
Does anyone have experience with a solution that manages this functionality in one integrated view?
- network forensics
- SIEM
- intelligence analysis and investigation

Like the Niksun or Solera solutions do?

I'm talking about a SIEM and recording solution for an entire network with intelligence investigation features; this tool can of course also be used sometimes for lawful interception in an ISP, for example.

I found on the web some network solutions from Niksun or Websense, or for example from Solera.

I'm searching for a solution to:
- record traffic from 1 day to 36 months and keep it on accessible storage for analysis
- provide features for post analysis of the content from layer 4 to layer 7 (IP view but also content view of common protocols, chat communication, mail communication and any related traffic)
- provide alerting features triggered by rules about traffic; for example, I can make an alert on detection of a common word in a communication on a subset of the traffic (for example only mail or chat traffic from a specific IP address)
- have high bandwidth support, protocol identification at every layer, statistical reports and a common way to navigate the data

What I'm asking for is not a list of tools to use when an incident happens, but a solution to record all the traffic and to analyze all the traffic to identify data leaks, misconfigurations and non-policy-related utilization of the network.

Does anyone have experience with such a solution and can share information and talk about it?

AviD
boos
  • I haven't enough reputation to add some tags to the question; I want to tag this question with lawful-interception and also with deep-packet-inspection tags. – boos Jan 16 '11 at 08:39
  • You should check out Solera Networks http://www.soleranetworks.com/ – Tate Hansen Jan 16 '11 at 08:47
  • @Tate Hansen: do you have any experience with it? Can you say more on it? Why haven't you answered the question? Thanks – boos Jan 16 '11 at 08:48
  • Well then I'm glad you don't have the rep yet :). In general, tags are not keywords. They are categories, and should serve to group similar questions together. – AviD Jan 16 '11 at 08:53
  • @boos, I'm not clear what you mean by your edit. Could it be you mean something more like a logging solution, or SIEM? If you make this question different from the other one, feel free to flag it for mod's attention to reopen... – AviD Jan 16 '11 at 09:36
  • @AviD: yes, in the market as far as I know there are only 2 solutions like what I'm asking for. The solution is like a SIEM and logging application; in this solution you can have common SIEM features with also the advantage of analyzing old data, and also of making deep packet inspection and making alerts from the content or from a set of network activity at layer 7, like: a person sends a mail with this pattern and also opens a chat with MSN with person X. This solution is a mixture of SIEM, logging and intelligence investigation solutions. – boos Jan 16 '11 at 09:52
  • @boos - I don't have direct experience with Solera Networks (only hearsay accounts) – Tate Hansen Jan 16 '11 at 10:04
  • @boos If so that's not forensics, that's SIEM... – AviD Jan 16 '11 at 10:08
  • Was going to ask you to edit the question with that in mind, but I see you already did :). Reopened for now, let's see where this goes... – AviD Jan 16 '11 at 10:10
  • In any event, these questions would be relevant: http://security.stackexchange.com/q/1149/33 and http://security.stackexchange.com/q/720/33 – AviD Jan 16 '11 at 10:11
  • @AviD: thanks, a log manager collects important data about the session, not the data itself. Anyway, great thanks for the reopen. I suppose there isn't so much interest in this kind of network forensic tool; as I say, as far as I know, only Niksun develops this kind of device. I don't know exactly what the name of this solution is; take a look here http://www.niksun.com/product.php?id=4: with all the products of the series you can have an all-in-one product. – boos Jan 16 '11 at 13:15
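The alerting the question describes, a content pattern applied only to a subset of stored traffic (certain protocols, certain source addresses), and later re-run over old data, is easy to sketch. The following Python is an added example written for this page, not code from Niksun, Solera or any other product mentioned here. It works on constructed session records that stand in for flows reassembled from a packet store; the signatures, ports, rule names, IP addresses and the "BLUEFIN" keyword are all invented for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# One reassembled layer-4 flow with its layer-7 payload. A real capture store
# would rebuild this from packets; here each record is constructed by hand.
@dataclass(frozen=True)
class Session:
    start: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes

# Layer-7 identification: content signatures first, destination port as a
# fallback, so a protocol on a non-standard port is still recognised.
# (Constructed, minimal signature set for the example.)
SIGNATURES = (
    (b"EHLO ", "smtp"),
    (b"HELO ", "smtp"),
    (b"GET ", "http"),
    (b"POST ", "http"),
    (b"<stream:stream", "xmpp"),
)
PORT_HINTS = {25: "smtp", 587: "smtp", 80: "http", 5222: "xmpp"}

def identify_protocol(session: Session) -> str:
    head = session.payload.lstrip()[:32]
    for signature, name in SIGNATURES:
        if head.startswith(signature):
            return name
    return PORT_HINTS.get(session.dst_port, "unknown")

# A content rule scoped to a subset of traffic: which protocols and which
# source addresses it applies to, and the pattern to look for in the payload.
@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    protocols: Optional[frozenset] = None   # None means any protocol
    src_ips: Optional[frozenset] = None     # None means any source address

def rule_matches(rule: Rule, session: Session, protocol: str) -> bool:
    if rule.protocols is not None and protocol not in rule.protocols:
        return False
    if rule.src_ips is not None and session.src_ip not in rule.src_ips:
        return False
    text = session.payload.decode("utf-8", errors="replace")
    return rule.pattern.search(text) is not None

def evaluate(sessions, rules, since: Optional[datetime] = None):
    """Run every rule over the stored sessions in time order. With `since` set,
    only sessions starting at or after it are examined, so the same rules serve
    live alerting and a retrospective search over retained traffic."""
    alerts = []
    for session in sorted(sessions, key=lambda s: s.start):
        if since is not None and session.start < since:
            continue
        protocol = identify_protocol(session)
        for rule in rules:
            if rule_matches(rule, session, protocol):
                alerts.append((rule.name, session.start.isoformat(),
                               session.src_ip, protocol))
    return alerts

# Constructed sample data: four sessions from two workstations over 200 days.
T0 = datetime(2011, 1, 16, 8, 0)
REVIEW_FROM = T0 + timedelta(days=100)   # cut-off for the retrospective run
SAMPLE_SESSIONS = [
    Session(T0, "10.0.0.5", "192.0.2.25", 25,
            b"EHLO ws5\r\nMAIL FROM:<a@example.org>\r\nDATA\r\n"
            b"Subject: q4 numbers\r\nproject codename BLUEFIN attached\r\n.\r\n"),
    Session(T0 + timedelta(hours=1), "10.0.0.5", "192.0.2.80", 8080,   # http on 8080
            b"POST /upload HTTP/1.1\r\nHost: paste.example\r\n\r\ncodename BLUEFIN"),
    Session(T0 + timedelta(days=3), "10.0.0.7", "192.0.2.99", 5222,
            b"<stream:stream to='example.org'><message><body>lunch? BLUEFIN later</body></message>"),
    Session(T0 + timedelta(days=200), "10.0.0.5", "192.0.2.99", 5222,
            b"<stream:stream to='example.org'><message><body>BLUEFIN final</body></message>"),
]

# Rule 1 is the question's case: a keyword, but only in mail or chat from one
# host. Rule 2 is the unscoped version for comparison.
RULES = [
    Rule("codename-in-mail-or-chat-from-ws5", re.compile(r"\bBLUEFIN\b"),
         frozenset({"smtp", "xmpp"}), frozenset({"10.0.0.5"})),
    Rule("codename-anywhere", re.compile(r"\bBLUEFIN\b")),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_SESSIONS, RULES):
        print("live:", alert)
    for alert in evaluate(SAMPLE_SESSIONS, RULES, since=REVIEW_FROM):
        print("retrospective:", alert)
```

The scoped rule fires twice (the SMTP session and the later XMPP session from 10.0.0.5) and ignores both the HTTP upload, because the protocol is out of scope, and the chat from 10.0.0.7, because the source is out of scope; the unscoped rule fires on all four sessions. Signature-based identification is what lets the HTTP POST on port 8080 be classified correctly, which a port-only approach would miss. At the bandwidths and retention periods the question mentions, the interesting engineering is in the capture, indexing and storage tiers rather than in this matching logic, but the rule model is the same.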

2 Answers

Have you looked at NetWitness? Also, check out some of the posts and books from TaoSecurity on the topic of network security monitoring. There you'll find some methods that use open source technologies, but of course they'll require more work on your part.

Eugene Kogan

Have a look at this question - it does mention a few tools that can do exactly what you want, from Wireshark, which would need some scripting to wrap it up into what you are after, to Argus and others.

Rory Alsop
  • My question is not the same as the other one. I don't want a list of tools to use on an incident response; I want a solution to record all my data to identify, after for example 6 months, a data leak, or to make an assessment about protocol and traffic evidence from for example 6 months ago in an enterprise solution. Using Wireshark to manage alerts about 10Gb of traffic is not possible, for example. – boos Jan 16 '11 at 09:33