[conspire] BayLISA Special Event - Mar 30 - Meeting at Yahoo HQ, Sunnyvale

Jennifer Davis sigje at sigje.org
Fri Mar 10 14:36:55 PST 2006

  BayLISA's March Special Event

  When: March 30, 2006
  Where: Yahoo HQ Bldg C Classroom 5, 701 First Ave, Sunnyvale CA 94089
  RSVP: http://www.mollyguard.com/event/26459140 or mail to 
rsvp at baylisa.org

  Topic: NSM and Argus
  Speaker: Rik Farrow

  Network Security Monitoring (NSM) is the technique developed by Richard 
Bejtlich (The Tao of Network Security Monitoring, AW 2004). In brief, NSM 
means to capture network traffic at four different levels, to provide a 
security analyst with the greatest, and most useful, amount of 
informantion for analyzing security events.

In this presentation, I will outline how NSM works, its benefits, then 
focus on the one tool that Richard recommends using even if the rest of 
his system gets ignored. Argus is a session data collector, a tool that 
collects packet headers and converts them into succinct transaction 
records. Argus allows you to see which IP addresses communicate, how much 
data was sent, the ports used, and TCP states for the transaction. While 
argus itself is easy to use, it produces binary output which must be 
translate using ra (report argus). You can even start using argus after an 
incident has occurred, because the network traces will help you to 
identify involved hosts.

I will demonstrate argus and show how you can use ra and scripts to 
uncover compromised hosts in your networks.

If there is enough interest, we can end with a discussion about the future 
of network security.

More information about the conspire mailing list