[unisog] HTTP Session Reconstruction and Monitoring
Harris, Michael C.
HarrisMC at health.missouri.edu
Mon Nov 13 14:55:15 GMT 2006
along these same lines, we are seeking an open source Linux based
application that will take the tcpdump files from snort/acid/shadow and
do summary management reporting. Looking for statistics of sites
visited as well as bandwidth summary per destination (summary of flows)
and summary of non http and https traffic on ports 80 and 443. several
commercial appliances and bandwidth control packages have some
management reporting but I don't need another appliance in line if I can
just reprocess the history tcpdump files lagging real time for daily,
weekly and monthly reporting.
Ps I realize summary of flows and bandwidth may be problematic just
collecting header detail (first 68 bytes). How deep beyond the first 68
bytes is needed to collect the complete destination 99% of the time? And
is deeper inspection required to identify the non http and https flows
on those default ports?
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Isaac Perez
Sent: Monday, November 13, 2006 2:18 AM
To: jgiyanani at niksun.com; UNIversity Security Operations Group
Cc: unisog at lists.sans.org
Subject: Re: [unisog] HTTP Session Reconstruction and Monitoring
You can try sguil, a console for snort that that reconstruct the traffic
of the snort cached attacks.
More information about the unisog