NetWitness Investigator – Awesome Network Intelligence!


After setting up an incident response system based on @arcsight and @encase last week, I’ve been looking for new input sources for ArcSight ESM. Thanks to twitter, @rockyd suggested I should add NetWitness.

And that was the moment that I found the most impressive network forensics tool ever. It takes a radically new approach to raw traffic analysis by recomposing all the network sessions and presenting an array of nouns, verbs and adjectives related to the captured data.

Forget the pain of going through the hex representation of packets or of manually correlating packets and sessions. Once the data file has been loaded you have full access to all attributes of the captured data, from layer 1 to layer 7. And they mean it!

I’ve loaded a 20k-packet capture previously recorded with tcpdump and I was absolutely blown away:


In 10 seconds I was able to reconstruct all kinds of TCP sessions, from dropped spam mail (displayed as formatted email), to IM (shown as a conversation) and even twitter updates. You can run reports on passwords, login names, URLs, login actions (failed / successful), etc., whatever criteria cross your mind… I’ve even checked some suspicious SNMP scans.
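To make the session-reconstruction idea concrete, here is an added example (my own illustration, not NetWitness code) that does a miniature version of what the tool does: it reads a pcap file, reassembles each TCP flow from its segments (out-of-order and retransmitted ones included) and pulls out the kind of metadata an analyst would report on, such as the URL, the host and whether a cleartext Basic-auth login crossed the wire. The pcap bytes are constructed inline from TEST-NET addresses so the script runs offline; the `intranet.example` host and `alice` account are made-up sample values.

```python
import base64
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # libpcap little-endian magic, link type 1 = Ethernet


def build_frame(src_ip, dst_ip, sport, dport, seq, flags, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; parsers below ignore them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def build_pcap(frames):
    """Wrap frames in a pcap global header plus one record header each."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1244851200 + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed sample: one HTTP request split into two segments that arrive out of
# order, one retransmission of the first segment, then the server's reply.
REQUEST = (b"GET /login?user=alice HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic YWxpY2U6czNjcjN0\r\n\r\n")
SEG1, SEG2 = REQUEST[:30], REQUEST[30:]
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, 1030, 0x18, SEG2),   # second half first
    build_frame(CLIENT, SERVER, 40000, 80, 1000, 0x18, SEG1),
    build_frame(CLIENT, SERVER, 40000, 80, 1000, 0x18, SEG1),   # retransmission
    build_frame(SERVER, CLIENT, 80, 40000, 5000, 0x18, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
])


def iter_pcap_records(data):
    """Yield the raw frame bytes of every record in a pcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">"
    offset = 24
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_frame(frame):
    """Return (flow_key, seq, payload) for IPv4/TCP frames, None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp_off = 14 + ihl
    sport, dport, seq, _, doff = struct.unpack_from("!HHIIB", frame, tcp_off)
    payload = frame[tcp_off + (doff >> 4) * 4:14 + total_len]
    return (src, sport, dst, dport), seq, payload


def reassemble(pcap_bytes):
    """Group segments per unidirectional flow and stitch them in sequence order."""
    flows = defaultdict(list)
    for frame in iter_pcap_records(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            flows[key].append((seq, payload))
    streams = {}
    for key, segs in flows.items():
        segs.sort(key=lambda s: s[0])
        data, expected = b"", segs[0][0]
        for seq, payload in segs:
            end = seq + len(payload)
            if seq > expected:                       # hole in the capture
                data += b"<%d bytes missing>" % (seq - expected)
            elif seq < expected:                     # overlap / retransmission
                payload = payload[expected - seq:]
            data += payload
            expected = max(expected, end)
        streams[key] = data
    return streams


def extract_http_metadata(stream):
    """Pull request method, URL, host and any cleartext Basic-auth user from a stream."""
    meta = {}
    head = stream.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        meta["method"], meta["path"] = parts[0].decode(), parts[1].decode()
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"host":
            meta["host"] = value.decode()
        elif name == b"authorization" and value.lower().startswith(b"basic "):
            user = base64.b64decode(value[6:]).split(b":", 1)[0]
            meta["cleartext_basic_auth_user"] = user.decode(errors="replace")
    if "host" in meta and "path" in meta:
        meta["url"] = "http://" + meta["host"] + meta["path"]
    return meta


def analyse(pcap_bytes):
    """Return {flow_key: metadata} for every reassembled flow carrying an HTTP request."""
    report = {}
    for key, stream in reassemble(pcap_bytes).items():
        meta = extract_http_metadata(stream)
        if "method" in meta:
            report[key] = meta
    return report


if __name__ == "__main__":
    for key, meta in analyse(SAMPLE_PCAP).items():
        print("%s:%d -> %s:%d  %s" % (key + (meta,)))
```

The flow key is the unidirectional 4-tuple, so a client request and the server reply land in two streams; the report only keeps streams that start with a request line. The `cleartext_basic_auth_user` field is the sort of finding that justifies a "passwords over the wire" report: the credential was recoverable from the capture with nothing more than base64 decoding.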

Overall, this is the coolest tool I’ve seen in a very long time. It’s like the Matrix scene when Neo gets to see the matrix itself, beyond the VR / agent Smith. :) NetWitness Investigator gives you this ability to extract intelligence from raw network packets in a second.

I highly recommend that you first watch the 4 short introductory movies on the NetWitness YouTube channel, because they reveal a lot of tips & tricks on how to use the GUI to get you where you want.

NetWitness Investigator is available as a free download, but if you like this tool and you need advanced features like capturing and analyzing remote traffic, I highly recommend taking a look at NextGen, NetWitness’ enterprise network forensics solution.

Twitter Weekly Updates for 2009-06-14

  • Are you using @MrTweet yet? He’s a free personal assistant who helps you discover people with your interests. http://mrtweet.com?v=16 #
  • Curious about: “$100 weekly sweepstakes from BestSecurityTips.com” ( http://bit.ly/K7plw ) #
  • @iboldizsar let me guess : check point & vmware :) in reply to iboldizsar #
  • is taking a crash course in F5 Big-IP Local Traffic Manager and Application Security Manager …it hurts my brain #
  • Reading: “The Web Application Firewall Experts | xiom.com” ( http://bit.ly/R4uEY ) #
  • testing the latest ArcSight ESM 4.5 #

Powered by Twitter Tools.

Twitter Weekly Updates for 2009-06-07

  • Just spent 2 very long days setting up an incident response demo using @arcsight ESM and @encase AIRS. Still not working properly :( #
  • I have finally done it : @arcsight SIEM + @encase Information Assurance = One hell of an Incident Response Center #


Twitter Weekly Updates for 2009-05-31

  • Looking forward to: “GFI LANguard 9 Review – It’s about people, technology and processes -” ( http://tinyurl.com/ozapqt ) #
  • RT @gfisoftware is giving away ten $20 amazon.com vouchers if you RT and follow. Competition closes in 7 HRS #
  • Just posted: “ISACA e-Symposium – Web Application Security” (http://twitthis.com/6lyqy5) #
  • @GFISoftware Thank you ! I hope your campaign was a success. in reply to GFISoftware #
  • Reading: “U.S. Federal IT Spending Forecast 2010 – 2015 – $500 Billion ” ( http://tinyurl.com/m24yda ) #

