Firewall Wizards mailing list archives

Re: Websense protocol Version 4?


From: Kevin <kkadow () gmail com>
Date: Wed, 9 Mar 2005 21:57:29 -0600

On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson () comcast net> wrote:
> Kevin Kadow wrote:
> > I see from PIX and Websense documentation that the recommended
> > configuration for URL filtering is to use the following PIX command:
> >  url-server host <IP-NUMBER> protocol UDP version 4
> >
> > Websense and PIX can also be configured to use a TCP protocol.
> >
> > Are either of these protocols documented anywhere?
> > I searched both Cisco and Websense, but did not see specifications for the
> > communication protocol between the PIX and the filter engine.
> >
> > Information on the Websense site shows that V4.x uses port 15868 for the
> > "Filtering service", and 15871 for blocking messages, but does not document
> > the protocol itself.
>
> The WebSense protocols are proprietary, and not publicly available (at least
> that I've seen).  There also appear to be differences between the WebSense
> protocol used for PIX firewalls and the one used for Check Point firewalls
> (UFP).
>
> Port 15868 listens for the actual url-filter requests from the firewall and
> issues a response code based on matching.  Port 15871 is something like an
> HTTP server and issues an alert that is inserted in-stream to the browser,
> letting the user know that WebSense has blocked the URL they've requested.
>
> PaulM

Thanks.

We're making some progress on unpacking the Websense protocol
on TCP/15686 from examination of sniffer traces.  Much of the contents
of a TCP request is obvious (the URL, the client IP as four binary bytes, etc.),
but there are also several binary bytes which are static across requests and
some fixed-length blocks of binary which change (checksum?), the purpose of
all of which is not immediately obvious.  No signs of encryption.

Once I get my new test PIX I'll try the UDP protocol and see if it is perhaps
easier to interpret; right now I'm limited to sniffing real traffic.

If nothing else, it'd be interesting to have an Ethereal plugin for Websense :)


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
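
The trace comparison described in the message above, as an added example that is not part of the original post: it lines up several captured requests, locates the client IP and URL, and reports which header offsets are static and which change without explanation. The sample requests, their layout and the `req_id` field are constructed for illustration and are not the Websense format.

```python
import ipaddress
import struct

def make_sample(req_id, client_ip, url):
    """Build a CONSTRUCTED request; this layout is invented, not Websense's."""
    body = url.encode("ascii")
    return (b"\x00\x01\x00\x04"                        # bytes static across requests
            + struct.pack(">I", req_id)                 # fixed-length block that changes
            + ipaddress.IPv4Address(client_ip).packed   # client IP as four binary bytes
            + struct.pack(">H", len(body)) + body)      # length, then the URL

def runs(offsets):
    """Collapse sorted offsets into inclusive (start, end) ranges."""
    out = []
    for o in offsets:
        if out and o == out[-1][1] + 1:
            out[-1] = (out[-1][0], o)
        else:
            out.append((o, o))
    return out

def classify(payloads, known):
    """known holds the (client_ip, url) seen for each payload in the trace."""
    ip_offs = {p.find(ipaddress.IPv4Address(ip).packed) for p, (ip, _) in zip(payloads, known)}
    url_offs = {p.find(url.encode("ascii")) for p, (_, url) in zip(payloads, known)}
    if -1 in ip_offs | url_offs:
        raise ValueError("a known IP or URL was not found in its payload")
    header_len = min(url_offs)            # URLs vary in length, so stop where they start
    explained = {i for off in ip_offs for i in range(off, off + 4)}
    static, unexplained = [], []
    for i in range(header_len):
        if len({p[i] for p in payloads}) == 1:
            static.append(i)
        elif i not in explained:
            unexplained.append(i)         # changes per request, purpose still unknown
    return {"ip_offsets": sorted(ip_offs), "url_offsets": sorted(url_offs),
            "static": runs(static), "unexplained": runs(unexplained)}

# Constructed sample data (documentation addresses and example domains).
KNOWN = [("192.0.2.10", "http://example.com/"),
         ("192.0.2.77", "http://example.org/a/b"),
         ("198.51.100.5", "http://example.net/index.html")]
REQ_IDS = [0x1A2B3C4D, 0x5E6F7081, 0x92A3B4C5]
SAMPLES = [make_sample(r, ip, url) for r, (ip, url) in zip(REQ_IDS, KNOWN)]

if __name__ == "__main__":
    for name, value in classify(SAMPLES, KNOWN).items():
        print(f"{name}: {value}")
```

The more requests compared, the less likely a byte is reported static by coincidence; a single-byte unexplained range directly before the URL is a candidate length field.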

