Snort mailing list archives
Re: What tool? Fastest way to generate port info to build acl protection?
From: Richard Bejtlich <taosecurity () gmail com>
Date: Fri, 18 Nov 2005 21:03:07 -0500
Wayne Turnquist wrote:
Is there an app (prefer Windows app if there is one) that can be run in sniffer mode on my hubs that could generate all ports being used, port-ip, port-dest-ip, etc., where I could then quickly come up with our business model traffic pattern to create a baseline ACL security?
Hi Wayne,

You'll need to do some hands-on analysis to generate your ACLs. It doesn't run on Windows, but Argus [0] can generate the session data you need.

I call the type of analysis you need to perform a "Traffic Threat Assessment" (TTA). I usually do that sort of work to find malicious insiders (or malware), but the same principles apply when identifying legitimate traffic for creating ACLs. I outline TTA in my latest book, Extrusion Detection: Security Monitoring for Internal Intrusions. [1] You may also find my Structured Traffic Analysis (STA) methodology outlined in the October 2005 (IN)SECURE magazine to be helpful. [2] Both the book and article explain how to use Argus in the manner you may need.

Sincerely,
Richard

[0] http://www.qosient.com/argus/
[1] http://www.awprofessional.com/title/0321349962
[2] http://www.insecuremag.com
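One way to turn session data into a baseline, as an added example that is not part of the thread and not Argus code: the script below parses constructed session records (proto, source, source port, destination, destination port, the fields one would export from a tool such as Argus), groups them by service, and splits them into candidate ACL permits versus flows an analyst should review first. The record format, the `INTERNAL` network and the `min_sources` threshold are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample session records, NOT real Argus output. One flow per line:
# proto src_ip src_port dst_ip dst_port
SAMPLE_SESSIONS = """\
tcp 10.1.1.10 49152 10.1.2.5 445
tcp 10.1.1.11 49153 10.1.2.5 445
tcp 10.1.1.12 49160 10.1.2.5 445
tcp 10.1.1.10 49170 10.1.2.20 1433
tcp 10.1.1.11 49171 10.1.2.20 1433
udp 10.1.1.10 53001 10.1.2.2 53
udp 10.1.1.11 53002 10.1.2.2 53
tcp 10.1.1.12 49180 203.0.113.9 6667
"""

INTERNAL = ip_network("10.1.0.0/16")  # assumed internal address space


def parse_sessions(text):
    """Turn whitespace-separated session lines into (proto, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, _sport, dst, dport = line.split()
        flows.append((proto, ip_address(src), ip_address(dst), int(dport)))
    return flows


def build_baseline(flows, min_sources=2):
    """Group flows by (proto, server, port) and count distinct client hosts.

    An internal service reached by at least min_sources distinct clients is a
    candidate ACL permit. Everything else (a lone client, or an external
    destination) goes to the review list: that is the traffic a TTA examines
    by hand before it is either permitted or blocked.
    """
    clients = defaultdict(set)
    for proto, src, dst, dport in flows:
        clients[(proto, dst, dport)].add(src)
    permits, review = [], []
    for (proto, dst, dport), srcs in sorted(clients.items(), key=lambda kv: (str(kv[0][1]), kv[0][2])):
        entry = {"proto": proto, "dst": str(dst), "dport": dport, "clients": len(srcs)}
        (permits if len(srcs) >= min_sources and dst in INTERNAL else review).append(entry)
    return permits, review


def render_acl(permits):
    """Render candidate permits as generic 'permit proto net host dst eq port' lines."""
    return [f"permit {p['proto']} {INTERNAL} host {p['dst']} eq {p['dport']}" for p in permits]
```

Run against a real export, the review list is where the analysis time goes; the permit list is only a starting point until each service has been confirmed as legitimate business traffic.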