From: Mike Klingler (whitehatguru@gmail.com)
Date: Wed Aug 30 2006 - 09:30:00 EDT
I agree that capturing packet data can be truly useful in determining what
is occuring on a network. However, most of the data that a full time packet
data capture would be useless. I would suggest that you implement a system
which would allow you to easily specify which packets that you want to
capture the data from and allow access to observe the content. That would
forgo the SAN requirement and still allow you to get the access to the
datathat you need.
The one disadvantage to not having a constantly running packet data capture
would be the inability to review the packet content of packets that you
weren't expecting. That is probaly where the juciest data is. That being
said a system could be put together whereby only packet data not on a
whitelist is captured. That would allow you to systematically eliminate
known chatty services or servers that produce a ton of useless data (IPsec,
DNS, NTP for example) that would limit the ammount of data while still
preserving the unexpected data content.
-- Michael Klingler, CISSP SecurityMetrics Penetration Tester ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:52 EDT