Terje,
Just a thought - If you have a lot of these files it might be easier to process them in TCPdump format, as there are more command-line (scriptable!) tools that will parse the data for you. There is an option in BlackICE that will do this for you, but since you already have the data...   Perhaps someone can suggest a tool that does packet capture file conversions efficiently? 
 
To kludge the conversion with BlackICE itself, the following, in theory as I understand it, should work: reparse the evidence files with a copy of the BlackICE engine to get them into .tcp format, then you can use tcpdump or whatever command-line tool you want to parse your data all day long. Remember, since those are only evidence files (as opposed to full packet captures) they may not have everything you need.
 
- Stop the BlackICE engine and make a copy of BlackICE in a separate folder. Add 'evidence.filesuffix=.tcp' to the blackice.ini file.
- Rerun the evidence file through the BlackICE engine via the -r command: blackd.exe -r evd001.enc
 
To do this on several .enc files, this may work:
for %n in (evd*.enc) do blackice.exe -r %n
 
To view the result as text, follow that with
for %n in (evd*.tcp) do windump -n -X -r %n >>output.txt
 
-Tom
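Once the evidence files have been reparsed into tcpdump (.tcp) format as Tom describes, the first thing worth checking before feeding them to windump is that each output file really is a well-formed pcap and how much of each packet actually survived, since evidence files are not full captures. The following parser is an added example, not code from the thread, from ISS or from BlackICE: it reads the pcap global header (either byte order), walks the per-packet records, flags packets whose captured length is shorter than the original length, decodes IPv4 addresses for Ethernet frames, and renders the result as CSV, which is the output Terje asked for. The sample capture it parses is constructed inline so the script runs offline; the addresses, timestamps and frame contents are made up.

```python
import csv
import io
import socket
import struct
from datetime import datetime, timedelta, timezone

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1
CSV_FIELDS = ["time", "caplen", "origlen", "truncated", "src", "dst", "proto"]


def parse_pcap(data):
    """Parse a tcpdump/pcap byte string into a header dict plus packet records.

    The magic number is written in the producer's native byte order, so both
    orders are accepted.  A packet whose captured length is below its original
    length is flagged 'truncated', which is what a snaplen-limited or
    evidence-only capture looks like.
    """
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == struct.unpack("<I", struct.pack(">I", PCAP_MAGIC))[0]:
        bo = ">"
    else:
        raise ValueError("not a tcpdump/pcap file (magic 0x%08x)" % magic)
    _, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(bo + "IHHiIII", data[:24])
    packets = []
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, origlen = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + caplen]
        if len(frame) < caplen:
            break   # file ends mid-record: stop rather than misparse the tail
        off += caplen
        ts = datetime.fromtimestamp(ts_sec, tz=timezone.utc) + timedelta(microseconds=ts_usec)
        rec = {"time": ts.isoformat(), "caplen": caplen, "origlen": origlen,
               "truncated": caplen < origlen, "src": "", "dst": "", "proto": ""}
        # Decode IPv4 addressing only when the link type and EtherType say it is there
        if linktype == LINKTYPE_ETHERNET and len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            rec["src"] = socket.inet_ntoa(frame[26:30])
            rec["dst"] = socket.inet_ntoa(frame[30:34])
            rec["proto"] = frame[23]
        packets.append(rec)
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def to_csv(packets):
    """Render packet records as CSV text, one row per packet."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, lineterminator="\n")
    w.writeheader()
    w.writerows(packets)
    return buf.getvalue()


def build_frame(src_ip, dst_ip, proto, payload):
    """Constructed Ethernet/IPv4 frame with a zero checksum (test data only)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + payload


def build_pcap(records, bo="<"):
    """Constructed pcap file from (ts_sec, ts_usec, frame, caplen) tuples."""
    out = struct.pack(bo + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts_sec, ts_usec, frame, caplen in records:
        out += struct.pack(bo + "IIII", ts_sec, ts_usec, caplen, len(frame)) + frame[:caplen]
    return out


# Constructed sample: one complete TCP frame and one UDP frame cut at 60 bytes,
# timestamped around the date of this thread (addresses are made up).
SAMPLE_RECORDS = [
    (1042200000, 123456, build_frame("10.0.0.5", "192.0.2.10", 6, b"\x00" * 20), 54),
    (1042200001, 0, build_frame("192.0.2.10", "10.0.0.5", 17, b"\x00" * 100), 60),
]
SAMPLE_PCAP = build_pcap(SAMPLE_RECORDS)

if __name__ == "__main__":
    # With real files: parse_pcap(open("evd001.tcp", "rb").read())
    print(to_csv(parse_pcap(SAMPLE_PCAP)["packets"]))
```

The truncated flag is the one to watch when the captures are destined for a trial: a row whose caplen is well below origlen tells you the payload windump prints with -X is only the head of the packet, so conclusions drawn from it should be limited to the headers that were actually captured.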
 
-----Original Message-----
From: Rich Shinnick [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 10, 2003 11:48 AM
To: 'Terje Thøgersen'; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Reading an evd000.enc file

Try netmon.exe from Microsoft.  This is the Network Monitor software, which can read .enc files.

Regards,

Richard J. Shinnick - Senior Partner
Secure Technology Integration Group, Ltd.
Ansonia Station - P.O. Box 237165
New York, NY 10023

OFFICE:   212.340.9488     HOME:   201.236.9371
CELL:       201.220.7484     FAX:       646.349.4616

This message, and any attachments to it, contains confidential, proprietary and/or legally privileged information and must not, directly or indirectly, be disclosed, used, copied, or transmitted in any form or by any means without prior written permission from Secure Technology Integration Group, Ltd. (STIGroup). If you are not the intended recipient, delete the message and any attachments from your system without reading or copying it, destroy any hard copies of it, and kindly notify the sender by e-mail. STIGroup reserves the right to monitor all e-mail communications through its networks. Any views expressed in this message are those of the individual sender, except where the message states otherwise and the sender is authorized to state them to be the views of any such entity.  Thank you.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Terje Thøgersen
Sent: Friday, January 10, 2003 8:20 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Reading an evd000.enc file


Hi all,

Some time ago, I purchased hosting-services from an external company. The servers were protected with BlackICE.

We had a massive attack on the servers, and in connection with the trial of the perpetrators, we need to read the logs.

Sadly, the hosting company is now bankrupt, and the personnel spread all over. There's no help available from them.

We have some files of type evd000.enc, that we need to look into. Ideally, we'd like the file dumped to text or .csv.

I bought BlackICE for PCs, expecting this to work, but this program seems to have a different log format.

Do you have any suggestions?

  -Terje

______________________________________
Terje Thøgersen
IS Direktør/CIO, Netaxept AS
Mob: (+47) 908 25 456
Tel: (+47) 815 00 545
Fax: (+47) 22 83 03 30
Adr: Tjuvholmen 1, 0250 Oslo, Norway

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
