[Discussion] Features
Jamie Riden
jamie.riden at gmail.com
Fri Oct 17 08:13:17 UTC 2008
2008/10/17 John Ives <jives at security.berkeley.edu>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> To throw in my own loose thoughts...
>
> 9. The ability to pull files out of the stream in real-time. e.g. If a
> user attempts to download a file named codec.exe pull a copy of that
> file from the tcp stream and send it to a AV/sandbox. If used with a
> sandbox it would mean that, in essence, each client on the network would
> become a sort of honeyclient, identifying malware during normal
> activity. (of course this is of particular interest to me since I am
> slowly building scripts to do something similar - though not in real
> time - using our existing IDS infrastructure and some of my own rules).
This would be very nice to have in rule syntax - I'm thinking of
something similar to a triggered tcpxtract.
"if we've seen alert X, then start capturing all executables that are
downloaded from a particular host."
cheers,
Jamie
( tcpxtract allows you to define templates to recover things such as
exe files from a tcpdump file - http://tcpxtract.sourceforge.net/ )
--
Jamie Riden / jamesr at europe.com / jamie at honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/
More information about the Discussion
mailing list