Re: Packet Payload

From: xelerated (xelerated@gmail.com)
Date: Tue Aug 29 2006 - 15:23:07 EDT


That could work in some situations, but the problem is putting it in
the right spot to catch the traffic. It's a multi-layer firewall
network, but there are IDSs; I know they can log the payloads, so
depending on which segment I want, I pick that IDS to watch.

On 8/29/06, Clemens, Dan <Dan.Clemens@healthsouth.com> wrote:
> What about straight up tcpdump?
> BTW, you won't fall into any legal mumbo jumbo performing analysis on
> traffic.
>
> -Daniel Clemens
>
>
> -----Original Message-----
> From: Hirsch, Adam [mailto:Adam.Hirsch@dresdnerkleinwort.com]
> Sent: Tuesday, August 29, 2006 12:53 PM
> To: xelerated
> Cc: pen-test@securityfocus.com
> Subject: RE: Packet Payload
>
>
> Oops, I gave the wrong name of the vendor that sells those traffic
> anomaly products (with Layer 7 inspection). The correct company is Mazu
> Networks, not Reconnex.
>
> Adam
>
>
> On 8/29/06, Hirsch, Adam <Adam.Hirsch@dresdnerkleinwort.com> wrote:
> > What you seem to be looking for already exists: a traffic anomaly
> > analyzer that is able to inspect traffic up to Layer 7. Check out a
> > product called Reconnex. This may do what you are looking for.
> >
> > You may run in to confidentiality and privacy issues if you start
> > capturing actual packet payloads. You may want to talk to your legal
> > and HR departments before doing this.
> >
> > -Adam
> >
> >
> >
> > -----Original Message-----
> > From: xelerated [mailto:xelerated@gmail.com]
> > Sent: Tuesday, August 29, 2006 9:32 AM
> > To: pen-test@securityfocus.com
> > Subject: Packet Payload
> >
> > I'm posting this to the pen-test group, rather than firewall or IDS,
> > because it covers many areas.
> >
> > I'd like to see what the pros think about capturing and storing packet
> > payloads from firewalls, IDS, etc... everything, rather than just
> > logging the incidents.
> >
> > I'm trying to explain to my management how useful the payloads could be
> > if we were ever to really need them, say from a forensics point of
> > view.
> > To give another example, one time I was seeing lots of firewall drops;
> > I could tell what ports, src and dest, but no packet data. To everyone
> > involved it looked like a worm trying to spread.
> > Well, in the end it wasn't; in fact it was something that was nice to
> > know about, but it was not hostile traffic. But if I had been able to
> > see the payloads I could have seen the data request and known from the
> > start what it was, or was not.
> >
> > What would be really great is a whitepaper covering this, or enough
> > info/facts that I could throw one together.
> >
> > thanks!
> > Chris
> >
> > C|EH, CISSP
> >
> > ------------------------------------------------------------------------
> > This List Sponsored by: Cenzic
> >
> > Need to secure your web apps?
> > Cenzic Hailstorm finds vulnerabilities fast.
> > Click the link to buy it, try it or download Hailstorm for FREE.
> > http://www.cenzic.com/products_services/download_hailstorm.php
> > ------------------------------------------------------------------------
> >
> >
> > If you have received this e-mail in error or wish to read our e-mail
> > disclaimer statement and monitoring policy, please refer to
> > http://www.dresdnerkleinwort.com/disc/email/ or contact the sender.
> >
> >
>
>
>
>
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail communication and any
> attachments may contain confidential and privileged information for
> the use of the designated recipients named above. If you are not
> the intended recipient, you are hereby notified that you have
> received this communication in error and that any review,
> disclosure, dissemination, distribution or copying of it or its
> contents is prohibited. If you have received this communication in
> error, please notify me immediately by replying to this message and
> deleting it from your computer. Thank you.
>
>
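Dan's tcpdump suggestion and Chris's firewall-drop story point at the same gap: a header-only log shows src, dst and ports, while a full capture shows the actual request. The Python below is an added illustration, not code from anyone in this thread. It constructs a small pcap of three hosts hitting one port (the hosts, port and HTTP path are assumed sample values) and then parses it the way a forensics script would, pulling the first payload line of every segment to that port.

```python
import socket
import struct
def tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero, fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x02" * 12 + b"\x08\x00" + ip  # constructed MACs, EtherType IPv4

def build_pcap(frames):
    """Wrap frames in a classic pcap (magic 0xA1B2C3D4, little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def payloads(pcap, dport):
    """Walk the pcap records; return (src, dst, sport, payload) for TCP segments to dport."""
    hits, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:  # TCP only
            continue
        tcp = ip[ihl:total]
        sport, dp = struct.unpack_from("!HH", tcp)
        doff = (tcp[12] >> 4) * 4
        if dp == dport:
            hits.append((socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, tcp[doff:]))
    return hits

def first_lines(pcap, dport):
    """The part a header-only firewall log cannot show: the first payload line of each segment."""
    return [(s, d, p.split(b"\r\n", 1)[0].decode("ascii", "replace"))
            for s, d, _, p in payloads(pcap, dport)]
# Constructed sample: three hosts all hitting 10.0.0.9:8080, which in a drop log alone looks like a worm.
SAMPLE_PCAP = build_pcap([
    (1156858320 + i, tcp_frame(f"10.1.2.{10 + i}", "10.0.0.9", 40000 + i, 8080,
                               b"GET /inventory/sync?host=%d HTTP/1.1\r\nHost: 10.0.0.9\r\n\r\n" % (10 + i)))
    for i in range(3)])

if __name__ == "__main__":
    for src, dst, line in first_lines(SAMPLE_PCAP, 8080):
        print(f"{src} -> {dst}: {line}")
```

With a real ring-buffer capture in place of SAMPLE_PCAP, the same parser answers the question Chris could not: what the "worm" was actually asking for.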




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:52 EDT