[conspire] BayLISA Special Event - Mar 30 - Meeting at Yahoo HQ, Sunnyvale
sigje at sigje.org
Fri Mar 10 14:36:55 PST 2006
BayLISA's March Special Event
When: March 30, 2006
Where: Yahoo HQ Bldg C Classroom 5, 701 First Ave, Sunnyvale CA 94089
RSVP: http://www.mollyguard.com/event/26459140 or mail to
rsvp at baylisa.org
Topic: NSM and Argus
Speaker: Rik Farrow
Network Security Monitoring (NSM) is the technique developed by Richard
Bejtlich (The Tao of Network Security Monitoring, AW 2004). In brief, NSM
means to capture network traffic at four different levels, to provide a
security analyst with the greatest, and most useful, amount of
information for analyzing security events.
In this presentation, I will outline how NSM works, its benefits, then
focus on the one tool that Richard recommends using even if the rest of
his system gets ignored. Argus is a session data collector, a tool that
collects packet headers and converts them into succinct transaction
records. Argus allows you to see which IP addresses communicate, how much
data was sent, the ports used, and TCP states for the transaction. While
argus itself is easy to use, it produces binary output which must be
translated using ra (report argus). You can even start using argus after an
incident has occurred, because the network traces will help you to
identify involved hosts.
I will demonstrate argus and show how you can use ra and scripts to
uncover compromised hosts in your networks.
If there is enough interest, we can end with a discussion about the future
of network security.
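As an added illustration of the kind of ra-plus-script workflow the abstract describes (this is not code from the announcement, the speaker, or the Argus project): aggregate session records per internal host and flag hosts that push far more data out than they take in, or that hold sessions on IRC-style ports. The CSV field order, the `ra -c , -s ...` invocation assumed to produce it, the 10.0.0.0/8 internal range, the port list and all sample records are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of ra(1)-style session records, one Argus flow per line; the field order
# is an assumption, as if produced by: ra -r argus.out -c , -s stime proto saddr sport daddr dport sbytes dbytes state
SAMPLE_RA_CSV = """\
stime,proto,saddr,sport,daddr,dport,sbytes,dbytes,state
2006-03-30 09:00:01,tcp,10.1.2.15,40211,192.0.2.10,80,1200,48000,FIN
2006-03-30 09:00:05,tcp,10.1.2.15,40212,192.0.2.10,443,900,30000,FIN
2006-03-30 09:01:10,tcp,10.1.2.77,51001,198.51.100.5,6667,45000,2000,CON
2006-03-30 09:01:12,tcp,10.1.2.77,51002,198.51.100.5,6667,52000,1800,CON
2006-03-30 09:02:00,tcp,10.1.2.77,51003,203.0.113.9,22,3100000,20000,FIN
2006-03-30 09:03:00,udp,10.1.2.30,53120,10.1.2.1,53,80,200,CON
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed local address space

def summarize(ra_csv):
    """Per internal source host: external peers, destination ports, bytes sent and received."""
    hosts = defaultdict(lambda: {"peers": set(), "dports": set(), "out": 0, "in": 0})
    for row in csv.DictReader(io.StringIO(ra_csv)):
        src = ipaddress.ip_address(row["saddr"])
        dst = ipaddress.ip_address(row["daddr"])
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only internal -> external sessions are of interest here
        h = hosts[str(src)]
        h["peers"].add(str(dst))
        h["dports"].add(int(row["dport"]))
        h["out"] += int(row["sbytes"])   # bytes the internal host sent
        h["in"] += int(row["dbytes"])    # bytes the external peer sent back
    return hosts

def suspicious(hosts, ratio=5.0, min_out=50_000, odd_ports=frozenset({6667, 6668, 6669})):
    """Flag hosts whose outbound bytes dwarf inbound bytes, or that talk on IRC-style ports."""
    flagged = {}
    for host, h in hosts.items():
        reasons = []
        if h["out"] >= min_out and h["out"] > ratio * max(h["in"], 1):
            reasons.append(f"outbound/inbound byte ratio {h['out'] / max(h['in'], 1):.1f}")
        ports = sorted(h["dports"] & odd_ports)
        if ports:
            reasons.append(f"sessions to ports {ports}")
        if reasons:
            flagged[host] = reasons
    return flagged

if __name__ == "__main__":
    for host, reasons in suspicious(summarize(SAMPLE_RA_CSV)).items():
        print(host, "->", "; ".join(reasons))
```

On the sample data only 10.1.2.77 is reported: it sent roughly 3.2 MB against 24 KB received and held sessions on 6667. Thresholds belong in a config tuned to the site's normal traffic, not hard-coded as here.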