[Snort-users] Automated File Carving?

Tim Covel tcovel at ...15149...
Wed Aug 8 15:19:39 EDT 2012


We've recently released a modified version of ntop (GPL) which 
includes a file carving system designed to work with snort.

We've put together some screenshots of it here:
http://metaflows.tumblr.com/post/28491256039/file-extraction-malware
http://metaflows.tumblr.com/post/28128365399/quick-investigation-of-a-bothunter-alert-on-an

If you'd like more information on how to get and run it, let us know.

On 08/08/2012 11:13 AM, Jefferson, Shawn wrote:
> Hi,
> Not specifically Snort related, but I thought this might be a good 
> place to ask first.
> I have Snort IDS sensors, with full packet capture (OpenFPC), and 
> Stream capture (StreamDB), and one-click access to these via 
> customized BASE.  One extra thing I find myself wanting is automated 
> file carving... sometimes I want to see the actual file downloaded (be 
> it a PDF, or executable).  I would prefer to have a one-click access 
> to this, so I was wondering if there is anything that automatically 
> will carve files out and store them for easy retrieval?  BroIDS maybe?
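To make concrete what the question above is asking for, and what a carver bolted onto a sensor (like the modified ntop mentioned in the reply) has to do, here is an added Python example; it is not code from this thread, from ntop, Snort, OpenFPC or StreamDB. It assumes it is handed the already reassembled server-to-client bytes of one TCP connection (the kind of stream a full-packet-capture tool can export), walks the HTTP responses in it, extracts each body, labels it by magic bytes rather than by the claimed Content-Type, and stores it under its SHA-256. The two responses, the PDF body and the PE stub body are constructed inline for the demonstration.

```python
"""Carve downloaded files out of a reassembled HTTP server-to-client stream.

Added example for the file-carving thread; not ntop's, Snort's or OpenFPC's
code. Assumes the caller already holds the reassembled server-side bytes of
one TCP connection; TCP reassembly itself is out of scope here.
"""
import hashlib
import os
from typing import Dict, List, Optional

# Magic-byte signatures used to label a carved body by what it actually is,
# independent of the Content-Type the server claimed.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"),  # PE/DOS executable; checked after the longer signatures
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def identify(body: bytes) -> str:
    """Return a short label from the body's leading bytes, 'bin' if unknown."""
    for sig, label in MAGIC:
        if body.startswith(sig):
            return label
    return "bin"


def _parse_headers(raw: bytes) -> Dict[str, str]:
    """Lower-case header map from a raw header block (status line skipped)."""
    headers: Dict[str, str] = {}
    for line in raw.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def _decode_chunked(buf: bytes, pos: int):
    """Decode a chunked body starting at pos; return (body, end) or None if truncated."""
    body = bytearray()
    while True:
        eol = buf.find(b"\r\n", pos)
        if eol < 0:
            return None
        try:
            size = int(buf[pos:eol].split(b";", 1)[0].strip(), 16)
        except ValueError:
            return None
        pos = eol + 2
        if size == 0:
            # Zero-size chunk ends the body; skip any trailers up to the blank line.
            if buf.startswith(b"\r\n", pos):
                return bytes(body), pos + 2
            term = buf.find(b"\r\n\r\n", pos)
            return (bytes(body), term + 4) if term >= 0 else None
        if len(buf) < pos + size + 2:
            return None  # chunk cut off by the end of the capture
        body += buf[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF


def carve_http_stream(stream: bytes, out_dir: Optional[str] = None) -> List[Dict]:
    """Extract every complete HTTP response body in the stream.

    Each record carries the claimed Content-Type, the magic-byte label, size and
    SHA-256. With out_dir set, bodies are written as <sha256>.<label>, so the same
    payload seen on many alerts is stored once and looked up by hash.
    """
    carved: List[Dict] = []
    pos = 0
    while True:
        start = stream.find(b"HTTP/1.", pos)
        if start < 0:
            break
        hdr_end = stream.find(b"\r\n\r\n", start)
        if hdr_end < 0:
            break  # headers truncated by the end of the capture
        headers = _parse_headers(stream[start:hdr_end])
        body_start = hdr_end + 4
        if "chunked" in headers.get("transfer-encoding", "").lower():
            decoded = _decode_chunked(stream, body_start)
            if decoded is None:
                break
            body, pos = decoded
        elif "content-length" in headers:
            try:
                length = int(headers["content-length"])
            except ValueError:
                break
            body = stream[body_start:body_start + length]
            if len(body) < length:
                break  # partial download: never store a truncated file as complete
            pos = body_start + length
        else:
            body, pos = stream[body_start:], len(stream)  # close-delimited body
        if not body:
            continue  # e.g. 304 Not Modified
        digest, label = sha256_hex(body), identify(body)
        record = {"content_type": headers.get("content-type", ""), "label": label,
                  "size": len(body), "sha256": digest}
        if out_dir:
            os.makedirs(out_dir, exist_ok=True)
            path = os.path.join(out_dir, f"{digest}.{label}")
            if not os.path.exists(path):
                with open(path, "wb") as fh:
                    fh.write(body)
            record["path"] = path
        carved.append(record)
    return carved


# Constructed sample (not a real capture): two responses on one connection. The
# first is a PDF with Content-Length; the second is chunked, claims text/html
# but carries a PE header, which the magic-byte check exposes.
PDF_BODY = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
EXE_BODY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n"
    + b"Content-Length: " + str(len(PDF_BODY)).encode() + b"\r\n\r\n" + PDF_BODY
    + b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
    + b"%x\r\n" % len(EXE_BODY) + EXE_BODY + b"\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    for rec in carve_http_stream(SAMPLE_STREAM):
        print(rec)
```

Two design points matter for the "one-click from BASE" workflow the question describes: naming the stored file by its SHA-256 gives the alert view a stable key to link to (and deduplicates a payload seen across many alerts), and a body that the capture cut short is dropped rather than written out as if it were the complete download, so an analyst never reverse-engineers a truncated artefact by mistake. A mismatch between the claimed Content-Type and the magic-byte label, as in the second sample response, is itself worth surfacing next to the alert.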