Re: [Sguil-users] SANCP and Sguil
From: Jeremy H. <jt...@gm...> - 2012-02-07 14:48:52
Thanks for the update on the tools info. Quick question - so with the overlap of the tools (cx and prads), which do you prefer/recommend for which tasks? Is CX better at sessions than prads, or is daemonlogger good enough for pcap and then use prads for host and sessions?

On Tue, Feb 7, 2012 at 12:44 PM, Edward Fjellskål <edw...@gm...> wrote:
> Hi Paul,
>
> On Mon, Feb 6, 2012 at 10:59 PM, Paul Marin <pma...@gm...> wrote:
>> I have also noticed that there is a tool called cxtracker that can
>> replace sancp. Do you guys recommend doing this? What are the advantages?
>
> I initially started to write cxtracker about 3 years ago to make my sguil
> setup ready for IPv6, as the company I work for had deployed an IPv6 network
> and was doing some great pioneer work in that field [1]. Sguil has not yet
> made room for IPv6, but I hope when or if that happens, cxtracker or prads
> might be a choice, or maybe NetFlow or other technology will be fitted.
>
> I could have patched sancp to play with IPv6, but I did not find that the
> code was "clean" enough to patch it in a nice way without rewriting it too
> much. So I wrote cxtracker from scratch.
>
> I also coded PRADS, along with Kacper Wysocki, which has the same
> functionality as cxtracker in its core (for keeping state), and so PRADS can
> also be used in the same way as cxtracker, as a replacement for sancp :)
> (./prads -L /path/to/sancp/dir/)
>
> PRADS also has a function that can log service (like pads) and client
> assets to a sguil-pads compatible fifo "file" (./prads -f /path/to/pads.fifo).
> It also detects clients and services on IPv6 (and IPv4).
>
> So, you can run prads in many ways at the same time, gathering OS, Services,
> Clients, and sessions.
>
> cxtracker also has another feature, which might prove useful. Thanks to
> Ian Firnsy, cxtracker can now also replace daemonlogger and, as a bonus, it
> can also index where in the pcap a session is. On large pcap files, this can
> speed up the extraction time etc. [2]
>
> If you try out any of the tools, and have feedback/issues/questions, feel
> free to write me :)
> https://github.com/gamelinux/
> http://www.gamelinux.org/
>
> [1] http://fud.no/ipv6/
> [2] http://www.gamelinux.org/?p=358
>
> --
> Edward Bjarte Fjellskål
> Senior Security Analyst
> http://www.gamelinux.org/
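The session-to-pcap-offset index that Edward mentions (cxtracker recording where in the capture each session lives, so that extraction does not re-read the whole file) is the part of the thread worth seeing in code. The following is an added example written for this page, not cxtracker's or PRADS's own code or on-disk index format: it walks a pcap once, records the byte offset and length of every record per direction-independent 5-tuple, and then carves one session out by seeking directly to those offsets. The sample capture is constructed inline (two interleaved sessions, one TCP and one UDP, with zeroed checksums) and the addresses and ports are made up. Like sancp and Sguil's session table, it only classifies IPv4; an IPv6 frame is skipped, which is exactly the gap the thread is about.

```python
"""Per-session byte-offset index over a pcap (added example, not cxtracker code)."""
import socket
import struct
from collections import defaultdict

PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, vmaj, vmin, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def session_key(src, sport, dst, dport, proto):
    """Direction-independent 5-tuple so both halves of a session share one key."""
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)


def _classify(pkt):
    """Session key for an Ethernet/IPv4/TCP-or-UDP frame, else None (IPv6 etc. skipped)."""
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETHERTYPE_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src, dst = socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34])
    l4 = 14 + ihl
    if proto not in (6, 17) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    return session_key(src, sport, dst, dport, proto)


def index_pcap(data):
    """One pass over the capture: {session_key: [(record_offset, record_length), ...]}."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian pcap with Ethernet link type")
    index = defaultdict(list)
    pos = PCAP_GLOBAL_HDR.size
    while pos + PCAP_REC_HDR.size <= len(data):
        _, _, incl_len, _ = PCAP_REC_HDR.unpack_from(data, pos)
        rec_len = PCAP_REC_HDR.size + incl_len
        key = _classify(data[pos + PCAP_REC_HDR.size:pos + rec_len])
        if key is not None:
            index[key].append((pos, rec_len))
        pos += rec_len
    return dict(index)


def extract_session(data, index, key):
    """Carve a session by seeking to its indexed records; the capture is not re-parsed."""
    out = [data[:PCAP_GLOBAL_HDR.size]]
    for offset, rec_len in index.get(key, []):
        out.append(data[offset:offset + rec_len])
    return b"".join(out)


def count_records(data):
    """Number of packet records in a pcap (used to check the extracted file)."""
    n, pos = 0, PCAP_GLOBAL_HDR.size
    while pos + PCAP_REC_HDR.size <= len(data):
        pos += PCAP_REC_HDR.size + PCAP_REC_HDR.unpack_from(data, pos)[2]
        n += 1
    return n


def _frame(src, sport, dst, dport, proto, payload=b""):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; checksums deliberately left zero."""
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Constructed pcap: global header plus one record per frame, one second apart."""
    out = [PCAP_GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, f in enumerate(frames):
        out.append(PCAP_REC_HDR.pack(1328626800 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed sample: a 3-packet TCP session interleaved with a 2-packet UDP exchange.
SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", 40001, "192.0.2.10", 80, 6, b"GET / HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.5", 53422, "192.0.2.53", 53, 17, b"\x12\x34" + b"\x00" * 10),
    _frame("192.0.2.10", 80, "10.0.0.5", 40001, 6, b"HTTP/1.0 200 OK\r\n"),
    _frame("192.0.2.53", 53, "10.0.0.5", 53422, 17, b"\x12\x34" + b"\x00" * 10),
    _frame("10.0.0.5", 40001, "192.0.2.10", 80, 6),
])

if __name__ == "__main__":
    idx = index_pcap(SAMPLE_PCAP)
    tcp = session_key("10.0.0.5", 40001, "192.0.2.10", 80, 6)
    print(len(idx), "sessions;", idx[tcp])
    print(count_records(extract_session(SAMPLE_PCAP, idx, tcp)), "records carved")
```

Persisting `index_pcap`'s output next to the capture (with the pcap's name and a hash of its global header, so a rotated file cannot be paired with a stale index) is what turns this into the speed-up the thread describes: a Sguil transcript request then costs a handful of seeks rather than a linear scan of a multi-gigabyte file.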