Curious what others are using for full packet capturing and what you think best practices/methods are. I'm currently using daemonlogger and bash scripts to pull the relevant packets. I've used Shadow (long ago) and IDABench in the past. Did a test run of OpenFPC but didn't have much success with it on my Fedora boxes. Anyone using any commercial products?
JeffSoh 31 Posts | Jul 30th 2013
Using snort or tcpdump with the -C switch will work. Or look at "Moloch" (github.com/aol/… ) for a more complete solution.
Johannes 4477 Posts ISC Handler | Jul 31st 2013
I am also using daemonlogger to implement a circular buffer of full packet captures. I have a custom application which watches snort and other logs for "important" events. When one happens, it goes to the pcap files, extracts the event as a flow and notifies the security team for analysis. This is all automated; there is no way we can watch this all manually (about 2GB per minute of pcaps).
Skip Carter 4 Posts | Aug 2nd 2013
That custom script sounds quite nice. I think I need to implement that as well.
Johannes 4477 Posts ISC Handler | Aug 2nd 2013
We mirror ports on a switch and simply run wireshark in whatever OS we need to use. It is brute force but very effective. We test wireless and wired connections very frequently with it. I am sure it would capture pretty much anything else we attached our system to. We even recently (last week) used this same system to capture packets from cellular modems. Not sure if this is what you are looking for or not.
Big "E" 9 Posts | Oct 11th 2013
We're using Moloch now. Best solution we've come across so far. (Thanks for the tip, Dr. Ullrich). My boss came across it too and he built the Elasticsearch back end and we replaced daemonlogger with it, box by box. Ran into a snag with v. 0.9.1 where the capture process would stop writing out to the pcap; v. 0.9.2 seems to have fixed this. It's very fast, has good search capabilities, reconstructs files and images natively and has dozens of meta-indexed fields to search on. With a good IDS, Splunk with lots of log files feeding into it, and taps doing full packet capturing feeding Moloch, you've got a pretty rocking NSM, assuming you give Moloch and Splunk the horsepower they need to index all that data.
JeffSoh 31 Posts | Nov 26th 2013
Sounds like you wrote a Regex script to pull pcaps on signature events from Snort. Just make sure you always pull pcaps from around that event. Don't assume that you are seeing the full attack/event from one pcap. |
Anonymous | Feb 28th 2014
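One way to script the extraction step the thread describes (carve the alerted flow out of the rotating daemonlogger buffer, and pull from every file around the event rather than only one), as an added example that is not code from any of the posters. It assumes daemonlogger's default file naming, `daemonlogger.pcap.<unix epoch>`, with each file holding traffic from its epoch until the next file starts, and takes the alert time and 5-tuple as arguments instead of parsing the IDS log.

```shell
#!/bin/bash
# Assumption: daemonlogger rotates into DIR/daemonlogger.pcap.<epoch>, and a
# file covers [its epoch, next file's epoch). The newest file is open-ended.

# pcaps_for_window DIR START END : print the files overlapping [START, END]
pcaps_for_window() {
    dir=$1; start=$2; end=$3
    prev_file=""; prev_epoch=""
    # the glob sorts lexically; 10-digit epochs therefore sort chronologically
    for f in "$dir"/daemonlogger.pcap.*; do
        [ -e "$f" ] || continue
        epoch=${f##*.}
        # the previous file covers [prev_epoch, epoch); keep it if that overlaps
        if [ -n "$prev_file" ] && [ "$prev_epoch" -le "$end" ] && [ "$epoch" -gt "$start" ]; then
            echo "$prev_file"
        fi
        prev_file=$f; prev_epoch=$epoch
    done
    # the newest file has no successor yet, so only its start time matters
    if [ -n "$prev_file" ] && [ "$prev_epoch" -le "$end" ]; then
        echo "$prev_file"
    fi
}

# flow_filter PROTO SRC SPORT DST DPORT : BPF matching both directions of the flow
flow_filter() {
    proto=$1; src=$2; sport=$3; dst=$4; dport=$5
    echo "$proto and ((src host $src and src port $sport and dst host $dst and dst port $dport) or (src host $dst and src port $dport and dst host $src and dst port $sport))"
}

# extract_flow DIR OUTDIR ALERT_EPOCH WINDOW PROTO SRC SPORT DST DPORT
# Carves the flow from every file within +/- WINDOW seconds of the alert, so
# the session is not judged from the single pcap that happened to hold the hit.
extract_flow() {
    dir=$1; out=$2; at=$3; win=$4; shift 4
    filter=$(flow_filter "$@")
    start=$((at - win)); end=$((at + win))
    mkdir -p "$out"
    pcaps_for_window "$dir" "$start" "$end" | while read -r f; do
        tcpdump -nn -r "$f" -w "$out/flow.${f##*.}.pcap" "$filter"
    done
}

# example call (constructed values): alert at epoch 1375200550, 5 minutes either side
# extract_flow /var/log/daemonlogger /tmp/evidence 1375200550 300 tcp 10.0.0.5 44321 192.0.2.10 80
```

The per-file outputs can be merged afterwards with Wireshark's mergecap if a single pcap is wanted for the analyst.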