Firewall Wizards mailing list archives
Re: firewall-wizards Digest, Vol 50, Issue 5
From: Bernie <zenbernie () gmail com>
Date: Mon, 21 Jun 2010 14:52:54 -0500
Personally I'd use wireshark Daniel. The ability to create file sets would allow for a full 24 hrs of capture. The book just out on Wireshark by Laura Chappell is a great resource. On 6/21/10, firewall-wizards-request () listserv icsalabs com <firewall-wizards-request () listserv icsalabs com> wrote:
Send firewall-wizards mailing list submissions to firewall-wizards () listserv icsalabs com To subscribe or unsubscribe via the World Wide Web, visit https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards or, via email, send a message with subject or body 'help' to firewall-wizards-request () listserv icsalabs com You can reach the person managing the list at firewall-wizards-owner () listserv icsalabs com When replying, please edit your Subject line so it is more specific than "Re: Contents of firewall-wizards digest..." Today's Topics: 1. Taking a traffic snapshot with network IDS (Yack, Daniel) ---------------------------------------------------------------------- Message: 1 Date: Fri, 18 Jun 2010 06:58:55 -0700 From: "Yack, Daniel" <dyack () aiminspections com> Subject: [fw-wiz] Taking a traffic snapshot with network IDS To: <firewall-wizards () listserv icsalabs com> Message-ID: <409693ACD01C2146B96FFAA11F906E3A02A64593@EXBE02.itsgrp.local> Content-Type: text/plain; charset="us-ascii" There are probably one thousand ways to do this, but I wanted to toss this out... For simplicity, let's just say I'm watching traffic from an internet router to my core router(s). That's the only segment I'm interested in. The goal is for me to discover out all 'normal' traffic in my environment, and take a snapshot of that. By snapshot, I mean gather traffic for 24 hours. Then review all of it manually, and create a template that says "alert when you find something that isn't in this list". I realize this is a pretty simple problem - but getting back to basics is always a good thing. I do have some linux experience, but am not a 'power user'. Any ideas on tools or what to use for this? An IDS/IPS is probably the answer here, right? If so, which kind...perhaps snort? I consider myself a firewall guy but am ashamed I've never used it!! Oh...as far as hardware available: Doing this is in a lab first, which has: Cisco for the internet router, going through Fortigate and/or Checkpoint firewalls, into a Cisco core layer 3 switch. Also I have a few linux platforms but they're tasked for other things over there. Don't over-analyze the network topology, I can always move or make more than one IDS if needed. Any ideas? Perhaps someone has done this before? -Dan -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://listserv.icsalabs.com/pipermail/firewall-wizards/attachments/20100618/d7e7d68d/attachment-0001.html> ------------------------------ _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards End of firewall-wizards Digest, Vol 50, Issue 5 ***********************************************
-- A national political campaign is better than the best circus ever heard of, with a mass baptism and a couple of hangings thrown in. -H.L. Mencken _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: firewall-wizards Digest, Vol 50, Issue 5 Bernie (Jun 21)