Attackers have taken this lesson as well, and often enough it is precisely the data that would make pcap valuable that is encrypted. Defenders advocate network encryption, such as discussed in Chapter 8. Unfortunately, network payload traffic is often obscured. On the other hand, packet capture is the only way to reconstruct the exact details of an attack, which makes it an important tool. Retention of sufficient packet capture data so that it can be analytically useful is a challenge. As discussed before, many if not most intrusions are not detected for weeks. A common corporate link of 10 gigabits could fill the same space in less than 14 minutes. 3 This is the most voluminous network analysis option even a rather modest 100-megabit link-a good and common residential connection in 2013-could fill up a terabyte of hard drive space in just 22 hours. The results are often colloquially referred to by their file extension: pcap. Spring, in Introduction to Information Security, 2014 Full-Packet Captureįull-packet capture is any technology that records every bit that goes over the wire for later inspection. The resulting pcap file is the same as if Snort had been run with the –b command-line option or the tcpdump output plug-in. Since the pcap file does not contain any of the alert information associated with the packet, the log_pcap output plug-in is most useful for extracting the packet data for analysis in another tool. It is important to remember that the timestamp only indicates when the file was created and does not necessarily represent the timestamps of any of the data in it. For example, if log_pcap is configured with the default settings and were to open an output file now (Thu Mar 18 21:44:), then the output file would be named 21-44-12. The timestamp indicates when the output file was created using the local time zone. So, what happens if the output file already exists? To avoid overwriting any existing output file, Barnyard adds a timestamp extension to the filename. This is because a pcap file must include specific header information. The log_pcap output plug-in, however, will always create a new output file. So far, all of the output plug-ins that write to a file will append to the current file if it already exists. The output file for log_pcap differs a bit from the other file-based output plug-ins we have discussed. If the filename option is not specified, then “barnyard.pcap” will be used.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |