Penetration Testing mailing list archives
Re: Packet Payload
From: griffkc () gmail com
Date: Thu, 31 Aug 2006 09:02:28 +0000
I've actually put a pilot like this together. My thoughts - don't bother. Whatever you gain from the very few times you will actually need it will be completely overshadowed by the amount of care and feeding it will take to keep it going. You're going to need a heck of a lot more than 1TB of storage for one month. I ran on a gig segment at 30 percent saturation. I filled a TB every other day. And let's not forget it's not just about storage, but retrieval and analysis also.

Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Robert D. Holtz - Lists" <robert.d.holtz () gmail com>
Date: Wed, 30 Aug 2006 10:35:35
To: "'Security'" <security () hudakville com>
Cc: <pen-test () securityfocus com>
Subject: RE: Packet Payload

If a person is dead set on capturing all of the data going in and out of a given network you could put together a system for this relatively cheaply. One could have an AMD Athlon system, 1TB of drive space, a couple of GB of RAM, and running a *nix variant for around $1,000.00USD or so. This system could keep up with a fair amount of traffic pretty easily (< OC3) and has enough storage for months of traffic.

-----Original Message-----
From: Security [mailto:security () hudakville com]
Sent: Wednesday, August 30, 2006 9:34 AM
Cc: pen-test () securityfocus com
Subject: Re: Packet Payload

Like all the other posters have stated, it's a good resource to have forensically if you have the disk space. A few years ago I set up a Shadow IDS (http://www.nswc.navy.mil/ISSEC/CID/) and tcpdump on my external network to capture traffic. I used some creative filtering and custom scripts and was able to keep about two months of full traffic captures to around 40 GB compressed. This was on 2 T-3 (not fully utilized of course). In my filtering, I believe I captured full packets of everything except HTTP/HTTPS/SMTP traffic. For that, I just captured the SYN and SYN/ACK packet. This cuts down on what you want to do, but saves a lot of space.

Tyler xelerated wrote:
I'm posting this to the pen-test group, rather than firewall or IDS because it covers many areas. ...
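The selective-capture policy described in the quoted message (full packets for everything except HTTP/HTTPS/SMTP, and only the SYN and SYN/ACK for those) together with the disk-sizing question the whole thread turns on, as an added Python example. This is not code from any poster on the list. It assumes the standard service ports 80, 443 and 25 for those three protocols, constructs its own small set of packet records, and computes the raw wire-rate storage bound for a link; the tcpdump filter it emits uses only standard pcap-filter syntax.

```python
"""Selective full-packet-capture policy and capacity estimate.

Added example for the pen-test thread on packet payload capture; it is not
code from any list poster. Port numbers, sample packets and link figures
below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumption: the usual service ports for HTTP, HTTPS and SMTP.
PAYLOAD_DROPPED_PORTS = (80, 443, 25)

TCP_SYN = 0x02
TCP_ACK = 0x10
TCP_PSH = 0x08
TCP_FIN = 0x01


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    sport: int
    dport: int
    flags: int   # TCP flag bits (0 for non-TCP)
    length: int  # bytes on the wire


def keep_packet(pkt: Packet) -> bool:
    """True if the packet is written to disk under the policy.

    Non-TCP traffic and TCP traffic on any other port is kept in full.
    For HTTP/HTTPS/SMTP only the handshake SYN and SYN/ACK are kept:
    SYN must be set and no flag other than ACK may accompany it.
    """
    if pkt.proto != "tcp":
        return True
    if pkt.sport not in PAYLOAD_DROPPED_PORTS and pkt.dport not in PAYLOAD_DROPPED_PORTS:
        return True
    syn_set = pkt.flags & TCP_SYN != 0
    only_syn_ack = pkt.flags & ~(TCP_SYN | TCP_ACK) == 0
    return syn_set and only_syn_ack


def bpf_filter(ports=PAYLOAD_DROPPED_PORTS) -> str:
    """Equivalent tcpdump capture filter (standard pcap-filter syntax).

    'tcp port N' matches either direction; 'tcp[tcpflags] & tcp-syn != 0'
    keeps the SYN and SYN/ACK for the listed ports only.
    """
    port_expr = " or ".join(f"tcp port {p}" for p in ports)
    return f"not ({port_expr}) or (tcp[tcpflags] & tcp-syn != 0)"


def bytes_per_day(link_bps: float, utilisation: float) -> float:
    """Raw wire bytes per day at a given link rate and average utilisation.

    This is the unfiltered upper bound before pcap headers or any
    selective-capture savings; use it to sanity-check disk budgets.
    """
    return link_bps * utilisation / 8 * 86400


# Constructed sample traffic: one HTTP exchange, a DNS query, an SSH data
# segment, an SMTP SYN/ACK and an HTTPS teardown segment.
SAMPLE_PACKETS = [
    Packet("tcp", 51000, 80, TCP_SYN, 74),              # HTTP SYN: kept
    Packet("tcp", 80, 51000, TCP_SYN | TCP_ACK, 74),    # HTTP SYN/ACK: kept
    Packet("tcp", 51000, 80, TCP_PSH | TCP_ACK, 1500),  # HTTP request: dropped
    Packet("tcp", 80, 51000, TCP_ACK, 1500),            # HTTP response: dropped
    Packet("udp", 53, 40000, 0, 120),                   # DNS reply: kept
    Packet("tcp", 52000, 22, TCP_PSH | TCP_ACK, 200),   # SSH data: kept
    Packet("tcp", 25, 53000, TCP_SYN | TCP_ACK, 74),    # SMTP SYN/ACK: kept
    Packet("tcp", 53000, 443, TCP_FIN | TCP_ACK, 66),   # HTTPS FIN/ACK: dropped
]


def summarize(packets=SAMPLE_PACKETS) -> tuple:
    """Return (bytes retained, bytes seen) for a packet list."""
    kept = sum(p.length for p in packets if keep_packet(p))
    total = sum(p.length for p in packets)
    return kept, total


if __name__ == "__main__":
    kept, total = summarize()
    print(f"retained {kept} of {total} bytes ({100 * kept / total:.0f}%)")
    print("tcpdump -i eth0 -s 0 -w full.pcap", repr(bpf_filter()))
    # Example sizing: a gigabit segment at 30% average utilisation.
    print(f"{bytes_per_day(1e9, 0.3) / 1e12:.2f} TB/day raw wire bound")
```

The filter string is what you would pass to tcpdump after `-w`; `-s 0` avoids truncating the packets that are kept in full. The `bytes_per_day` figure is deliberately pessimistic: it ignores the savings from the port filter and the compression the quoted message relies on, so it marks the ceiling a capture box must be sized against.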