Many people use open source intrusion detection tools, but most
concentrate on collecting only alert data. To fully investigate
incidents, alert data must be supplemented by session and full content
data. Without this complementary information, it is seldom possible to
validate and escalate security events without performing host-based
forensics or other time-intensive tasks. Sguil (http://sguil.sf.net) is an open source interface to all three
types of network-based evidence. It was developed on FreeBSD but is
also deployed on OpenBSD and Linux. This talk will explain the sorts of
data one can collect and examine, using short case studies from real-world
traffic. It will conclude with a live demo of Sguil on FreeBSD.
Speaker: not assigned. Location: TBA.