to store more capture related information.It extends the simple PCAP format features with more options like: How to add them to the PCAP itself? To achieve this, let’s have a look at the PCAP-ng format. If you export the data in PCAP format, you will lose your tags.
I’m a big fan of Moloch but, with this kind of tools, added tags are stored in the ElasticSearch database. Tags are helpful to assign some flows to a case being investigated or to categorize them (“suspicious”, “exfiltration”, “exploitation”, etc). Later, you can search for them to find back interesting traffic: Some tools, like Moloch, allow you to “tag” some conversations. Many security tools can record samples of network traffic or you can maybe need a full-packet capture. Just keep in mind: it must be properly performed if your notes will be used as evidence later… With investigations, there are also chances to you will have to deal with packet captures.
There is no “best” way to take notes, some people use electronic solutions while others are using good old paper and pencil. When you are investigating a security incident, a key element is to take notes and to document as much as possible.
0 kommentar(er)
