On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
Hi,
I wonder if someone knows a tool to use a tcpdump output for anomaly detection. It is sometimes really time-consuming when looking for identical patterns in the tcpdump output.
It would be helpful to get a diff between SYNs and ACKs, e.g. Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but the client is waiting for data etc.
We would like to decrease time to investigate the cause for an unusual network behaviour.
Best Stefan
Here are my suggestions:
1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would highly recommend that you read some of the papers of the gold-certified SANS people - start here: http://www.giac.org/certified_professionals/listing/gcia_100_781.php
2. Another option is getting Richard Bejtlich's books "Intrusion Detection ..." & "Extrusion Detection ..." and getting some ideas from that material.
Regards,
[another] Stefan
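To illustrate the timing checks Stefan asks for in the original question (the delay between a SYN and its SYN/ACK, and how long a client waits for data after sending its request), here is an added example that is not part of the thread. It assumes text output from `tcpdump -tt -n` in the current `Flags [...]` syntax, and the sample capture embedded below is constructed.

```python
import re

# One line of `tcpdump -tt -n` TCP output in the modern "Flags [...]" syntax.
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)$')

def parse_line(line):
    """Return (timestamp, src endpoint, dst endpoint, flags, payload length) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (float(m['ts']), (m['src'], int(m['sport'])), (m['dst'], int(m['dport'])),
            m['flags'], int(m['len']))

def analyze(lines, slow_threshold=0.5):
    """Per connection (keyed client, server from the SYN): SYN -> SYN/ACK delay and
    first-request -> first-response delay; delays above slow_threshold seconds, or
    that never complete (inf), are listed under 'anomalies'."""
    conns = {}
    for ts, src, dst, flags, length in filter(None, map(parse_line, lines)):
        if flags == 'S':
            conns.setdefault((src, dst), {'syn': ts})  # keep the first SYN on retransmit
        from_client = (src, dst) in conns
        c = conns.get((src, dst) if from_client else (dst, src))
        if c is None:  # packet of a connection whose SYN is not in the capture
            continue
        if flags == 'S.' and not from_client:
            c.setdefault('synack', ts)
        elif length > 0 and from_client:
            c.setdefault('request', ts)  # first client payload, e.g. an HTTP request
        elif length > 0 and 'request' in c:
            c.setdefault('response', ts)  # first server payload after that request
    report = {}
    for key, c in conns.items():
        hs = c.get('synack', float('inf')) - c['syn']
        rq = c.get('response', float('inf')) - c['request'] if 'request' in c else None
        anomalies = [name for name, d in (('handshake', hs), ('response', rq))
                     if d is not None and d > slow_threshold]
        report[key] = {'handshake_s': hs, 'response_s': rq, 'anomalies': anomalies}
    return report

# Constructed sample capture: one handshake with a slow server response, one unanswered SYN.
SAMPLE = """\
1164184443.000000 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 100, win 65535, length 0
1164184443.010000 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [S.], seq 500, ack 101, win 65535, length 0
1164184443.011000 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [P.], seq 101:180, ack 501, win 65535, length 79
1164184445.500000 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [P.], seq 501:1000, ack 180, win 65535, length 499
1164184450.000000 IP 10.0.0.6.40000 > 192.168.1.10.80: Flags [S], seq 7, win 65535, length 0
"""
```

Run `analyze(SAMPLE.splitlines())` (or feed it a real `tcpdump -tt -n` text file) to get, per connection, the two delays and which of them crossed the threshold.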