Inspect and interpret SMB messages

Unanswered Question
Mar 19th, 2010

Hi

I am replying to an invitation to tender from a customer. They require a product that will be able to do deep packet inspection and extract SMB events relating to shares and files that are moved or deleted. They also want it to support directory services if possible so that it can report by username!


Oh and it needs to be able to do it at a full 10Gb and store historical data for a year.

I can't think of anything that can do this kind of thing. Sure, with a packet capture you could pick out the SMB messages, but storing 10Gb/s would involve thousands of terabytes of storage for a year's worth of data.

Any ideas on something that can do at least part of this. I was thinking about some kind of Netflow analyser.

Thanks

Pat

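The SMB side of the requirement, as an added example that is not from the original post or from any product mentioned in this thread: a minimal Python parser that walks direct-TCP (port 445) framed SMB2 requests, pulls out the messages that rename or remove files (CREATE with FILE_DELETE_ON_CLOSE, SET_INFO with FileRenameInformation or FileDispositionInformation) and tags each event with a username from a session table. The packets are constructed inline for the example; the SessionId-to-user table stands in for what a real extractor would learn from SESSION_SETUP (Kerberos/NTLM) plus a directory lookup, and all function and variable names are my own.

```python
import struct

# SMB2 constants from MS-SMB2 (commands 2.2.1.2, CREATE 2.2.13, SET_INFO 2.2.39).
SMB2_CREATE = 0x0005
SMB2_SET_INFO = 0x0011
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001     # set on responses, clear on requests
SMB2_0_INFO_FILE = 0x01
FILE_RENAME_INFORMATION = 10                # buffer is FILE_RENAME_INFORMATION_TYPE_2
FILE_DISPOSITION_INFORMATION = 13           # buffer is a 1-byte DeletePending flag
FILE_DELETE_ON_CLOSE = 0x00001000           # CreateOptions bit

HDR_FMT = "<4sHHIHHIIQIIQ16s"               # 64-byte SMB2 header, little-endian
HDR_LEN = struct.calcsize(HDR_FMT)
CREATE_FMT = "<HBBIQQIIIIIHHII"             # 56 fixed bytes before the name buffer
SET_INFO_FMT = "<HBBIHHI16s"                # 32 fixed bytes before the info buffer

# Constructed session table: SessionId -> account. In a real extractor this is
# filled from SESSION_SETUP exchanges and resolved against the directory.
SESSION_USERS = {0x1234: "CORP\\pat"}


def parse_header(msg):
    f = struct.unpack_from(HDR_FMT, msg, 0)
    if f[0] != b"\xfeSMB" or f[1] != HDR_LEN:
        raise ValueError("not an SMB2 header")
    return {"command": f[4], "flags": f[6], "tree_id": f[10], "session_id": f[11]}


def parse_create(msg):
    """CREATE request: path plus whether the handle is marked delete-on-close."""
    f = struct.unpack_from(CREATE_FMT, msg, HDR_LEN)
    if f[0] != 57:
        return None
    create_options, name_off, name_len = f[10], f[11], f[12]
    path = msg[name_off:name_off + name_len].decode("utf-16-le")
    kind = "delete_on_close" if create_options & FILE_DELETE_ON_CLOSE else "open"
    return {"event": kind, "path": path}


def parse_set_info(msg):
    """SET_INFO request: rename (new name) or disposition (delete pending)."""
    f = struct.unpack_from(SET_INFO_FMT, msg, HDR_LEN)
    if f[0] != 33 or f[1] != SMB2_0_INFO_FILE:
        return None
    info_class, buf_len, buf_off, file_id = f[2], f[3], f[4], f[7]
    buf = msg[buf_off:buf_off + buf_len]
    if info_class == FILE_RENAME_INFORMATION:
        replace, _res, _root, name_len = struct.unpack_from("<B7sQI", buf, 0)
        new_name = buf[20:20 + name_len].decode("utf-16-le")
        return {"event": "rename", "file_id": file_id.hex(),
                "new_name": new_name, "replace_if_exists": bool(replace)}
    if info_class == FILE_DISPOSITION_INFORMATION:
        return {"event": "delete" if buf[0] else "undelete", "file_id": file_id.hex()}
    return None


def extract_events(stream, session_users):
    """Walk 0x00+24-bit-length framed SMB2 messages and emit file change events."""
    events, off = [], 0
    while off + 4 <= len(stream):
        length = struct.unpack_from(">I", stream, off)[0] & 0x00FFFFFF
        msg = stream[off + 4:off + 4 + length]
        off += 4 + length
        hdr = parse_header(msg)
        if hdr["flags"] & SMB2_FLAGS_SERVER_TO_REDIR:
            continue                        # responses carry none of the buffers we want
        ev = None
        if hdr["command"] == SMB2_CREATE:
            ev = parse_create(msg)
        elif hdr["command"] == SMB2_SET_INFO:
            ev = parse_set_info(msg)
        if ev:
            ev["user"] = session_users.get(hdr["session_id"], "unknown")
            ev["tree_id"] = hdr["tree_id"]  # map to a share via the TREE_CONNECT path
            events.append(ev)
    return events


# Builders used only to construct the sample capture below.
def smb2_request(command, session_id, tree_id, body):
    hdr = struct.pack(HDR_FMT, b"\xfeSMB", HDR_LEN, 1, 0, command, 1, 0, 0,
                      0, 0xFEFF, tree_id, session_id, b"\x00" * 16)
    msg = hdr + body
    return struct.pack(">I", len(msg)) + msg   # direct-TCP framing


def create_request(session_id, tree_id, path, create_options=0):
    name = path.encode("utf-16-le")
    body = struct.pack(CREATE_FMT, 57, 0, 0, 2, 0, 0, 0x00010080, 0, 7, 1,
                       create_options, HDR_LEN + 56, len(name), 0, 0)
    return smb2_request(SMB2_CREATE, session_id, tree_id, body + name)


def set_info_request(session_id, tree_id, info_class, payload):
    body = struct.pack(SET_INFO_FMT, 33, SMB2_0_INFO_FILE, info_class, len(payload),
                       HDR_LEN + 32, 0, 0, b"\x11" * 16)
    return smb2_request(SMB2_SET_INFO, session_id, tree_id, body + payload)


def sample_stream():
    """Constructed capture: delete-on-close open, a rename, two deletes."""
    new_name = "docs\\report-final.docx".encode("utf-16-le")
    rename = struct.pack("<B7sQI", 0, b"\x00" * 7, 0, len(new_name)) + new_name
    return b"".join([
        create_request(0x1234, 7, "docs\\scratch.tmp", FILE_DELETE_ON_CLOSE),
        set_info_request(0x1234, 7, FILE_RENAME_INFORMATION, rename),
        set_info_request(0x1234, 7, FILE_DISPOSITION_INFORMATION, b"\x01"),
        set_info_request(0x9999, 7, FILE_DISPOSITION_INFORMATION, b"\x01"),
    ])


if __name__ == "__main__":
    for ev in extract_events(sample_stream(), SESSION_USERS):
        print(ev)
```

Two gaps a real extractor has to close are visible in the output: a SET_INFO carries only the 16-byte FileId, so the name of a renamed or deleted file comes from correlating it with the CREATE response that returned that FileId, and the TreeId only becomes a share name once the TREE_CONNECT for that session has been seen. Both mean the extractor has to keep per-connection state, which is where a 10 Gb/s line rate and a year of retention bite: one stores the extracted events, not the packets.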
yjdabear Fri, 03/19/2010 - 14:56

Personally, "deep packet inspection" and "10 Gb" bring this appliance solution to mind:

http://www.netscout.com/docs/datasheets/NetScout_ds_nGenius_InfiniStream.pdf

"Broad Storage Capabilities
Configured in a variety of rack-mounted chassis options, storage
capabilities range from 500 GB to 16 TB. Chassis options vary
from 1RU appliances to larger systems.

Interfaces and Speeds
More than two dozen models are available to accommodate
deployments across the modern IP network. Monitoring speeds
range from 10base-T, to Fast Ethernet, to high-speed 10-GbE
interfaces. Port densities are available in 2-Port, 4-Port, and
8-Port capture configurations."

So it doesn't have anywhere near the storage for a full year's worth of data, but then 16TB is the most built-in storage on any network monitoring appliance I've heard of (and apparently the price tag to match). It's also unclear whether it meets some of the other requirements, but I suppose the vendor's professional services might be able to cater to those if the customer has the budget to support those requirements.

OTOH, as you've pointed out, NetFlow is not deep-packet inspecting, but if that's "good enough" for the purpose, there's at least one hardware-based NetFlow solution capable of scaling up to 10G, http://www.invea-tech.com/products/flowmon, courtesy of this old thread: https://supportforums.cisco.com/message/653987#653987
