[sapug] Python File Format library

Chris Foote chris at inetd.com.au
Tue Oct 3 13:32:03 CEST 2006


On Tue, 3 Oct 2006, Michael Cohen wrote:

> On Tue, Oct 03, 2006 at 07:44:05PM +0930, nepBabu.cx wrote:
>> Good day Michael,
>> atm I am learning to use many of the tools such as tcpdump, ethereal, nc
>> and nmap myself to secure my box.
>> Basically, my question is, what's the advantage of pyflag over them and
>> what else can we accomplish more using pyflag other than investigating
>> large amounts of logs ?
>
> nepBabu,
>  PyFlag is a forensic utility for post incident analysis, not so much a secure
>  your box type utility. The main page is at http://pyflag.sf.net/ which might
>  give you more information about the pyflag tool itself.
>
>  The File Format Library is a small part of the main project - because we need
>  to read and interpret many different file types.

Very cool!

I was fortunate to attend a presentation from OSU[1] a few years ago
(at Lisa 2000) and they took libpcap extraction to a new level with
reassembling Quake traffic[2]:

 	Quake-replay
 	– Reads server to client traffic from a tcpdump log
 	– Massages it with view direction assumed from the client to
 	  server traffic
 	– Constructs a demo recording that you can play

They obviously had way too much time on their hands :-)

[1] interesting real-life security incident
http://www3.net.ohio-state.edu/security/talks/2000/2000-12-07_incident-response_lisa/stuff_files/v3_document.htm

[2] http://www3.net.ohio-state.edu/security/talks/2000/2000-12-07_incident-response_lisa/stuff-text.pdf

-- 
Chris Foote <chris at inetd.com.au>
Inetd Pty Ltd T/A HostExpress
Web:   http://www.hostexpress.com.au
Blog:  http://www.hostexpress.com.au/drupal/chris
Phone: (08) 8410 4566
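The first Quake-replay step above (pulling the server-to-client stream out of a tcpdump log) in miniature, as an added example that is not code from the OSU talk, PyFlag or its File Format Library: a small libpcap walker that splits UDP payloads by direction so the two streams can be processed separately. The addresses, ports and payloads are constructed sample values, not real Quake traffic.

```python
import struct

# Constructed sample input, not a real capture: a little-endian libpcap file (link
# type 1 = Ethernet) with UDP between hypothetical client 10.0.0.2 and server 10.0.0.1.
def _udp_frame(src_ip, src_port, dst_ip, dst_port, payload):
    """Ethernet/IPv4/UDP frame; checksums are left zero, which is fine for parsing."""
    eth = b"\x00" * 12 + b"\x08\x00"
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + udp

def _pcap(frames):
    """Wrap frames in a pcap global header plus per-record headers (ts_sec = index)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = _pcap([
    _udp_frame("10.0.0.2", 27001, "10.0.0.1", 26000, b"connect"),
    _udp_frame("10.0.0.1", 26000, "10.0.0.2", 27001, b"serverinfo"),
    _udp_frame("10.0.0.2", 27001, "10.0.0.1", 26000, b"move angles=1,2,3"),
    _udp_frame("10.0.0.1", 26000, "10.0.0.2", 27001, b"snapshot#1"),
])

def udp_payloads_by_direction(data, server_ip, server_port):
    """Walk a pcap byte string; return UDP payloads as {'s2c': [...], 'c2s': [...]}."""
    magic, = struct.unpack_from("<I", data, 0)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # byte order from the magic
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    out, off = {"s2c": [], "c2s": []}, 24
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + "IIII", data, off)[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Need Ethernet (14) + minimal IPv4 (20) + UDP (8), IPv4 ethertype, protocol 17.
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport, ulen = struct.unpack_from("!HHH", frame, 14 + ihl)
        payload = frame[14 + ihl + 8:14 + ihl + ulen]
        if (src, sport) == (server_ip, server_port):
            out["s2c"].append(payload)
        elif (dst, dport) == (server_ip, server_port):
            out["c2s"].append(payload)
    return out
```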