ONLamp: Filtering IDS Packets
Jun 21, 2004, 08:30 (by Don Parker)
"Anyone who has worked with an intrusion detection system knows
that it can produce an enormous amount of data. For many network
security analysts this vast ocean of packets flagged for further
inspection quickly becomes an unruly beast to tame. How then to
tame the beast?
"The simplest and most efficient way to extract needed data from
the ever-growing database logging these packets is to use a
combination of Berkeley packet filters (bpf) and bitmask filters.
Once you're familiar with their syntax and usage, filtering out
specific data is easy. Instead of manually checking 200MB of packet
data one packet at a time, you can tailor that down to the
interesting 500KB. This represents enormous savings in time and
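The excerpt above names byte-offset bitmask filters as the tool for cutting a packet database down to the interesting fraction, without showing how such a filter is evaluated. The following is an added example, not code from the ONLamp article or from any tool it describes: a small Python evaluator for a subset of the tcpdump/BPF byte-offset syntax (`proto[offset] & mask = value`, with `ip`, `tcp` and `udp` as protocols and `=`, `==` and `!=` as operators) that runs the expression against raw IPv4 packets constructed inline. The packet builders, the sample packets, the assumption that packets carry no link-layer header, and the zeroed checksums are all constructions for this example; the filter expressions themselves are the same ones you would hand to `tcpdump -r capture.pcap '...'`.

```python
"""Evaluate tcpdump/BPF-style byte-offset bitmask filters against raw IPv4 packets.

Supported subset (an assumption for this example, not the full BPF grammar):
    proto[offset] [& mask] (= | == | !=) value      proto in {ip, tcp, udp}
Equivalent real-world use:  tcpdump -r capture.pcap 'tcp[13] & 0x12 = 0x12'
"""
import re
import struct

FILTER_RE = re.compile(
    r"^\s*(ip|tcp|udp)\[(\d+)\]"            # protocol header and byte offset
    r"\s*(?:&\s*(0x[0-9a-fA-F]+|\d+))?"     # optional bitmask
    r"\s*(!=|==|=)\s*(0x[0-9a-fA-F]+|\d+)\s*$"  # comparison and value
)

IP_PROTO = {"tcp": 6, "udp": 17}


def parse_filter(expr):
    """Return (proto, offset, mask, op, value). Mask defaults to 0xFF (whole byte)."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    proto, off, mask, op, val = m.groups()
    return proto, int(off), (int(mask, 0) if mask else 0xFF), op, int(val, 0)


def header_offset(pkt, proto):
    """Byte offset at which `proto`'s header starts in a raw IPv4 packet, or None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:          # not IPv4
        return None
    if proto == "ip":
        return 0
    ihl = (pkt[0] & 0x0F) * 4                       # IP header length in bytes
    if pkt[9] != IP_PROTO[proto] or len(pkt) < ihl:  # wrong transport protocol
        return None
    return ihl


def matches(pkt, expr):
    """True if the packet satisfies the bitmask filter; False if it cannot be tested."""
    proto, off, mask, op, val = parse_filter(expr)
    base = header_offset(pkt, proto)
    if base is None or base + off >= len(pkt):
        return False
    masked = pkt[base + off] & mask
    return masked != val if op == "!=" else masked == val


def filter_packets(pkts, expr):
    """Indices of the packets in `pkts` that match `expr`."""
    return [i for i, p in enumerate(pkts) if matches(p, expr)]


# --- constructed sample packets (checksums left at zero; fine for offline filtering) ---
def _ipv4(proto, payload, ttl=64):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                       proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def build_tcp(flags, sport=40000, dport=80):
    """Minimal IPv4/TCP packet; `flags` lands at tcp[13] (SYN=0x02, ACK=0x10, ...)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0)
    return _ipv4(6, tcp)


def build_udp(sport=53, dport=33333):
    """Minimal IPv4/UDP packet with no payload."""
    return _ipv4(17, struct.pack("!HHHH", sport, dport, 8, 0))


SAMPLE_PACKETS = [
    build_tcp(0x02),   # 0: SYN
    build_tcp(0x12),   # 1: SYN-ACK
    build_tcp(0x10),   # 2: ACK
    build_tcp(0x29),   # 3: FIN+PSH+URG
    build_udp(),       # 4: UDP, not TCP at all
    build_tcp(0x04),   # 5: RST
]

if __name__ == "__main__":
    for expr in ("tcp[13] & 0x02 != 0", "tcp[13] & 0x12 = 0x12",
                 "tcp[13] = 0x02", "ip[9] = 17"):
        print(f"{expr:28s} -> packets {filter_packets(SAMPLE_PACKETS, expr)}")
```

The mask is what makes these filters selective rather than exact: `tcp[13] & 0x02 != 0` keeps every packet with SYN set regardless of the other flag bits, while `tcp[13] = 0x02` (implicit mask 0xFF) keeps only a bare SYN. Note that a packet whose transport protocol does not match the expression (the UDP packet under a `tcp[...]` filter) is simply rejected, which mirrors how tcpdump treats the same expression.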