List: security-onion
Subject: Re: [security-onion] Easiest way to not packet-capture for sensitive port?
From: Doug Burks <doug.burks () gmail ! com>
Date: 2015-08-25 11:21:04
Message-ID: CAK8kjrCMs5=whWqftgw_8ExKqzQvffoRFJXEsV9ymE-Vktpjdw () mail ! gmail ! com
On Mon, Aug 24, 2015 at 10:02 PM, jumbo jim <jumbojim22@gmail.com> wrote:
>
> Hello,
>
> I would like to packet-capture the internal NIC of an HTTP proxy server. This proxy
> server faces end-users (SSL). The server proxies requests to other internal servers
> on various ports.
> In a worst-case scenario (exfiltration), all traffic would need to leave over port
> 443 as that is all the firewall permits to the outside world. I will likely also
> packet-capture the SSL (even though it is encrypted), as I will be able to monitor
> overall traffic to outside IPs.
> Main question - there is a specific internal port on a specific server - which I do
> not want to capture, as it is sensitive.
> Can BPF be used here? Basically I do not want packets to be written to disk (for a
> specific internal server+port destination).
Hi Jim,
Yes, you can use BPF here. Have you seen the BPF page on our Wiki?
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
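
An added example, not part of the reply above or of the Security Onion wiki: three candidate BPF exclusion expressions for one server and port, with a plain-Python model (not libpcap itself) of which constructed packets each would still write to disk. The address 192.0.2.10, port 8443 and every sample packet are assumed placeholders.

```python
from collections import namedtuple

# Constructed placeholders: the sensitive server and port are not given on the page.
HOST, PORT = "192.0.2.10", 8443

Pkt = namedtuple("Pkt", "src sport dst dport frag_off")

def exprs(host=HOST, port=PORT):
    """Three candidate capture filters, as BPF (pcap-filter) expressions."""
    return {
        "dst_only": f"not (dst host {host} and dst port {port})",
        "loose":    f"not (host {host} and port {port})",
        "paired":   f"not ((dst host {host} and dst port {port}) or "
                    f"(src host {host} and src port {port}))",
    }

def written(name, p, host=HOST, port=PORT):
    """Plain-Python model of each filter: True means the packet reaches disk."""
    # pcap port tests only match unfragmented packets or first fragments,
    # because later IPv4 fragments carry no TCP/UDP header.
    has_ports = p.frag_off == 0
    to_svc = p.dst == host and has_ports and p.dport == port
    from_svc = p.src == host and has_ports and p.sport == port
    if name == "dst_only":
        return not to_svc
    if name == "paired":
        return not (to_svc or from_svc)
    if name == "loose":
        any_host = host in (p.src, p.dst)
        any_port = has_ports and port in (p.sport, p.dport)
        return not (any_host and any_port)
    raise ValueError(name)

# Constructed packets (proxy 192.0.2.5, unrelated server 192.0.2.20).
SAMPLES = {
    "request":   Pkt("192.0.2.5", 40000, HOST, PORT, 0),
    "reply":     Pkt(HOST, PORT, "192.0.2.5", 40000, 0),
    "fragment":  Pkt("192.0.2.5", None, HOST, None, 185),
    "other_svc": Pkt(HOST, 51000, "192.0.2.20", PORT, 0),
}

def leak_table():
    return {f: {n: written(f, p) for n, p in SAMPLES.items()} for f in exprs()}

if __name__ == "__main__":
    for name, row in leak_table().items():
        print(f"{name:9} {exprs()[name]}\n          written to disk: {row}")
```

The destination-only form still records the server's replies, and the loose form also drops the sensitive host's unrelated traffic to port 8443 elsewhere. Non-first IPv4 fragments carry no port header, so none of the port-based forms excludes them.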