Re: Ability for SIM to perform tcp stream reassembly

[Merik Karman <merik () merik net>]

We are doing this in Australia with SenSage. It is not technically a  
SIM, more a long term data repository and search faciltiy.
It does however have some real-time capabilities in the newest version.

Anyway we record snaplen 0 tcpdump and store it in sensage and then  
find strings very quickly and then even reconstruct sessions.

Regards

MK

On 24/09/2005, at 12:19 PM, Thyrymn () gmail com wrote:

> Hello.
>
> I am currently evaluating some SIM products, however, I am having  
> difficulty getting the vendors to understand what I mean by tcp  
> stream reassembly.
>
> One of the thinfgs I want the sim to do is the be able to take raw  
> packet data -- i.e., what is in tcpdump -r  file -s0 -- search it  
> for a text string, and turn it into a file.
>
> Right now, what I have to do it take the a known time that an event  
> happened, unzip it, tcpdump -r file -w file2 <some filters here>,  
> tcpflow -r file2, and grep <string> * to find what legal has  
> requested.
>
> Anyone know of which ones having this capability built in or can  
> add it on?
>
> Thanks,
> Thy
>
> ---------------------------------------------------------------------- 
> --
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus- 
> ids_040708
> to learn more.
> ---------------------------------------------------------------------- 
> --


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------