I'm often asked if doing intrusion analysis requires a lot of high-cost tools
(actually I don't recall anyone ever asking that of me, but it sounded good as a
lead in to this topic). The answer, if someone SHOULD ask me that, is no, it
doesn't have to.
After identifying alerts of interest, my current tool kit for analysis includes the following:
- Snorby: Open source front end to snort databases. I just recently started using this instead of BASE
- IDABench: Packet auditing system written by George Bakos, based on Shadow.
(Hasn't been actively supported since 2003, but still works fine. Going to look at OpenFPC as a possible replacement.)
- ngrep: The ever popular packet grepper from Jordan Ritter.
- Wireshark. The best free protocol analyzer available
- xtractr - packet indexer from Mu Dynamics
- Netwitness Investigator - packet indexer/search tool from NetWitness Corporation
- p0f, tcpdump, dsniff, chaosreader, and other various cmd line tools
All of those tools are open-source and freely available. Of course, we use multiple commercial IDS systems and a SIEM and a commercial log analyzer, but all the tools I use to do actual analysis are free.
Does that answer the question you didn't ask? Good!
Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
2 comments:
Did you try xplico? Network forensic...
I have not, but I've seen it mentioned. Will have to try that one out. Thanks!
Post a Comment