Re: [Sguil-users] SANCP and Sguil
From: E. F. <edw...@gm...> - 2012-02-07 16:10:43
On 02/07/2012 03:48 PM, Jeremy Hoel wrote:
> Thanks for the update on the tools info. Quick question -
>
> So with the overlap of the tools (cx and prads) which do you
> prefer/recommend for which tasks? Is CX better at sessions than prads,
> or is daemonlogger good enough for pcap and then use prads for host
> and sessions?

Well, I haven't made any conscious thoughts on that, as I use both in different setups.

Using prads for sancp and pads substitution I guess makes things easier. But on most sensors I use prads for just assets and cxtracker for sessions. That's mostly because in a redo of the prads code, the cxtracker output "went" away for a while. It's back now though :)

The connection tracking code is more or less the same in prads, cxtracker, passivedns and nftracker (it's just prads and cxtracker that print it out, though). cxtracker gives you a bit more freedom, but for use with sguil, without the pcaping, prads and cxtracker are more or less the same. I guess you save some cycles on just using prads for both.

E