
Tuesday, June 22, 2010

firewall-wizards Digest, Vol 50, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Taking a traffic snapshot with network IDS (Farrukh Haroon)
2. Re: Taking a traffic snapshot with network IDS (Marcus J. Ranum)
3. Re: firewall-wizards Digest, Vol 50, Issue 5 (Bernie)
4. Re: Taking a traffic snapshot with network IDS (vern@ee.lbl.gov)


----------------------------------------------------------------------

Message: 1
Date: Mon, 21 Jun 2010 16:51:39 +0300
From: Farrukh Haroon <farrukhharoon@gmail.com>
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<AANLkTikyqWtHqnEGEWTz42jXUQ0S1cDK11qP6Ds1FJaO@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"

Instead of capturing each packet, you would be better off going via the
Netflow Path IMHO.

There are a number of free netflow analyzers available on the Internet e.g.:

http://www.plixer.com/products/netflow-sflow/free-netflow-scrutinizer.php
http://www.solarwinds.com/products/freetools/netflow_analyzer.aspx
http://www.paessler.com/ (I think they offer one netflow sensor in the free
version)

Regards

Farrukh

On Fri, Jun 18, 2010 at 4:58 PM, Yack, Daniel <dyack@aiminspections.com> wrote:

> There are probably one thousand ways to do this, but I wanted to toss
> this out...
>
> For simplicity, let's just say I'm watching traffic from an internet router
> to my core router(s). That's the only segment I'm interested in. The goal
> is for me to discover all 'normal' traffic in my environment, and take a
> snapshot of that. By snapshot, I mean gather traffic for 24 hours. Then
> review all of it manually, and create a template that says "alert when you
> find something that isn't in this list".
>
> I realize this is a pretty simple problem - but getting back to basics is
> always a good thing. I do have some linux experience, but am not a 'power
> user'. Any ideas on tools or what to use for this? An IDS/IPS is probably
> the answer here, right? If so, which kind...perhaps snort? I consider
> myself a firewall guy but am ashamed I've never used it!!
>
> Oh...as far as hardware available: Doing this is in a lab first, which has:
> Cisco for the internet router, going through Fortigate and/or Checkpoint
> firewalls, into a Cisco core layer 3 switch. Also I have a few linux
> platforms but they're tasked for other things over there. Don't
> over-analyze the network topology, I can always move or make more than one
> IDS if needed.
>
> Any ideas? Perhaps someone has done this before?
>
> -Dan
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

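Daniel's goal (collect a day of "normal" flows, then alert on anything not in that list), worked over NetFlow-style records as Farrukh suggests. This is an added example and not code from any post in this digest; the record layout, the sample flows and the rule that collapses external peers to "ext" are all constructed assumptions.

```python
"""Learn a 24h 'normal traffic' list from NetFlow-style records, then flag
flows that are not on it (added example; all records below are constructed)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed record layout (constructed): start_time src_ip dst_ip proto dst_port bytes
BASELINE_RECORDS = """\
2010-06-18T00:01:03 10.1.1.20 93.184.216.34 tcp 80 5120
2010-06-18T00:01:09 10.1.1.20 93.184.216.34 tcp 443 9800
2010-06-18T00:02:44 10.1.1.21 10.1.1.5 udp 53 120
2010-06-18T08:15:00 10.1.1.21 93.184.216.34 tcp 443 33000
2010-06-18T12:00:00 10.1.1.5 198.51.100.7 udp 53 240
"""
# Next day's records (constructed); two of them are new relative to the baseline.
NEW_RECORDS = """\
2010-06-19T03:12:00 10.1.1.20 93.184.216.34 tcp 443 4100
2010-06-19T03:13:10 10.1.1.21 203.0.113.9 tcp 6667 900
2010-06-19T03:14:00 10.1.1.22 10.1.1.5 udp 53 110
2010-06-19T03:15:00 10.1.1.5 198.51.100.7 udp 53 230
"""
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": src, "dst": dst, "proto": proto.lower(),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL)

def flow_key(flow):
    """Internal hosts are kept; every external peer collapses to 'ext', so a
    known host reaching a new web server is not mistaken for a new service."""
    src = flow["src"] if is_internal(flow["src"]) else "ext"
    dst = flow["dst"] if is_internal(flow["dst"]) else "ext"
    return (src, dst, flow["proto"], flow["dport"])

def build_baseline(flows):
    """The 'template': every (src, dst, proto, dport) seen, with a flow count."""
    return Counter(flow_key(f) for f in flows)

def find_anomalies(baseline, flows):
    """Flows whose key never appeared in the baseline: candidates for an alert."""
    return [f for f in flows if flow_key(f) not in baseline]
```

A 24-hour sample misses weekly or monthly jobs, so the first weeks of "not in baseline" alerts need a manual review pass before the list is trusted.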
------------------------------

Message: 2
Date: Mon, 21 Jun 2010 09:38:38 -0400
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4C1F6B5E.6020300@ranum.com>
Content-Type: text/plain; charset=windows-1252; format=flowed

Yack, Daniel wrote:
> I realize this is a pretty simple problem - but getting back to basics
> is always a good thing. I do have some linux experience, but am not a
> 'power user'. Any ideas on tools or what to use for this? An IDS/IPS
> is probably the answer here, right?

I think you might want to look at things like argus, urlsniff, and
wireshark for your data-gathering, if data is what you're
after. What an IDS does is give you its notion of what it saw,
based on its rules (i.e.: the preconceptions of whoever wrote the
IDS' rule-base). If you're trying to do discovery, you want the
undigested raw data, or something closer to it.

That said, an IDS can be turned into one heck of a nice data-gathering
device if it's programmed to collect and report on events rather than
to look specifically for intrusions. I.e.: a DNS logging signature
set, URL logging signatures, DHCP logging, connectivity tracking,
usage statistics, etc. There might be some snort signature-sets out
there for logging and collection and those would be a good place to
start.

mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com

------------------------------

Message: 3
Date: Mon, 21 Jun 2010 14:52:54 -0500
From: Bernie <zenbernie@gmail.com>
Subject: Re: [fw-wiz] firewall-wizards Digest, Vol 50, Issue 5
To: firewall-wizards@listserv.icsalabs.com
Message-ID:
<AANLkTin8TnZiNmTf7m_Wx3tTcW68vRiVxjqPP-B2JSOb@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

Personally I'd use wireshark Daniel. The ability to create file sets
would allow for a full 24 hrs of capture. The book just out on
Wireshark by Laura Chappell is a great resource.

On 6/21/10, firewall-wizards-request@listserv.icsalabs.com
<firewall-wizards-request@listserv.icsalabs.com> wrote:
>
> Today's Topics:
>
> 1. Taking a traffic snapshot with network IDS (Yack, Daniel)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 18 Jun 2010 06:58:55 -0700
> From: "Yack, Daniel" <dyack@aiminspections.com>
> Subject: [fw-wiz] Taking a traffic snapshot with network IDS
> To: <firewall-wizards@listserv.icsalabs.com>
> Message-ID:
> <409693ACD01C2146B96FFAA11F906E3A02A64593@EXBE02.itsgrp.local>
> Content-Type: text/plain; charset="us-ascii"
>
> There are probably one thousand ways to do this, but I wanted to toss
> this out...
>
>
>
> For simplicity, let's just say I'm watching traffic from an internet
> router to my core router(s). That's the only segment I'm interested in.
> The goal is for me to discover all 'normal' traffic in my
> environment, and take a snapshot of that. By snapshot, I mean gather
> traffic for 24 hours. Then review all of it manually, and create a
> template that says "alert when you find something that isn't in this
> list".
>
>
>
> I realize this is a pretty simple problem - but getting back to basics
> is always a good thing. I do have some linux experience, but am not a
> 'power user'. Any ideas on tools or what to use for this? An IDS/IPS
> is probably the answer here, right? If so, which kind...perhaps snort?
> I consider myself a firewall guy but am ashamed I've never used it!!
>
>
>
> Oh...as far as hardware available: Doing this is in a lab first, which
> has: Cisco for the internet router, going through Fortigate and/or
> Checkpoint firewalls, into a Cisco core layer 3 switch. Also I have a
> few linux platforms but they're tasked for other things over there.
> Don't over-analyze the network topology, I can always move or make more
> than one IDS if needed.
>
>
>
> Any ideas? Perhaps someone has done this before?
>
>
>
> -Dan
>
> End of firewall-wizards Digest, Vol 50, Issue 5
> ***********************************************
>


--
A national political campaign is better than the best circus ever
heard of, with a mass baptism and a couple of hangings thrown in.
-H.L. Mencken


------------------------------

Message: 4
Date: Mon, 21 Jun 2010 20:02:02 -0700
From: vern@ee.lbl.gov
Subject: Re: [fw-wiz] Taking a traffic snapshot with network IDS
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <201006220302.o5M322XW024418@pork.ICSI.Berkeley.EDU>

> That said, an IDS can be turned into one heck of a nice data-gathering
> device if it's programmed to collect and report on events rather than
> to look specifically for intrusions. I.e.: a DNS logging signature
> set, URL logging signatures, DHCP logging, connectivity tracking,
> usage statistics, etc.

You might want to check out Bro in this regard, which IMHO excels at this
sort of information gathering/logging. www.bro-ids.org

Vern


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 50, Issue 6
***********************************************
