[Discussion] Features

Jamie Riden jamie.riden at gmail.com
Fri Oct 17 08:13:17 UTC 2008


2008/10/17 John Ives <jives at security.berkeley.edu>:
> To throw in my own loose thoughts...
>
> 9. The ability to pull files out of the stream in real time, e.g., if a
> user attempts to download a file named codec.exe, pull a copy of that
> file from the TCP stream and send it to an AV/sandbox. If used with a
> sandbox it would mean that, in essence, each client on the network would
> become a sort of honeyclient, identifying malware during normal
> activity. (Of course this is of particular interest to me since I am
> slowly building scripts to do something similar - though not in real
> time - using our existing IDS infrastructure and some of my own rules.)

This would be very nice to have in rule syntax - I'm thinking of
something similar to a triggered tcpxtract.

"if we've seen alert X, then start capturing all executables that are
downloaded from a particular host."

cheers,
 Jamie

(tcpxtract allows you to define templates to recover things such as
exe files from a tcpdump file - http://tcpxtract.sourceforge.net/)
-- 
Jamie Riden / jamesr at europe.com / jamie at honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
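
A worked illustration of the triggered extraction idea discussed above, added here as an example; it is not code from the thread, from tcpxtract or from any IDS. It assumes the TCP streams have already been reassembled by something else (here the HTTP responses are constructed inline), and it recognises executables by PE structure rather than by file name, so a renamed codec.exe is still caught. Host addresses and the alert hook are hypothetical:

```python
"""Triggered carving of executables from reassembled TCP streams.

Added example, not code from the mailing-list thread, tcpxtract or any IDS.
Assumes stream reassembly has been done elsewhere; the streams below are
constructed inline for demonstration.
"""
import hashlib
import struct
from typing import Optional


def looks_like_pe(data: bytes) -> bool:
    """Structural PE check: 'MZ' at 0, e_lfanew at 0x3c, 'PE\\0\\0' there.

    Stronger than a bare 'MZ' match, which fires on arbitrary text.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def carve_http_body(stream: bytes) -> Optional[bytes]:
    """Split a reassembled HTTP response into headers and body.

    Honours Content-Length so trailing bytes on the stream are not hashed
    into the sample; chunked encoding is deliberately out of scope here.
    """
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        return None
    headers = stream[:sep].decode("latin-1").split("\r\n")
    body = stream[sep + 4:]
    for line in headers[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-length":
            try:
                body = body[:int(value.strip())]
            except ValueError:
                pass
    return body


class TriggeredCarver:
    """'If we have seen alert X for a host, capture executables it serves.'"""

    def __init__(self) -> None:
        self.triggered_hosts: set = set()
        self.captured: list = []  # (server_host, sha256, size)

    def on_alert(self, server_host: str) -> None:
        # Hypothetical hook: called by the IDS when an alert names this host.
        self.triggered_hosts.add(server_host)

    def on_stream(self, server_host: str, stream: bytes) -> Optional[bytes]:
        """Return the carved executable, or None if nothing is captured."""
        if server_host not in self.triggered_hosts:
            return None
        body = carve_http_body(stream)
        if body is None or not looks_like_pe(body):
            return None
        digest = hashlib.sha256(body).hexdigest()
        self.captured.append((server_host, digest, len(body)))
        return body  # hand this to the AV/sandbox queue


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal, non-executable PE-shaped blob."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after DOS header
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01" + b"\0" * 58  # sig, Machine=i386, padding


def build_response(body: bytes, content_type: str) -> bytes:
    """Constructed sample HTTP/1.1 response carrying `body`."""
    head = (f"HTTP/1.1 200 OK\r\nContent-Type: {content_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode()
    return head + body


if __name__ == "__main__":
    carver = TriggeredCarver()
    host = "198.51.100.7"  # hypothetical server address
    resp = build_response(build_fake_pe(), "application/octet-stream")
    print("before alert:", carver.on_stream(host, resp))
    carver.on_alert(host)
    print("after alert:", carver.on_stream(host, resp) is not None, carver.captured)
```

The capture decision rests on the file's contents rather than its name or Content-Type, which is what makes the "every client becomes a honeyclient" idea hold up: the sample is identified by what it is, and the SHA-256 lets the sandbox queue drop duplicates. Chunked transfer encoding and gzip-compressed bodies would need decoding before the PE check, which this example leaves out.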