Me thinks: is argus + ntop with nDPI + c5 sigma the way to go?
This is the first post in a topic I’ll call “Me thinks,” which is similar to that of “Misguided Opinion,” being mostly editorial. In Me thinks I will be posting ideas that I have, even if they make no sense at all in the long run. So it’s like all gut, no thought, me thinks.
I’ve been working with argus for about two weeks. It’s quite great stuff, and I have been working on a way to optimally store, retrieve and display argus data so that it can be most useful for analysts. I had an idea that may or may not work: if argus is generating flows, and ntop is generating flows, and ntop can output what it thinks is happening (with nDPI), it would be quite useful to combine both, or simply just add what ntop has diagnosed the session to contain. This would be great!
Additionally, I just came across c5 sigma, which takes pcaps and processes them for import into an SQL DB. I also have yet to look into this, but it seems that it might be useful to combine argus + ntop w/ nDPI + c5 sigma, and you would have your macro view + a drill-down view.
In the world of security analysis of packet captures, even with the shallow dive I’ve had so far into bridging the gap between packets and usefulness, it’s become quite clear that minimization is a big thing. I believe that ntop’s diagnosis of conversations could be used to trigger c5 sigma processing, so that only important things would be saved.
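To make the correlation and minimization ideas concrete, here is an added example (my own sketch for this post, not the author’s code and not the real output format of argus, ntop or C5 SIGMA): a direction-independent 5-tuple join between simplified flow summaries and DPI application labels, followed by a selection policy that flags only conversations the DPI layer could not explain, never saw, or that are unusually large, as the candidates for deeper packet-level processing. The record layouts, the size threshold and every sample value are constructed assumptions.

```python
"""Join flow summaries with DPI labels, then pick flows worth deeper processing.

Added example, not from the original post. Record layouts are an assumption
(one dict per flow) rather than argus's or ntop's actual output; sample data
is constructed.
"""

# Constructed sample of argus-style flow summaries (layout is an assumption).
FLOWS = [
    {"saddr": "10.0.0.5", "sport": 51234, "daddr": "93.184.216.34", "dport": 443,
     "proto": "tcp", "bytes": 48210, "pkts": 60},
    {"saddr": "10.0.0.7", "sport": 40001, "daddr": "10.0.0.53", "dport": 53,
     "proto": "udp", "bytes": 120, "pkts": 2},
    {"saddr": "10.0.0.9", "sport": 39876, "daddr": "198.51.100.23", "dport": 8443,
     "proto": "tcp", "bytes": 1_900_000, "pkts": 2400},
    {"saddr": "10.0.0.9", "sport": 39900, "daddr": "198.51.100.23", "dport": 22,
     "proto": "tcp", "bytes": 8000, "pkts": 40},
]

# Constructed sample of ntop/nDPI conversation diagnoses. The first record is
# reported in the reverse direction on purpose, so the join has to normalize.
DPI = [
    {"saddr": "93.184.216.34", "sport": 443, "daddr": "10.0.0.5", "dport": 51234,
     "proto": "tcp", "app": "TLS"},
    {"saddr": "10.0.0.7", "sport": 40001, "daddr": "10.0.0.53", "dport": 53,
     "proto": "udp", "app": "DNS"},
    {"saddr": "10.0.0.9", "sport": 39876, "daddr": "198.51.100.23", "dport": 8443,
     "proto": "tcp", "app": "Unknown"},
]


def flow_key(rec):
    """Direction-independent 5-tuple: sort the endpoints so A->B and B->A match."""
    a = (rec["saddr"], rec["sport"])
    b = (rec["daddr"], rec["dport"])
    lo, hi = sorted([a, b])
    return (rec["proto"], lo, hi)


def join_flows_with_dpi(flows, dpi_records):
    """Attach the DPI application label to each flow; flows the DPI side never
    reported get the label 'Unlabeled' so they stay visible downstream."""
    labels = {flow_key(d): d["app"] for d in dpi_records}
    joined = []
    for flow in flows:
        rec = dict(flow)
        rec["app"] = labels.get(flow_key(flow), "Unlabeled")
        joined.append(rec)
    return joined


def select_for_deep_processing(joined, large_bytes=1_000_000):
    """Minimization policy: hand only the interesting conversations to the
    packet-level stage. 'Interesting' here (an assumption for the example) means
    the DPI layer said Unknown, never saw the flow, or the flow is very large."""
    selected = []
    for rec in joined:
        reasons = []
        if rec["app"] in ("Unknown", "Unlabeled"):
            reasons.append("dpi-" + rec["app"].lower())
        if rec["bytes"] >= large_bytes:
            reasons.append("large-transfer")
        if reasons:
            selected.append({"key": flow_key(rec), "app": rec["app"], "reasons": reasons})
    return selected


if __name__ == "__main__":
    joined = join_flows_with_dpi(FLOWS, DPI)
    for rec in joined:
        print(rec["saddr"], "->", rec["daddr"], rec["dport"], rec["app"])
    for hit in select_for_deep_processing(joined):
        print("deep-process:", hit)
```

With the constructed data, the TLS and DNS flows are labeled and dropped from the deep-processing set, while the unexplained 8443 transfer (large, Unknown) and the port 22 flow the DPI side never reported are the only two flagged, which is the whole point of letting the flow diagnosis gate the expensive pcap stage.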
Anyway, I’ve really just scratched the surface of argus, so I can’t speak for much else. But I hope to get to a point where I can correlate ntop with nDPI and make stuff useful.
Ahh… too bad. I spoke too soon. Call me elitist or whatnot, but C5 SIGMA is a set of binaries for Windows, so it doesn’t quite fit into the scheme of things. Also, it doesn’t appear to be able to enter records from live capture, but would be used to poll against a directory periodically.
So, until next time… Does it make sense to dump a network capture to sql?