
List:       security-onion
Subject:    Re: [security-onion] Easiest way to not packet-capture for sensitive port?
From:       Doug Burks <doug.burks () gmail ! com>
Date:       2015-08-25 11:21:04
Message-ID: CAK8kjrCMs5=whWqftgw_8ExKqzQvffoRFJXEsV9ymE-Vktpjdw () mail ! gmail ! com

On Mon, Aug 24, 2015 at 10:02 PM, jumbo jim <jumbojim22@gmail.com> wrote:
> 
> Hello,
> 
> I would like to packet-capture the internal NIC of an HTTP proxy server. This proxy
> server faces end-users (SSL). The server proxies requests to other internal servers
> on various ports.
> In a worst-case scenario (exfiltration), all traffic would need to leave over port
> 443 as that is all the firewall permits to the outside world. I will likely also
> packet-capture the SSL (even though it is encrypted), as I will be able to monitor
> overall traffic to outside IPs.
> Main question - there is a specific internal port on a specific server - which I do
> not want to capture, as it is sensitive.
> Can BPF be used here? Basically I do not want packets to be written to disk (for a
> specific internal server+port destination).

Hi Jim,

Yes, you can use BPF here.  Have you seen the BPF page on our Wiki?
https://github.com/Security-Onion-Solutions/security-onion/wiki/BPF


-- 
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
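The filter Jim asks about, as an added example that is not part of this thread or of Security Onion's own code: a POSIX shell script that composes a BPF exclusion for one or more sensitive server:port pairs (the hosts and ports are constructed sample values), checks that libpcap accepts it via tcpdump, and leaves BPF_CONF as a placeholder for the config path documented on the wiki page Doug links to.

```shell
#!/bin/sh
# Added example, not code from the thread or from Security Onion itself.
# Builds one BPF expression that keeps all traffic EXCEPT the listed
# sensitive server:port flows and checks that libpcap accepts it.
# BPF_CONF is a placeholder; the real config path is on the wiki page
# Doug links to. Hosts/ports used below are constructed sample values.
BPF_CONF="${BPF_CONF:-/PLACEHOLDER/bpf.conf}"

# so_bpf_exclude BASE HOST:PORT [HOST:PORT ...]
# Emits: (BASE) and not (host H and port P) and not (...) ...
# Each exclusion is parenthesised on purpose: a bare
# "not host H and port P" parses as "(not host H) and port P" and would
# keep only port-P traffic from every other host, the opposite intent.
# "host"/"port" without src/dst match both directions, so the server's
# replies from the sensitive port are excluded along with the requests.
so_bpf_exclude() {
  base="$1"; shift
  expr=""
  for pair in "$@"; do
    host="${pair%%:*}"; port="${pair##*:}"
    # reject entries without a colon or with an empty half
    [ -n "$host" ] && [ -n "$port" ] && [ "$host" != "$pair" ] || return 1
    term="not (host $host and port $port)"
    if [ -z "$expr" ]; then expr="$term"; else expr="$expr and $term"; fi
  done
  if [ -n "$base" ] && [ -n "$expr" ]; then
    printf '(%s) and %s\n' "$base" "$expr"
  else
    printf '%s\n' "${base}${expr}"
  fi
}

# so_bpf_check EXPR: compile EXPR with "tcpdump -d" against an empty Ethernet
# pcap (24-byte global header only), which needs no capture privileges.
# Returns 0 when tcpdump is not installed, since nothing can be checked.
so_bpf_check() {
  command -v tcpdump >/dev/null 2>&1 || return 0
  f=$(mktemp) || return 1
  printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' >"$f"
  rc=0
  tcpdump -r "$f" -d "$1" >/dev/null 2>&1 || rc=1
  rm -f "$f"
  return $rc
}

# Usage: exclude one sensitive database port; this line is what would go in BPF_CONF
filter=$(so_bpf_exclude '' 10.0.0.5:5432) && so_bpf_check "$filter" && printf '%s\n' "$filter"
```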

