Have you looked at what we do with sguil [0]? It provides quick access to snort alerts, pcap, and flow data (via sancp).

Bammkkkk

[0] http://www.sguil.net

On 24 Sep 2005 02:19:35 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I am currently evaluating some SIM products, however, I am having difficulty
> getting the vendors to understand what I mean by tcp stream reassembly.
>
> One of the things I want the SIM to do is to be able to take raw packet
> data -- i.e., what is in tcpdump -r file -s0 -- search it for a text string,
> and turn it into a file.
>
> Right now, what I have to do is take a known time that an event happened,
> unzip it, tcpdump -r file -w file2 <some filters here>, tcpflow -r file2, and
> grep <string> * to find what legal has requested.
>
> Anyone know which ones have this capability built in or can add it on?
>
> Thanks,
> Thy
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
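The tcpdump / tcpflow / grep pipeline Thy describes, as an added Python example that is not part of this thread, of sguil, or of any SIM product: it parses a libpcap file, reassembles each TCP direction by sequence number (dropping the retransmitted segment in the sample), and returns the streams that contain a search string under tcpflow-style flow names. The capture, addresses and HTTP exchange are constructed for illustration; the parser assumes Ethernet/IPv4 frames and does not handle sequence-number wraparound.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield (src, sport, dst, dport, seq, payload) for every IPv4/TCP frame in a libpcap (Ethernet) file."""
    endian = "<" if struct.unpack("<I", data[:4])[0] in (0xA1B2C3D4, 0xA1B23C4D) else ">"
    off = 24                                            # skip the 24-byte global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt, off = data[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(pkt) < 54 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                    # not IPv4 over Ethernet, or not TCP
        ihl, tot = (pkt[14] & 0x0F) * 4, struct.unpack("!H", pkt[16:18])[0]
        ip, tcp = pkt[14:14 + ihl], pkt[14 + ihl:14 + tot]   # IP total length strips Ethernet padding
        sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
        yield ip[12:16], sport, ip[16:20], dport, seq, tcp[(off_flags >> 12) * 4:]

def reassemble(packets):
    """Rebuild each unidirectional stream in sequence order, dropping retransmitted bytes (no seq wraparound)."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, payload in packets:
        if payload:                                     # SYN/ACK/FIN-only segments carry no stream bytes
            flows[(src, sport, dst, dport)].append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        buf, nxt = bytearray(), min(segs)[0]
        for seq, payload in sorted(segs):
            if seq + len(payload) > nxt:                # skip pure retransmissions, trim partial overlaps
                buf += payload[max(0, nxt - seq):]
                nxt = seq + len(payload)
        streams[key] = bytes(buf)                       # bytes lost to a capture gap are simply absent
    return streams

def search_streams(pcap_bytes, needle):
    """Return {tcpflow-style flow name: stream} for every reassembled stream containing needle."""
    return {"%s.%05d-%s.%05d" % (".".join(map(str, s)), sp, ".".join(map(str, d)), dp): stream
            for (s, sp, d, dp), stream in reassemble(parse_pcap(pcap_bytes)).items() if needle in stream}

def build_pcap(segments):
    """Constructed test capture (not real traffic): one Ethernet/IPv4/TCP frame per segment tuple."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, sport, dst, dport, seq, payload in segments:
        tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
        out += struct.pack("<IIII", 0, 0, 14 + len(ip), 14 + len(ip)) + b"\x00" * 12 + b"\x08\x00" + ip
    return bytes(out)

A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])     # sample below: out-of-order GET, then a retransmit of it
SAMPLE_PCAP = build_pcap([(A, 40000, B, 80, 1011, b" HTTP/1.0\r\n\r\n"), (A, 40000, B, 80, 1000, b"GET /secret"),
                          (A, 40000, B, 80, 1000, b"GET /secret"), (B, 80, A, 40000, 5000, b"HTTP/1.0 200 OK\r\n\r\nhello")])
```

Writing each returned stream to a file named after its key (one file per direction) gives the same result as the tcpflow and grep steps in the thread; `search_streams(SAMPLE_PCAP, b"secret")` returns only the client side of the constructed exchange, with the retransmitted GET counted once.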
