- search it for a text string, and turn it into a file.
>
> Right now, what I have to do is take a known time that an event happened, unzip it, tcpdump -r file -w file2 <some filters here>, tcpflow -r file2, and grep <string> * to find what legal has requested.
>
> Anyone know which ones have this capability built in or can add it on?
>
> Thanks,
> Thy
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
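To show what the reply and the original request mean by stream reassembly (putting a flow's TCP payload back in sequence order, as tcpflow does, before searching it), here is an added example that is not part of this thread or of sguil: a minimal Python reassembler run over constructed frames. make_frame, SAMPLE, the addresses and the payloads are invented sample data, and the parser assumes plain Ethernet/IPv4/TCP with no VLAN tags.

```python
import struct

def parse_frame(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # Ethernet/IPv4/TCP only
        return None
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return (src, sport, dst, dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(frames):
    """Stitch each direction of each flow into one byte string, like tcpflow's per-flow files."""
    segs = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed and parsed[2]:                          # skip non-TCP and pure-ACK segments
            segs.setdefault(parsed[0], []).append((parsed[1], parsed[2]))
    streams = {}
    for key, parts in segs.items():
        parts.sort()                                      # sequence order, not capture order
        base, buf = parts[0][0], bytearray()
        for seq, data in parts:
            off = seq - base
            if off < len(buf):                            # retransmission/overlap: keep new bytes only
                data, off = data[len(buf) - off:], len(buf)
            if off > len(buf):                            # hole (segment never captured): mark it
                buf.extend(b"?" * (off - len(buf)))
            buf.extend(data)
        streams[key] = bytes(buf)
    return streams

def grep_streams(frames, needle):   # the "grep <string> *" step, run over reassembled payload
    return sorted(key for key, data in reassemble(frames).items() if needle in data)

def make_frame(src, sport, dst, dport, seq, payload):
    """Constructed sample traffic only: Ethernet/IPv4/TCP with zeroed MACs and checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

SAMPLE = [  # constructed: one request captured out of order with a retransmission, plus another flow
    make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1014, b"TP/1.0\r\nHost: x\r\n\r\n"),
    make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1000, b"GET /secret HT"),
    make_frame("10.0.0.5", 40000, "10.0.0.9", 80, 1000, b"GET /secret HT"),
    make_frame("10.0.0.7", 40001, "10.0.0.9", 80, 5000, b"GET /index HTTP/1.0\r\n\r\n"),
]
```

grep_streams(SAMPLE, b"secret") returns only the flow that carries that string once its two segments are joined, and a hole in the capture is marked with "?" bytes rather than silently closed.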

