A new version of my paper on forensic packet analysis with RealSecure has just been posted to the RealSecure Tech Center on the ISS public web site. This is the same paper which was formerly titled "Using Network Monitor with RealSecure". It has been mentioned on this list before.

WHAT THIS DOCUMENT CONTAINS
---------------------------

The purpose of this document is to explain ways you can use a packet capture tool as a forensic or investigative tool in conjunction with RealSecure sensors. This can be a valuable technique when working with RealSecure sensors in production environments. Some of the purposes for which you can use these techniques include:

* Investigating RealSecure sensor false positives.
* Investigating other types of RealSecure sensor failures that are caused by network traffic.
* Gathering forensic data in the investigation of an actual attack.
* Gathering data for transmission to ISS in support of a bug report.

WHAT IS NEW IN THIS VERSION
---------------------------

Although the procedures in the document primarily focus on using Microsoft Network Monitor as your packet capturing tool, the document now contains instructions and scripts that allow you to use TCPDUMP or SNOOP as your capture tool on Unix systems. Of course, the procedures described are adaptable to just about any packet capture tool, particularly ones with a circular buffer and "trigger" capability.

Additional notes on how to deal with issues relating to stealth mode sensors have been added, including on how to deal with this in Unix.

Additional references to related material and documents were added (all hyperlinked).

WHERE CAN YOU FIND IT
---------------------

You can download the paper here:

http://www.iss.net/customer_care/resource_center/realsecure_tech_center/tips_tricks/index.php

The document is in Microsoft Word format inside a PKZIP file, which also contains three scripts that can be used to automate the packet capture tasks described in the document.

You can download some associated utility programs mentioned in the paper here:

http://www.iss.net/customer_care/resource_center/realsecure_tech_center/utilities/index.php

These are Windows executables with instructions included in the PKZIP with them.

There are also many other excellent RealSecure related resources on those pages, so they are definitely worth a spin by every so often.

Comments welcome.

=====================================
Tim Farley
Senior Researcher
Internet Security Systems
[EMAIL PROTECTED]
(404) 236-2600
http://www.iss.net
Internet Security Systems - The Power to Protect
=====================================
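The announcement describes the general pattern behind the paper's Unix scripts: a capture tool running a circular buffer, plus a "trigger" that preserves the buffer when the sensor fires, so the packets behind a false positive, a sensor failure or a real attack can be examined afterwards. The following shell script is an added example written for this page, not one of the three scripts shipped in the paper's PKZIP, and it does not reproduce their contents. It assumes tcpdump's -C (rotate every N MB) and -W (keep only the last N files) ring-buffer options, a hypothetical capture directory and evidence directory, and the file naming tcpdump uses for -C output (ring.pcap0, ring.pcap1, ...). The freeze step copies the ring files and writes a SHA-256 manifest so the evidence can later be shown unchanged; the demo at the bottom exercises that step on constructed files without needing tcpdump or root.

```shell
#!/bin/sh
# Added example (not from the paper): tcpdump ring buffer + "trigger" freeze.
# Hypothetical defaults; override via environment if you adapt this.
CAP_DIR="${CAP_DIR:-/var/tmp/rs-ring}"
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/tmp/rs-evidence}"
IFACE="${IFACE:-eth0}"

# SHA-256 of one file, portable across GNU coreutils and BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Build the tcpdump command line for a circular buffer: -C rotates the file
# every N million bytes, -W keeps only the last N files (oldest overwritten),
# -s 0 captures whole packets, -n avoids DNS lookups that would slow capture.
# Only the command string is produced here; nothing is executed.
ring_capture_cmd() {
    _iface=$1; _dir=$2; _size_mb=${3:-10}; _files=${4:-5}
    printf 'tcpdump -i %s -s 0 -n -C %s -W %s -w %s/ring.pcap' \
        "$_iface" "$_size_mb" "$_files" "$_dir"
}

# Start the ring buffer in the background (needs root or CAP_NET_RAW).
# Not called by the offline demo below.
start_ring_capture() {
    mkdir -p "$2"
    sh -c "exec $(ring_capture_cmd "$@")" &
    echo $! > "$2/tcpdump.pid"
}

# The "trigger": when the sensor raises an alert, copy every ring file into a
# timestamped evidence directory labelled with the alert name, then record a
# SHA-256 manifest of the copies. Prints the evidence directory path.
freeze_ring() {
    _dir=$1; _out=$2; _label=${3:-alert}
    _dest="$_out/$(date -u +%Y%m%dT%H%M%SZ)-$_label"
    mkdir -p "$_dest"
    for f in "$_dir"/ring.pcap*; do
        [ -f "$f" ] || continue
        cp -p "$f" "$_dest/"
    done
    ( cd "$_dest" && for f in ring.pcap*; do
          [ -f "$f" ] || continue
          printf '%s  %s\n' "$(hash_file "$f")" "$f"
      done ) > "$_dest/MANIFEST.sha256"
    printf '%s\n' "$_dest"
}

# Later check: returns 0 only if every frozen file still matches its manifest entry.
verify_evidence() {
    _dest=$1
    while read -r _sum _name; do
        [ "$(hash_file "$_dest/$_name")" = "$_sum" ] || return 1
    done < "$_dest/MANIFEST.sha256"
    return 0
}

# Number of ring files present in a directory.
count_frozen() {
    ls "$1"/ring.pcap* 2>/dev/null | wc -l | tr -d ' '
}

# Offline demonstration on constructed ring files (no tcpdump, no root).
demo_freeze() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/ring"
    printf 'constructed ring file 0\n' > "$_tmp/ring/ring.pcap0"
    printf 'constructed ring file 1\n' > "$_tmp/ring/ring.pcap1"
    _ev=$(freeze_ring "$_tmp/ring" "$_tmp/evidence" demo-false-positive)
    echo "frozen $(count_frozen "$_ev") files into $_ev"
    if verify_evidence "$_ev"; then echo "manifest verified"; fi
    rm -rf "$_tmp"
}

demo_freeze
```

In production the ring would be started once with `start_ring_capture "$IFACE" "$CAP_DIR"` and `freeze_ring "$CAP_DIR" "$EVIDENCE_DIR" "<alert name>"` would be invoked from whatever hook the sensor offers; copying the files at trigger time matters because the ring keeps overwriting its oldest file, so the packets of interest are otherwise gone within a few rotations.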
