Thursday, September 23, 2010

IDABench

One of my very favorite tools is IDABench. IDABench is a packet-auditing tool built on Perl and tcpdump (and other libpcap-based tools), derived from Shadow. If you're familiar with Shadow, you know its basic function is to capture packets into hourly dump files and give you a web-based interface to search those packets, along with a daily summary of source and destination addresses and ports. George Bakos, when he was at ISTS, the Institute for Security Technology Studies at Dartmouth, took Shadow and revamped it with Perl scripts so you could run ngrep, tethereal (now Wireshark's tshark) and p0f against the captures. Even better, IDABench is modular and can be extended to use just about any tool that can read pcap files. It runs on Linux and Apache and is a great tool for the intrusion analyst or team that looks at packets frequently. It hasn't been maintained for a number of years, and when I searched for a download link, every one I found pointed back to ISTS, where the page no longer exists. That's a real shame; it's a very useful tool. Since the code is unmaintained, treat it as an analysis-host tool: run it on a dedicated box and don't expose its web interface beyond the analysts who need it. If you're interested in trying it, let me know and I'll get the files to you...
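To make the Shadow/IDABench workflow concrete, here is a minimal illustration of what those tools do over an hourly pcap file: read the classic libpcap record format, pull the IPv4 and TCP/UDP headers out of each frame, and roll the result into a per-day source/destination/port summary. This is an added example in Python, not IDABench's own Perl code; the sample capture is constructed in memory rather than taken from a real sensor, and the function names are my own.

```python
"""Minimal Shadow-style pcap summariser (added example, not IDABench code)."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic (pcapng is a different format)


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_pcap(packets):
    """Serialise (timestamp, frame) pairs as a little-endian classic pcap file."""
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for ts_sec, frame in packets:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return bytes(out)


def ip_frame(src, dst, proto, payload):
    """Ethernet II + minimal IPv4 header (checksum left zero) around a transport payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ip_to_bytes(src), ip_to_bytes(dst))
    return eth + ip + payload


def tcp_syn(sport, dport):
    # 20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def udp_datagram(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def iter_records(pcap):
    """Yield (ts_sec, frame) for each record; stop cleanly on a truncated capture."""
    if len(pcap) < 24:
        return
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(pcap):
            break  # partial last record, e.g. the hourly file is still being written
        yield ts_sec, pcap[pos:pos + incl_len]
        pos += incl_len


def parse_packet(frame):
    """Return (src, dst, proto, sport, dport) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4  # header length in bytes, honours IP options
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = frame[14 + ihl:]
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return src, dst, proto, sport, dport
    return src, dst, proto, None, None


def daily_summary(pcap):
    """Shadow-style summary: packet count per (src, dst, proto, dst port)."""
    flows = Counter()
    for _ts, frame in iter_records(pcap):
        parsed = parse_packet(frame)
        if parsed is not None:
            src, dst, proto, _sport, dport = parsed
            flows[(src, dst, proto, dport)] += 1
    return flows


def top_talkers(flows, n=3):
    by_src = Counter()
    for (src, _dst, _proto, _dport), count in flows.items():
        by_src[src] += count
    return by_src.most_common(n)


# Constructed sample capture (not real traffic): three SYNs from one host, one DNS query.
SAMPLE_PCAP = build_pcap([
    (1285200000, ip_frame("10.0.0.5", "192.0.2.10", 6, tcp_syn(40001, 22))),
    (1285200001, ip_frame("10.0.0.5", "192.0.2.10", 6, tcp_syn(40002, 22))),
    (1285200002, ip_frame("10.0.0.5", "192.0.2.11", 6, tcp_syn(40003, 445))),
    (1285200003, ip_frame("10.0.0.9", "192.0.2.53", 17, udp_datagram(5353, 53, b"\x00" * 12))),
])

if __name__ == "__main__":
    for key, count in sorted(daily_summary(SAMPLE_PCAP).items()):
        print(key, count)
    print("top talkers:", top_talkers(daily_summary(SAMPLE_PCAP)))
```

The truncation check in `iter_records` matters on a live sensor: Shadow-style hourly files are read while tcpdump is still appending to them, and a parser that trusts `incl_len` blindly will either raise or misread the tail of the file.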

6 comments:

Mark said...

Jeff
Could I get a copy of IDABench?

thanks

Mark

JeffSoh said...

Sure. I have 1.0, plus the plugins that were being worked on when the project was last supported (tethereal, p0f). I can bundle up everything I have and send it to you.

Biochrome said...

Do you still have this software available? I'd love to get my hands on whatever the latest (and any plugins you have/have written) is!

JeffSoh said...

Sure. I have the latest revision they wrote plus the plugins they were working on. It's less than 1 MB.

Brandon Everett said...

Hi Jeff,

I studied Shadow as part of my graduate studies, as I was able to get hold of the last unclassified version, but don't think I ever came across IDABench until recently. You seem to be the only one I can find who still has it. Even if it is not as good as other tools, can you send it to me?

Brandon

JeffSoh said...

Sure. Drop me a line to the email in my profile and I'll send it to you.
