Re: Packet Payload

From: griffkc@gmail.com
Date: Thu Aug 31 2006 - 05:02:28 EDT

• Next message: Jason L. Ellison: "Re[2]: locate windows workstation if you know the username"
• Previous message: jackal_pf0@lycos.com: "Core Impact Vs Manual Pen Test"
• In reply to: Robert D. Holtz - Lists: "RE: Packet Payload"
• Next in thread: Ariel Waissbein: "Re: Packet Payload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've actually put a pilot like this together. My thoghts - don't bother. What ever you gain from the very few times you will actually need it will be completely overshadowed by the amount of care and feeding it will take to keep it going. You're going to need a heck of a lot more than 1TB of storage for one month. I ran on a gig segment at 30 percent saturation. I filled a TB every other day. And let's not forget it's not just about storage, but retrieval and analysis also.
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: "Robert D. Holtz - Lists" <robert.d.holtz@gmail.com>
Date: Wed, 30 Aug 2006 10:35:35
To:"'Security'" <security@hudakville.com>
Cc:<pen-test@securityfocus.com>
Subject: RE: Packet Payload

If a person is dead set on capturing all of the data going in and out of a
given network you could put together a system for this relatively cheaply.

One could have an AMD Athlon system, 1TB of drive space, a couple of GB of
RAM, and running a *nix variant for around $1,000.00USD or so. This system
could keep up with fair amount of traffic pretty easily (< OC3) and has
enough storage for months of traffic.

-----Original Message-----
From: Security [mailto:security@hudakville.com]
Sent: Wednesday, August 30, 2006 9:34 AM
Cc: pen-test@securityfocus.com
Subject: Re: Packet Payload

Like all the other posters have stated, its a good resource to have
forensically if you have the disk space. I few years ago I set up a
Shadow IDS (http://www.nswc.navy.mil/ISSEC/CID/) and tcpdump on my
external network to capture traffic. I used some creative filtering and
custom scripts and was able to keep about two months of full traffic
captures to around 40 GB compressed. This was on 2 T-3 (not fully
utilized of course).

In my filtering, I believe I captured full packets of everything except
HTTP/HTTPS/SMTP traffic. For that, I just captured the SYN and SYN/ACK
packet. This cuts down on what you want to do, but saves alot of space.

Tyler

xelerated wrote:
> Im posrting this to the pen-test group, rather than firewall or IDS
> because it covers many areas.
>
> ...

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------

• Next message: Jason L. Ellison: "Re[2]: locate windows workstation if you know the username"
• Previous message: jackal_pf0@lycos.com: "Core Impact Vs Manual Pen Test"
• In reply to: Robert D. Holtz - Lists: "RE: Packet Payload"
• Next in thread: Ariel Waissbein: "Re: Packet Payload"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:52 EDT