Snort mailing list archives

Re: What tool? Fastest way to generate port info to build acl protection?


From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 18 Nov 2005 21:03:07 -0500

Wayne Turnquist wrote:

Is there an app (prefer a Windows app if there is one) that can be run in sniffer mode on my hubs that could generate all ports being used, port-ip, port-dest-ip, etc., where I could then quickly come up with our business model traffic pattern to create a baseline ACL security?

Hi Wayne,

You'll need to do some hands-on analysis to generate your ACLs.

It doesn't run on Windows, but Argus [0] can generate the session data
you need.

I call the type of analysis you need to perform a "Traffic Threat
Assessment" (TTA).  I usually do that sort of work to find malicious
insiders (or malware), but the same principles apply when identifying
legitimate traffic for creating ACLs.  I outline TTA in my latest
book, Extrusion Detection: Security Monitoring for Internal
Intrusions.  [1]

You may also find my Structured Traffic Analysis (STA) methodology
outlined in the October 2005 (IN)SECURE magazine to be helpful. [2]

Both the book and article explain how to use Argus in the manner you may need.

Sincerely,

Richard

[0] http://www.qosient.com/argus/
[1] http://www.awprofessional.com/title/0321349962
[2] http://www.insecuremag.com
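The hands-on step Richard describes, turning session records into a first-cut ACL baseline, as an added example that is not part of the original thread and is not Argus' own code. The input layout (start time, proto, src addr:port, dst addr:port, packets, bytes) is a constructed, simplified flow format modelled loosely on what a session tool like Argus' `ra` emits; it is an assumption, not Argus' exact column set, and the sample records are constructed, not captured traffic. The "permit/review" split and the pseudo-ACL text are also this example's own choices.

```python
"""Summarize session (flow) records into candidate ACL baseline rules.

Added example; not code from the thread or from the Argus project. Record
layout is an assumed, simplified one:
    <start> <proto> <srcaddr>:<sport> -> <dstaddr>:<dport> <pkts> <bytes>
"""
from dataclasses import dataclass, field

# Constructed sample records (not real traffic). 10.1.1.0/24 = clients,
# 10.1.2.0/24 = internal servers, 203.0.113.9 = an external host.
SAMPLE_FLOWS = """\
08:00:01 tcp 10.1.1.20:51234 -> 10.1.2.5:445 42 18000
08:00:03 tcp 10.1.1.21:51240 -> 10.1.2.5:445 40 17200
08:00:05 tcp 10.1.1.20:51250 -> 10.1.2.10:80 12 5400
08:00:07 udp 10.1.1.20:52000 -> 10.1.2.2:53 2 180
08:00:08 udp 10.1.1.21:52001 -> 10.1.2.2:53 2 176
08:00:09 udp 10.1.1.22:52002 -> 10.1.2.2:53 2 181
08:00:11 tcp 10.1.1.22:51260 -> 10.1.2.10:80 14 6100
08:00:15 tcp 10.1.1.23:51300 -> 10.1.2.5:3389 600 250000
08:00:20 tcp 10.1.1.20:51310 -> 203.0.113.9:6667 30 2100
"""


@dataclass
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int
    nbytes: int


@dataclass
class Service:
    """One (proto, destination port) pair and who was seen using it."""
    proto: str
    dport: int
    servers: set = field(default_factory=set)
    clients: set = field(default_factory=set)
    flows: int = 0
    nbytes: int = 0


def parse_flows(text):
    """Parse the assumed record layout; reject malformed lines loudly so a
    bad export does not silently shrink the baseline."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 7 or parts[3] != "->":
            raise ValueError(f"line {lineno}: unexpected record layout: {line!r}")
        _, proto, src, _, dst, pkts, nbytes = parts
        shost, sport = src.rsplit(":", 1)
        dhost, dport = dst.rsplit(":", 1)
        flows.append(Flow(proto.lower(), shost, int(sport),
                          dhost, int(dport), int(pkts), int(nbytes)))
    return flows


def summarize(flows):
    """Group flows by (proto, dport): which servers offer it, which clients use it."""
    services = {}
    for f in flows:
        svc = services.setdefault((f.proto, f.dport), Service(f.proto, f.dport))
        svc.servers.add(f.dst)
        svc.clients.add(f.src)
        svc.flows += 1
        svc.nbytes += f.nbytes
    return services


def baseline_rules(services, min_clients=2):
    """Split services into candidate permits and a review list.

    A service used by at least min_clients distinct clients looks like a
    business pattern; anything rarer (one host talking to one port) is left
    for a human to confirm rather than written straight into the ACL."""
    permit, review = [], []
    for svc in sorted(services.values(), key=lambda s: (s.proto, s.dport)):
        (permit if len(svc.clients) >= min_clients else review).append(svc)
    return permit, review


def render(services, action="permit"):
    """Pseudo-ACL lines (translate to the device's own syntax before use)."""
    lines = []
    for svc in services:
        for server in sorted(svc.servers):
            clients = ",".join(sorted(svc.clients))
            lines.append(f"{action} {svc.proto} {clients} -> {server} eq {svc.dport}"
                         f"  # {svc.flows} flows, {svc.nbytes} bytes")
    return lines


if __name__ == "__main__":
    permit, review = baseline_rules(summarize(parse_flows(SAMPLE_FLOWS)))
    print("\n".join(render(permit)))
    print("# needs review before being permitted or denied:")
    print("\n".join(render(review, action="review")))
```

Run against a real export, the review list is where the interesting findings sit: in the constructed sample it holds the single RDP session and the one client reaching an external host on 6667, exactly the kind of traffic the TTA work in the reply is meant to surface before an ACL quietly whitelists it.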


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
