Firewall Wizards mailing list archives

Re: firewall-wizards Digest, Vol 50, Issue 5


From: Bernie <zenbernie () gmail com>
Date: Mon, 21 Jun 2010 14:52:54 -0500

Personally, I'd use Wireshark, Daniel. The ability to create file sets
would allow for a full 24 hrs of capture. The book just out on
Wireshark by Laura Chappell is a great resource.

On 6/21/10, firewall-wizards-request () listserv icsalabs com
<firewall-wizards-request () listserv icsalabs com> wrote:
Send firewall-wizards mailing list submissions to
      firewall-wizards () listserv icsalabs com

To subscribe or unsubscribe via the World Wide Web, visit
      https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
      firewall-wizards-request () listserv icsalabs com

You can reach the person managing the list at
      firewall-wizards-owner () listserv icsalabs com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

   1. Taking a traffic snapshot with network IDS (Yack, Daniel)


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Jun 2010 06:58:55 -0700
From: "Yack, Daniel" <dyack () aiminspections com>
Subject: [fw-wiz] Taking a traffic snapshot with network IDS
To: <firewall-wizards () listserv icsalabs com>
Message-ID:
      <409693ACD01C2146B96FFAA11F906E3A02A64593@EXBE02.itsgrp.local>
Content-Type: text/plain; charset="us-ascii"

There are probably one thousand ways to do this, but I wanted to toss
this out...

For simplicity, let's just say I'm watching traffic from an internet
router to my core router(s).  That's the only segment I'm interested in.
The goal is for me to discover all 'normal' traffic in my
environment, and take a snapshot of that.  By snapshot, I mean gather
traffic for 24 hours.  Then review all of it manually, and create a
template that says "alert when you find something that isn't in this
list".

I realize this is a pretty simple problem - but getting back to basics
is always a good thing.  I do have some linux experience, but am not a
'power user'.  Any ideas on tools or what to use for this?  An IDS/IPS
is probably the answer here, right?  If so, which kind...perhaps snort?
I consider myself a firewall guy but am ashamed I've never used it!!

Oh...as far as hardware available:  Doing this in a lab first, which
has:  Cisco for the internet router, going through Fortigate and/or
Checkpoint firewalls, into a Cisco core layer 3 switch.  Also I have a
few linux platforms but they're tasked for other things over there.
Don't over-analyze the network topology, I can always move or make more
than one IDS if needed.

Any ideas?  Perhaps someone has done this before?

-Dan


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 50, Issue 5
***********************************************



-- 
A national political campaign is better than the best circus ever
heard of, with a mass baptism and a couple of hangings thrown in.
-H.L. Mencken
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
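The review-then-whitelist step Daniel describes (capture a window of traffic, decide what is "normal", alert on anything not in that list) is the part no capture tool does for you. The script below is an added example, not code from the thread or from Wireshark; it assumes the capture has already been exported to one row per packet with tshark's field exporter (`tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport`), that the inside of the monitored segment is 10.1.1.0/24, and that the sample rows are constructed. How a flow is collapsed into a whitelist key is a design choice made here, not something the thread prescribes.

```python
"""Baseline-then-alert over flow records exported from a packet capture.

Added example (not from the list thread): builds an allow-list of the
flows seen during the capture window and reports anything outside it.
"""
import csv
import io
import ipaddress
from collections import Counter

# Assumed: the lab's inside address space; everything else is "the Internet".
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]

# Constructed sample rows in the column order produced by
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
# One row per packet; a real 24 h export runs to millions of rows.
BASELINE_CSV = """\
10.1.1.20,93.184.216.34,6,443,
10.1.1.21,93.184.216.34,6,443,
10.1.1.20,198.51.100.53,17,,53
203.0.113.7,10.1.1.5,6,25,
10.1.1.5,198.51.100.9,6,25,
10.1.1.22,198.51.100.53,17,,53
10.1.1.20,93.184.216.34,1,,
"""

# Constructed "day two" traffic: two known flows, two never seen before.
NEW_CSV = """\
10.1.1.23,93.184.216.34,6,443,
10.1.1.20,192.0.2.66,6,4444,
198.51.100.77,10.1.1.5,6,3389,
10.1.1.22,198.51.100.53,17,,53
"""


def parse_flows(text):
    """Yield (src, dst, proto, dport) tuples from the tshark export.

    dport is None when neither tcp.dstport nor udp.dstport is populated
    (ICMP, fragments). Rows without IP addresses (ARP etc.) are skipped.
    """
    for src, dst, proto, tcp_dport, udp_dport in csv.reader(io.StringIO(text)):
        if not src or not dst:
            continue
        dport = tcp_dport or udp_dport
        yield src, dst, int(proto), int(dport) if dport else None


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def flow_key(src, dst, proto, dport):
    """Collapse one packet to the tuple that goes on the allow-list.

    Outbound: (out, proto, dport) - destination hosts vary too much to
    list; the service port is what characterises 'normal'.
    Inbound:  (in, proto, dst host, dport) - a new listener on a
    published server, or traffic to a host that never served anything,
    is exactly what should alert.
    Source ports are ephemeral and dropped. Rows with both ends inside
    or both ends outside do not belong on this segment and are skipped.
    """
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return ("out", proto, dport)
    if dst_in and not src_in:
        return ("in", proto, dst, dport)
    return None


def build_baseline(text):
    """Count packets per key over the window. The keys are the allow-list;
    the counts are what a human reviews before blessing them as 'normal'."""
    baseline = Counter()
    for src, dst, proto, dport in parse_flows(text):
        key = flow_key(src, dst, proto, dport)
        if key is not None:
            baseline[key] += 1
    return baseline


def find_anomalies(baseline, text):
    """Keys present in new traffic but absent from the baseline, with the
    number of packets each produced."""
    seen = build_baseline(text)
    return {key: n for key, n in seen.items() if key not in baseline}


if __name__ == "__main__":
    base = build_baseline(BASELINE_CSV)
    print("baseline (key -> packets):")
    for key, n in sorted(base.items(), key=str):
        print(f"  {key} -> {n}")
    print("alerts:")
    for key, n in find_anomalies(base, NEW_CSV).items():
        print(f"  ALERT not in baseline: {key} ({n} packets)")
```

Two caveats before trusting the output. A single 24-hour window misses anything that runs weekly or monthly (backups, patch cycles), so expect a burst of false alerts the first time those fire and fold them into the baseline deliberately rather than automatically. And the baseline is only as clean as the segment was during the capture: whatever was already talking out of the lab at the time becomes "normal", which is why the manual review step Daniel plans, with the per-key packet counts in front of you, is not optional.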