full post event analysis
In response to a previous thread for backtracking the path of a virus.
If you want to track something to its source, you have to have a powerful tool that will allow post event analysis.
We use a tool by a company called Niksun (NetDetector). This is a Sniffer like tool (promiscuous analyzer) only with up to ¾ Terabyte capture files. It also has very powerful string search and session reconstruction abilities.
All that you have to do is a string search for the virus signature and it will go back and show you every machine the signature has gone to or from.
This tool is actually designed to catch malicious users hackers etc, and reconstruct there sessions. However, it has many uses such as backtracking viruses, identifying infected machines and doing full post event analysis on pretty much anything.
I work for the UK distributor of this tool.
Hmmm... all this guy seems to do is "advertise" for this sniffer-like-tool... I think it says something that no one's ever seemed to better Network General's original Sniffer, myself. And, as far as IDS, well I have my own opinions there, having worked with a whole load of really crappy ones and one or two really outstanding contributions (my favorite being one "done" by one of the people thought of as one of the original "fathers" of the network/corporate firewall... cookies to the first person to name him/them... LOL)