Re: [Sguil-users] SANCP and Sguil
From: Edward F. <edw...@gm...> - 2012-02-07 12:45:05
Hi Paul,

On Mon, Feb 6, 2012 at 10:59 PM, Paul Marin <pma...@gm...> wrote:
> I have also noticed that there is a tool called cxtracker that can
> replace sancp. Do you guys recommend doing this? What are the advantages?

I initially started to write cxtracker about 3 years ago to make my sguil setup ready for IPv6, as the company I work for had deployed an IPv6 network and was doing some great pioneer work in that field [1]. Sguil has not yet made room for IPv6, but I hope when or if that happens, cxtracker or prads might be a choice, or maybe NetFlow or other technology will be fitted.

I could have patched sancp to play with IPv6, but I did not find that the code was "clean" enough to patch it in a nice way without rewriting it too much. So I wrote cxtracker from scratch.

I also coded PRADS, along with Kacper Wysocki, which has the same functionality as cxtracker in its core (for keeping state), and so PRADS can also be used in the same way as cxtracker, as a replacement for sancp :) (./prads -L /path/to/sancp/dir/)

PRADS also has a function that can log service (like pads) and client assets to a sguil-pads compatible fifo "file" (./prads -f /path/to/pads.fifo). It also detects clients and services on IPv6 (and IPv4). So you can run prads in many ways at the same time, gathering OS, Services, Clients, and sessions.

cxtracker also has another feature, which might prove useful. Thanks to Ian Firnsy, cxtracker can now also replace daemonlogger and, as a bonus, it can also index where in the pcap a session is. On large pcap files, this can speed up the extraction time etc. [2]

If you try out any of the tools and have feedback/issues/questions, feel free to write me :)

https://github.com/gamelinux/
http://www.gamelinux.org/

[1] http://fud.no/ipv6/
[2] http://www.gamelinux.org/?p=358

--
Edward Bjarte Fjellskål
Senior Security Analyst
http://www.gamelinux.org/