North American Network Operators Group
Re: analyse tcpdump output
- From: Netfortius
- Date: Wed Nov 22 15:40:58 2006
On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
> Hi,
>
> I wonder if someone knows a tool to use a tcpdump output for anomaly
> detection. It is sometimes really time-consuming when looking for identical
> patterns in the tcpdump output.
>
> It would be helpful to get a diff between SYN and ACKs, e.g. Or look for
> a pattern in a URL. Or just get some timediffs, e.g. when an ACK is sent but
> the client is waiting for data etc.
>
> We would like to decrease time to investigate the cause for an unusual
> network behaviour.
>
> Best Stefan
Here are my suggestions:
1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would
highly recommend that you read some of the papers of the gold-certified SANS
people - start here:
http://www.giac.org/certified_professionals/listing/gcia_100_781.php
2. Another option is getting Richard Bejtlich's books "Intrusion
Detection ..." & "Extrusion Detection ..." and getting some ideas from that
material.
Regards,
[another] Stefan
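An added example, not part of the thread, showing the timing part of what Stefan Hegger asked for: pairing each SYN with its SYN/ACK to get the handshake RTT, counting SYN retransmissions, and measuring the gap between the client's first data segment and the server's first reply so a stalled server stands out. It assumes tcpdump was run with `-tt -n` (absolute epoch timestamps, no name resolution) and prints the modern `Flags [S]` / `length N` form; the capture it parses is constructed inline. Looking for a pattern in a URL needs the payload (`-A`) and is not covered here.

```python
"""Timing anomalies from tcpdump text output (added example, not from the thread).

Assumes tcpdump was run with `-tt -n` on a build that prints `Flags [S]`,
`Flags [S.]`, ... and a trailing `length N`. The capture below is constructed
for illustration, not taken from the list.
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\.(?P<us>\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)"
)

# Constructed sample: one connection whose reply is slow, and one SYN that is
# never answered and gets retransmitted twice.
SAMPLE = """\
1164213600.000000 IP 10.0.0.5.41234 > 192.0.2.10.80: Flags [S], seq 1000, win 5840, options [mss 1460], length 0
1164213600.000450 IP 192.0.2.10.80 > 10.0.0.5.41234: Flags [S.], seq 2000, ack 1001, win 5792, options [mss 1460], length 0
1164213600.000470 IP 10.0.0.5.41234 > 192.0.2.10.80: Flags [.], ack 1, win 5840, length 0
1164213600.000600 IP 10.0.0.5.41234 > 192.0.2.10.80: Flags [P.], seq 1:80, ack 1, win 5840, length 79
1164213600.000800 IP 192.0.2.10.80 > 10.0.0.5.41234: Flags [.], ack 80, win 5792, length 0
1164213601.000000 IP 10.0.0.5.41235 > 192.0.2.11.443: Flags [S], seq 3000, win 5840, options [mss 1460], length 0
1164213603.200800 IP 192.0.2.10.80 > 10.0.0.5.41234: Flags [P.], seq 1:512, ack 80, win 5792, length 511
1164213604.000000 IP 10.0.0.5.41235 > 192.0.2.11.443: Flags [S], seq 3000, win 5840, options [mss 1460], length 0
1164213610.000000 IP 10.0.0.5.41235 > 192.0.2.11.443: Flags [S], seq 3000, win 5840, options [mss 1460], length 0
"""


def parse_line(line):
    """Return one TCP/IPv4 packet as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # Keep time as integer microseconds so differences are exact.
    ts_us = int(d["ts"]) * 1_000_000 + int(d["us"].ljust(6, "0")[:6])
    return {"ts": ts_us, "src": (d["src"], int(d["sport"])),
            "dst": (d["dst"], int(d["dport"])),
            "flags": d["flags"], "len": int(d["len"])}


def analyse(lines, stall_threshold_s=1.0):
    """Pair SYNs with SYN/ACKs and first requests with first replies.

    Returns {(client, server): {...}} with handshake RTT, delay from the client's
    first data segment to the server's first data segment, SYN retransmission
    count and a list of findings. Connections are keyed by the side that sent
    the bare SYN.
    """
    conns = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        flags, ts = p["flags"], p["ts"]
        if "S" in flags and "." not in flags:            # bare SYN, client -> server
            c = conns.setdefault((p["src"], p["dst"]),
                                 {"syn": [], "synack": None, "req": None, "resp": None})
            c["syn"].append(ts)
        elif "S" in flags:                               # SYN/ACK, server -> client
            c = conns.get((p["dst"], p["src"]))
            if c and c["synack"] is None:
                c["synack"] = ts
        elif p["len"] > 0:                               # payload-carrying segment
            if (p["src"], p["dst"]) in conns:            # client request
                c = conns[(p["src"], p["dst"])]
                if c["req"] is None:
                    c["req"] = ts
            else:                                        # server reply
                c = conns.get((p["dst"], p["src"]))
                if c and c["req"] is not None and c["resp"] is None:
                    c["resp"] = ts
    report = {}
    for key, c in conns.items():
        r = {"syn_retries": len(c["syn"]) - 1, "handshake_rtt": None,
             "response_delay": None, "findings": []}
        if c["synack"] is None:
            r["findings"].append("no SYN/ACK seen (half-open or filtered)")
        else:
            # Measured from the first SYN: that is what the client actually waited.
            r["handshake_rtt"] = (c["synack"] - c["syn"][0]) / 1e6
        if r["syn_retries"]:
            r["findings"].append(f"{r['syn_retries']} SYN retransmission(s)")
        if c["req"] is not None and c["resp"] is None:
            r["findings"].append("request sent, no data back")
        elif c["req"] is not None:
            r["response_delay"] = (c["resp"] - c["req"]) / 1e6
            if r["response_delay"] > stall_threshold_s:
                r["findings"].append(f"server took {r['response_delay']:.3f}s to answer")
        report[key] = r
    return report


def run_sample():
    """Analyse the constructed capture above."""
    return analyse(SAMPLE.splitlines())


if __name__ == "__main__":
    for (client, server), r in run_sample().items():
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}", r)
```

To use it on a real capture, feed `tcpdump -tt -n -r file.pcap tcp` output into `analyse()` line by line; the stall threshold is a parameter because what counts as slow depends on the service being looked at.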