After setting up an incident response system based on @arcsight and @encase last week, I’ve been looking for new input sources for ArcSight ESM.Thanks to twitter, @rockyd suggested I should add NetWitness.
And that was the moment that I found the most impressive network forensics tool ever. It takes a radically new approach on raw traffic analysis by recomposing all the network sessions and presenting an array of nouns, verbs, adjectives related to the captured data.
Forget the pain to go trough the hex representation of packets or to manually correlate packets and sessions. Once the data file has been loaded you have full access to all attributes of the data captured, from layer 1 to layer 7. And they mean it !
I’ve loaded a 20k packets capture previously recorded with tcpdump and I was absolutely blown away :
In 10 seconds I was able to reconstruct all kind of TCP sesssions , from dropped spam mail (displayed as formated email), to IM (shown as convesation) and even twitter updates. You can run reports on passwords, login names, URLs, login actions (failed / succesfull), etc, whatever criteria it crosses your mind… I’ve even checked some suspicious SNMP scans .
Overall, this is the coolest tool I’ve seen i a very long time . It’s like the Matrix scene when Neo gets to see the matrix itself, beyond the VR / agent Smith. 🙂 . Netwitness Investigator gives you this ability to extract intelligence from raw network packets in a second.
I highly reccomend you to first watch 4 short introductory movies on NetWitness Youtube Channel because they reveal a lot of tips & tricks on how to use the GUI to get you where you want.
NetWitness Investigator is available as a free download but if you like this tool and you need advanced features like capturing and analyzing remote traffic, I highly reccomend to take a look at NextGen, NetWitness’ enterprise network forensic solution.
Thank you for reading this post. You can now Read Comments (5) or Leave A Trackback. Print This Post
Post InfoThis entry was posted on Wednesday, June 24th, 2009 . Tagged with:
Previous Post: Twitter Weekly Updates for 2009-06-14 »
Next Post: Twitter Weekly Updates for 2009-06-28 »
Read MoreRelated Reading:
- How to Protect Your Business Network from Phishing Attacks
- Animated Presentation on Sony PSN Hack
- ArcSight Tip #1 – arcsight managersetup notification test
- I’m a CISSP
- Operation:Payback or Social Vendetta is Here
- I got owned by Malware Destructor 2011 Virus
- New Downtime Cost Calculator by Storagepipe.com. What if ?
- Securing Your Network from Web Threats
- My Twitter Notes on 2010-07-25
- New NetWitness Visualize : Welcome To The Future!