Linux Today: Linux News On Internet Time.


ONLamp: Filtering IDS Packets

Jun 21, 2004, 08:30 (0 Talkback[s])
(Other stories by Don Parker)

"Anyone who has worked with an intrusion detection system knows that it can produce an enormous amount of data. For many network security analysts this vast ocean of packets flagged for further inspection quickly becomes an unruly beast to tame. How then to tame the beast?

"The simplest and most efficient way to extract needed data from the ever-growing database logging these packets is to use a combination of Berkeley packet filters (bpf) and bitmask filters. Once you're familiar with their syntax and usage, filtering out specific data is easy. Instead of manually checking 200MB of packet data one packet at a time, you can tailor that down to the interesting 500KB. This represents enormous savings in time and trouble..."

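The excerpt above names the technique but does not show it, so here is an added illustration that is not part of the ONLamp article or of Don Parker's code. It implements, in plain Python with no libpcap, the one BPF form that bitmask filtering relies on: `tcp[offset] & mask == value` (or `!= value`), evaluated against the TCP flags byte, `tcp[13]`, of each frame. The capture it runs over is constructed inline (Ethernet/IPv4/TCP headers built with `struct`, including one frame with IPv4 options and one non-IP frame) so the example runs offline; the `build_tcp_packet`, `compile_filter` and `filter_capture` names are this example's own. The point it makes is the one the excerpt makes: a bitmask over a single header byte is enough to reduce a large flagged-packet set to the handful worth an analyst's time, such as SYN-only segments, while correctly skipping frames whose TCP header is not at a fixed offset.

```python
import re
import struct

# TCP flag bits as laid out in byte 13 of the TCP header (tcp[13] in BPF syntax).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_packet(src_port, dst_port, flags, ihl=5):
    """Constructed sample frame: Ethernet + IPv4 + TCP header, no payload.
    ihl > 5 appends zero-filled IPv4 options so the TCP header is not at a fixed offset."""
    eth = b"\x00" * 12 + b"\x08\x00"                        # dst MAC, src MAC, EtherType IPv4
    ip_hdr_len = ihl * 4
    ip = struct.pack("!BBHHHBBH4s4s",
                     (4 << 4) | ihl, 0, ip_hdr_len + 20,     # version/IHL, TOS, total length
                     0, 0, 64, 6, 0,                         # id, flags/frag, TTL, proto=TCP, checksum
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip += b"\x00" * (ip_hdr_len - 20)                        # IPv4 options padding, if any
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, flags, 65535, 0, 0)            # data offset, flags, window, csum, urg ptr
    return eth + ip + tcp


def tcp_header_offset(pkt):
    """Return the byte offset of the TCP header, or None if the frame is not IPv4/TCP.
    Mirrors what BPF does for tcp[N]: skip 14 bytes of Ethernet, then IHL*4 bytes of IPv4."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":          # not IPv4
        return None
    ihl = pkt[14] & 0x0F
    if ihl < 5 or pkt[14 + 9] != 6:                          # bad IHL or protocol != TCP
        return None
    return 14 + ihl * 4


# Subset of tcpdump/BPF syntax handled here: tcp[N] & MASK == VALUE  /  tcp[N] & MASK != VALUE
FILTER_RE = re.compile(
    r"^\s*tcp\[(\d+)\]\s*&\s*(0x[0-9a-fA-F]+|\d+)\s*(==|!=)\s*(0x[0-9a-fA-F]+|\d+)\s*$")


def compile_filter(expr):
    """Turn a bitmask filter expression into a predicate over raw frames."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    offset, mask = int(m.group(1)), int(m.group(2), 0)
    op, value = m.group(3), int(m.group(4), 0)

    def match(pkt):
        start = tcp_header_offset(pkt)
        if start is None or start + offset >= len(pkt):     # non-TCP or truncated frame
            return False
        masked = pkt[start + offset] & mask
        return masked == value if op == "==" else masked != value

    return match


def filter_capture(expr, packets):
    """Apply one bitmask filter to a list of raw frames; return the frames that match."""
    pred = compile_filter(expr)
    return [p for p in packets if pred(p)]


# Constructed "capture": a handshake, a FIN/PSH/URG segment, a SYN behind IP options, an ARP frame.
SAMPLE_CAPTURE = [
    build_tcp_packet(40000, 80, SYN),
    build_tcp_packet(80, 40000, SYN | ACK),
    build_tcp_packet(40000, 80, ACK),
    build_tcp_packet(40001, 22, FIN | PSH | URG),
    build_tcp_packet(40002, 443, SYN, ihl=6),
    b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,               # ARP, no TCP header at all
]

if __name__ == "__main__":
    for expr in ("tcp[13] & 0x12 == 0x02",     # SYN set, ACK clear: connection attempts only
                 "tcp[13] & 0x10 == 0x10",     # ACK set: established-side traffic
                 "tcp[13] & 0x3f == 0x29",     # exactly FIN+PSH+URG, nothing else
                 "tcp[13] & 0x04 != 0"):       # any RST
        hits = filter_capture(expr, SAMPLE_CAPTURE)
        print(f"{expr:28s} -> {len(hits)} of {len(SAMPLE_CAPTURE)} frames")
```

The same expressions work unchanged against a real pcap with tcpdump, for example `tcpdump -r ids.pcap 'tcp[13] & 0x12 == 0x02'`, which is the quickest way to pull only the connection attempts out of a large flagged-packet file; the Python here only makes visible what the filter engine does with each byte.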
