Me thinks: is argus + ntop with nDPI + c5 sigma the way to go?

This is the first post in a topic I’ll call “Me thinks,” which is similar to that of “Misguided Opinion,” being mostly editorial. In Me thinks I will be posting ideas that I have, even if they make no sense at all in the long run. So it’s like all gut, no thought, me thinks.

I’ve been working with argus for about two weeks. It’s quite great stuff, and I have been working on a way to optimally store, retrieve and display argus data so that it can be most useful for analysts. I had an idea that may or may not work: if argus is generating flows, and ntop is generating flows, and ntop can output what it thinks is happening (with nDPI), it would be quite useful to combine both, or simply add what ntop has diagnosed the session to contain to the argus record. This would be great!

Additionally, I just came across c5 sigma, which takes pcaps and processes them for import to an SQL DB. I also have yet to look into this, but it seems that it might be useful to combine argus + ntop w/ nDPI + c5 sigma and you would have your macro view + a drill down view.

In the world of security analysis of packet captures, even with the shallow dive I’ve had so far into bridging the gap between packets and usefulness, it’s become quite clear that minimization is a big thing. I believe that ntop’s diagnosis of conversations could be used to trigger c5 sigma processing, which would save only the important things.
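
A sketch of the correlation idea above, added as an example and not code from this post or from argus, ntop or c5 sigma: flow records from two sources are matched on a direction-independent 5-tuple plus overlapping timestamps, then filtered for drill-down. The record fields, the sample flows and the "boring" label list are assumptions constructed for illustration.

```python
# Added illustration: field names and sample records are constructed,
# not real argus or ntop/nDPI output.
from ipaddress import ip_address

def rec(proto, saddr, sport, daddr, dport, start, end, **extra):
    return dict(proto=proto, saddr=saddr, sport=sport, daddr=daddr,
                dport=dport, start=start, end=end, **extra)

def flow_key(r):
    """Direction-independent key: sort the endpoints so A->B equals B->A."""
    a = (ip_address(r["saddr"]), r["sport"])
    b = (ip_address(r["daddr"]), r["dport"])
    return (r["proto"],) + tuple(sorted((a, b)))

def overlaps(a, b, slack=1.0):
    """True when the two time ranges overlap, allowing clock slack (seconds)."""
    return a["start"] <= b["end"] + slack and b["start"] <= a["end"] + slack

def enrich(flows, labelled):
    """Attach the application label to every flow record it matches."""
    index = {}
    for n in labelled:
        index.setdefault(flow_key(n), []).append(n)
    out = []
    for f in flows:
        hits = [n for n in index.get(flow_key(f), []) if overlaps(f, n)]
        out.append(dict(f, app=hits[0]["app"] if hits else "unlabelled"))
    return out

def keep_for_drilldown(flows, boring=frozenset({"DNS", "NTP"})):
    """Minimization: keep flows whose label is not on the 'boring' list.
    Unlabelled flows are kept, since nothing vouches for them."""
    return [f for f in flows if f["app"] not in boring]

# Constructed flow-meter records (the macro view).
ARGUS = [
    rec("udp", "10.0.0.5", 51000, "10.0.0.1", 53, 100.0, 100.2),
    rec("tcp", "10.0.0.5", 51512, "203.0.113.9", 443, 101.0, 130.0),
    rec("tcp", "10.0.0.7", 40000, "198.51.100.4", 6881, 200.0, 260.0),
]
# Constructed DPI records: one seen in the reverse direction, one stale
# record that reuses a 5-tuple long before the flow it would otherwise match.
NDPI = [
    rec("tcp", "203.0.113.9", 443, "10.0.0.5", 51512, 101.1, 129.5, app="TLS"),
    rec("udp", "10.0.0.5", 51000, "10.0.0.1", 53, 100.0, 100.3, app="DNS"),
    rec("tcp", "10.0.0.7", 40000, "198.51.100.4", 6881, 10.0, 20.0, app="HTTP"),
]

if __name__ == "__main__":
    for f in keep_for_drilldown(enrich(ARGUS, NDPI)):
        print(f["saddr"], f["daddr"], f["dport"], f["app"])
```

The time-overlap check matters because ports are reused: without it the stale record would label the third flow as HTTP.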

Anyway, I’ve really just scratched the surface of argus, so I can’t speak for much else. But I hope to get to a point where I can correlate ntop with nDPI and make stuff useful.

[UPDATE]
Ahh… too bad. I spoke too soon. Call me elitist or whatnot, but C5 SIGMA is a set of binaries for Windows, so it doesn’t quite fit into the scheme of things. Also, it doesn’t appear to be able to enter records from live capture, but would be used to poll against a directory periodically.

So, until next time… Does it make sense to dump a network capture to sql?

  1. TimSk
    October 11, 2012 at 8:48 am

    You could save yourself a bunch of time and investigate Security Onion…

    • October 28, 2012 at 12:33 pm

      Thanks Tim.

      I’m going to work on creating my own probe system soon integrating some stuff. I’d rather do this than use a pre-packaged probe, because I like the idea of setting things up from the ground up. Good? Bad? Time consuming? Fun?
