D 2010-12-02T04:22:49 L dvessey P 9a81396238530aac799fab3601257d697a2b32cd U dvessey W 1578
[dvessey-rtir|Request Tracker for Incident Response] | Not exactly NSM related, but close enough. Quick build guide. |
[dvessey-misc-bro|Misc Bro Notes] | |
[dvessey-bro-analysis-howto|Network Traffic Analysis with Bro] | Quick overview and howto using some customized scripts and customized version of bro |
Run series of PCAPs | PCAP file format: [http://wiki.wireshark.org/Development/LibpcapFileFormat]. Thought: might be able to skip the first 24 bytes of each PCAP file and concatenate together (something like what mergecap probably does) without killing RAM. Yes, it does work, w/ fol cmd: Best way to use it is probably with a named pipe: |
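The "skip the first 24 bytes" idea above works because a libpcap file is a fixed 24-byte global header followed by self-describing packet records. The script below is an added example (my own code, not from the page or from any tool it mentions) that does the same thing as the author's concatenation idea but streams the data in chunks and refuses to join files whose global headers disagree: mixing byte orders, link types or timestamp precision would make every record after the join unreadable, and a later file with a larger snaplen than the first can produce records longer than the declared limit. It does not reorder packets by timestamp, which mergecap does by default, so it only matches mergecap for files that are already in chronological order. The sample pcaps are constructed in memory; `make_pcap`, `concat_pcaps` and `count_packets` are hypothetical names.

```python
import struct
from io import BytesIO

GLOBAL_HDR_LEN = 24
PKT_HDR_LEN = 16

# Magic number as read little-endian from the first 4 bytes ->
# (struct byte-order prefix for the rest of the file, nanosecond timestamps?)
MAGICS = {
    0xA1B2C3D4: ("<", False),  # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", False),  # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", True),   # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", True),   # big-endian, nanosecond timestamps
}


def parse_global_header(raw):
    """Decode the 24-byte libpcap global header into a dict, or raise ValueError."""
    if len(raw) != GLOBAL_HDR_LEN:
        raise ValueError("short read: not a pcap file")
    magic = struct.unpack("<I", raw[:4])[0]
    if magic not in MAGICS:
        raise ValueError("unknown magic 0x%08x: not a libpcap file (pcapng?)" % magic)
    endian, nanos = MAGICS[magic]
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", raw[4:])
    return {"endian": endian, "nanos": nanos, "version": (vmaj, vmin),
            "snaplen": snaplen, "linktype": linktype}


def concat_pcaps(sources, dest, chunk_size=1 << 20):
    """Write one pcap to `dest`: first file's global header, then every file's packet records.

    Streams in `chunk_size` pieces so RAM use is independent of capture size.
    Returns the header dict of the resulting file.
    """
    first = None
    for src in sources:
        raw = src.read(GLOBAL_HDR_LEN)
        hdr = parse_global_header(raw)
        if first is None:
            first = hdr
            dest.write(raw)  # keep exactly one global header
        else:
            # Records are only interpretable if these match the header we kept.
            for key in ("endian", "nanos", "linktype"):
                if hdr[key] != first[key]:
                    raise ValueError("cannot concatenate: %s differs (%r vs %r)"
                                     % (key, hdr[key], first[key]))
            if hdr["snaplen"] > first["snaplen"]:
                raise ValueError("cannot concatenate: later file's snaplen exceeds the first's")
        while True:  # copy packet records unchanged, chunk by chunk
            chunk = src.read(chunk_size)
            if not chunk:
                break
            dest.write(chunk)
    if first is None:
        raise ValueError("no input files")
    return first


def count_packets(stream):
    """Walk packet records of a pcap stream and return how many are complete."""
    hdr = parse_global_header(stream.read(GLOBAL_HDR_LEN))
    n = 0
    while True:
        rec = stream.read(PKT_HDR_LEN)
        if len(rec) < PKT_HDR_LEN:
            return n
        _ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(hdr["endian"] + "IIII", rec)
        if len(stream.read(incl_len)) < incl_len:
            return n  # truncated final record
        n += 1


def make_pcap(payloads, linktype=1, snaplen=65535, nanos=False, big_endian=False):
    """Constructed sample data: build a minimal pcap (constant timestamps) from raw payloads."""
    endian = ">" if big_endian else "<"
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1_000_000 + i, 0, len(payload), len(payload)) + payload
    return out


if __name__ == "__main__":
    a = make_pcap([b"\x00" * 60, b"\x01" * 40])
    b = make_pcap([b"\x02" * 100])
    merged = BytesIO()
    concat_pcaps([BytesIO(a), BytesIO(b)], merged)
    print("packets in merged file:", count_packets(BytesIO(merged.getvalue())))
```

On a real box `sources` would be the opened capture files in order and `dest` either an output file or a FIFO created with `mkfifo`, so the reader (tcpdump, Bro) consumes the joined stream without a temporary file ever being written; note that a FIFO is read-once, and the check against pcapng magic matters because pcapng files are not a flat record stream and cannot be joined this way.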
Tool | Brief note |
---|---|
[dvessey-netadhict|Carleton CSL NetADHICT] | |
SANCP | Has proven unreliable for large pcap file analysis. Messes up direction too often to provide good results. Bro connection logger may do better? |
[https://github.com/sethhall/bro_scripts|Bro Script - Seth Hall] | Just grabbed these into my directory |