* examining data portion of packet
@ 2004-03-24 5:45 Sandy C
2004-03-24 7:18 ` Ray Leach
2004-03-24 11:50 ` John A. Sullivan III
0 siblings, 2 replies; 7+ messages in thread
From: Sandy C @ 2004-03-24 5:45 UTC (permalink / raw)
To: netfilter
I would like to be able to examine the
data portion of a network packet after matching it.
I figured there would be some kind of target for
this, but there isn't...or at least I couldn't find
any.
What is the best way to go about this? Should I be
thinking of writing a target extension?
Thanks!
S C
* Re: examining data portion of packet
2004-03-24 5:45 examining data portion of packet Sandy C
@ 2004-03-24 7:18 ` Ray Leach
2004-03-24 8:59 ` Frederic de Villamil
2004-03-24 11:50 ` John A. Sullivan III
1 sibling, 1 reply; 7+ messages in thread
From: Ray Leach @ 2004-03-24 7:18 UTC (permalink / raw)
To: Netfilter Mailing List
On Wed, 2004-03-24 at 07:45, Sandy C wrote:
> I would like to be able to examine the
> data portion of a network packet after matching it.
>
> I figured there would be some kind of target for
> this, but there isn't...or at least I couldn't find
> any.
>
> What is the best way to go about this? Should I be
> thinking of writing a target extension?
>
You could use something like ntop or tcpdump.
> Thanks!
> S C
>
>
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
--
* Re: examining data portion of packet
2004-03-24 7:18 ` Ray Leach
@ 2004-03-24 8:59 ` Frederic de Villamil
0 siblings, 0 replies; 7+ messages in thread
From: Frederic de Villamil @ 2004-03-24 8:59 UTC (permalink / raw)
To: Ray Leach; +Cc: Netfilter Mailing List
> On Wed, 2004-03-24 at 07:45, Sandy C wrote:
>> I would like to be able to examine the
>> data portion of a network packet after matching it.
>>
>> I figured there would be some kind of target for
>> this, but there isn't...or at least I couldn't find
>> any.
>>
>> What is the best way to go about this? Should I be
>> thinking of writing a target extension?
>>
> You could use something like ntop or tcpdump.
>
>> Thanks!
>> S C
Hi,
Maybe you should try Ethereal. It has some very powerful filtering
functions that may fit your needs.
--
Frédéric de Villamil.
President, Epitanime
Love your enemies; it isn't easy, but it will annoy the hell out of them.
neuro@seclab.jp http://www.seclab.jp
* Re: examining data portion of packet
2004-03-24 5:45 examining data portion of packet Sandy C
2004-03-24 7:18 ` Ray Leach
@ 2004-03-24 11:50 ` John A. Sullivan III
2004-03-24 17:22 ` Sandy C
1 sibling, 1 reply; 7+ messages in thread
From: John A. Sullivan III @ 2004-03-24 11:50 UTC (permalink / raw)
To: Sandy C; +Cc: netfilter
On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> I would like to be able to examine the
> data portion of a network packet after matching it.
>
> I figured there would be some kind of target for
> this, but there isn't...or at least I couldn't find
> any.
>
> What is the best way to go about this? Should I be
> thinking of writing a target extension?
<snip>
It depends on what you want to do. What do you want to do with the
information?
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: examining data portion of packet
2004-03-24 11:50 ` John A. Sullivan III
@ 2004-03-24 17:22 ` Sandy C
2004-03-24 19:57 ` John A. Sullivan III
2004-03-25 19:53 ` Michael Rash
0 siblings, 2 replies; 7+ messages in thread
From: Sandy C @ 2004-03-24 17:22 UTC (permalink / raw)
To: netfilter
I'd like to be able to examine the network data, and
if the data (not the header info) matches certain
criteria, I want to perform certain actions. It's not
clear to me what those actions might be yet.
S C
--- "John A. Sullivan III"
<john.sullivan@nexusmgmt.com> wrote:
> On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> > I would like to be able to examine the
> > data portion of a network packet after matching it.
> >
..
> > What is the best way to go about this? Should I be
> > thinking of writing a target extension?
> <snip>
> It depends on what you want to do. What do you want to do with the
> information?
> --
> John A. Sullivan III
* Re: examining data portion of packet
2004-03-24 17:22 ` Sandy C
@ 2004-03-24 19:57 ` John A. Sullivan III
2004-03-25 19:53 ` Michael Rash
1 sibling, 0 replies; 7+ messages in thread
From: John A. Sullivan III @ 2004-03-24 19:57 UTC (permalink / raw)
To: Sandy C; +Cc: netfilter
Have you looked at Snort (http://www.snort.org)? That will allow you to
look for patterns in the application layer payload. - John
On Wed, 2004-03-24 at 12:22, Sandy C wrote:
> I'd like to be able to examine the network data, and
> if the data (not the header info) matches certain
> criteria, I want to perform certain actions. It's not
> clear to me what those actions might be yet.
>
> S C
>
> --- "John A. Sullivan III"
> <john.sullivan@nexusmgmt.com> wrote:
> > On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> > > I would like to be able to examine the
> > > data portion of a network packet after matching it.
> > >
> ..
> > > What is the best way to go about this? Should I be
> > > thinking of writing a target extension?
> > <snip>
> > It depends on what you want to do. What do you want to do with the
> > information?
> > --
> > John A. Sullivan III
>
>
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
* Re: examining data portion of packet
2004-03-24 17:22 ` Sandy C
2004-03-24 19:57 ` John A. Sullivan III
@ 2004-03-25 19:53 ` Michael Rash
1 sibling, 0 replies; 7+ messages in thread
From: Michael Rash @ 2004-03-25 19:53 UTC (permalink / raw)
To: Sandy C; +Cc: netfilter
On Mar 24, 2004, Sandy C wrote:
> I'd like to be able to examine the network data, and
> if the data (not the header info) matches certain
> criteria, I want to perform certain actions. It's not
> clear to me what those actions might be yet.
Sounds like you may be looking for an "active response" capability.
Here are three pieces of software that can react based on
application layer data:
snortsam: http://www.snortsam.net/
fwsnort: http://www.cipherdyne.org/fwsnort/
snort_inline: http://snort-inline.sourceforge.net/
Deploying such functionality essentially gives the network the capability
of reconfiguring itself based on signatures that can easily
generate false positives! You have been warned.
--Mike
Michael Rash
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
> --- "John A. Sullivan III"
> <john.sullivan@nexusmgmt.com> wrote:
> > On Wed, 2004-03-24 at 00:45, Sandy C wrote:
> > > I would like to be able to examine the
> > > data portion of a network packet after matching it.
> > >
> ..
> > > What is the best way to go about this? Should I be
> > > thinking of writing a target extension?
> > <snip>
> > It depends on what you want to do. What do you want to do with the
> > information?
> > --
> > John A. Sullivan III
>
>
^ permalink raw reply [flat|nested] 7+ messages in thread
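An added illustration, not written by any poster in this thread: locating the data portion of a raw IPv4/TCP packet, matching a signature against that portion only, and seeing why acting automatically on such matches invites the false positives warned about above. The signature, the sample packets and all function names are constructed for this example.

```python
import struct

SIGNATURE = b"/etc/passwd"  # constructed signature, in the style of a content match

def tcp_payload(packet: bytes) -> bytes:
    """Return the data portion of a raw IPv4/TCP packet, skipping both headers."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length, options included
    total = struct.unpack("!H", packet[2:4])[0]  # IP total length (excludes link padding)
    if ihl < 20 or total > len(packet) or total < ihl + 20:
        raise ValueError("malformed IP header")
    doff = (packet[ihl + 12] >> 4) * 4           # TCP header length, options included
    if doff < 20 or ihl + doff > total:
        raise ValueError("malformed TCP header")
    return packet[ihl + doff:total]

def matches(packet: bytes) -> bool:
    """True if the signature occurs in the payload (header bytes never count)."""
    return SIGNATURE in tcp_payload(packet)

def build_packet(payload: bytes, ip_opts: bytes = b"", tcp_opts: bytes = b"") -> bytes:
    """Constructed sample packet: zero checksums, RFC 5737 documentation addresses."""
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    total = (ihl + doff) * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, doff << 4, 0x18,
                      65535, 0, 0) + tcp_opts
    return ip + tcp + payload

# Constructed samples.
INTENDED = build_packet(b"GET /etc/passwd HTTP/1.0\r\n\r\n")
BENIGN = build_packet(b"POST /forum HTTP/1.0\r\n\r\n"
                      b"How do I fix permissions on /etc/passwd?")
IN_HEADER = build_packet(b"hi", tcp_opts=SIGNATURE + b"\x01")  # bytes in options only
WITH_OPTS = build_packet(b"hello", ip_opts=b"\x01" * 4, tcp_opts=b"\x01" * 8)

if __name__ == "__main__":
    for name, pkt in [("intended", INTENDED), ("benign", BENIGN),
                      ("in header", IN_HEADER), ("with options", WITH_OPTS)]:
        print(f"{name:13} payload={tcp_payload(pkt)[:30]!r} match={matches(pkt)}")
```

The benign forum post matches just as the intended request does, so a rule that blocks the sender on a match would block both.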