Hi Jason,

--On June 1, 2007 10:30:21 AM +1000 Jason <[EMAIL PROTECTED]> wrote:

| Hi all,
|
| I have a question about best practice in nfsen for creating a default
| rule to catch 'unclassified traffic' in a channel group.
|
| At present, I create a bunch of rules to define the major protocols
| like SMTP, HTTP, HTTPS etc.
|
| ./nfsen --modify-channel George-link1/HTTP__in filter="IN IF 13 and
| port 80 and proto TCP" order=1 color="#3333FF"
| ./nfsen --modify-channel George-link1/HTTP_out filter="OUT IF 13 and
| port 80 and proto TCP" order=1 color="#3333FF"
|
| ./nfsen --modify-channel George-link1/Other__in filter="IN IF 13 and
| (not port 80 and proto TCP) and (not port 443 and proto TCP) and ...."
| etc.
| ./nfsen --modify-channel George-link1/Other_out filter="OUT IF 13  and
| (not port 80 and proto TCP) and (not port 443 and proto TCP) and ...."
| etc.
|
| My problem lies where I have 25 applications defined. The 'Other'
| rule gets rather long and tedious to update. Not to mention problems
| updating it through the CLI (so I edit it in the web GUI online with
| multiple carriage returns).
|
| I am wondering if someone has a bit of code to update nfsen, or if
| there is a plugin module, that would basically say "channel: anything
| else not matching all other rules in this profile"

At the moment there is no module/plugin whatsoever doing this. You may
want to make a perl script which may compile a filter like "anything else"
by chaining all filters together and prepend it by "not".

|
| Lastly, there is a lot of computational and memory overhead with long
| filters in a 'serial', and + and + and + fashion. I did see in a
| mailgroup post something like:-
| port list [80,443,25,110] but I could not get it working.
| Has anyone got a working example of this ???

For IP addresses you may use the IP lists which are in place for nfdump
already: src ip in [ 1.2.3.4 2.3.4.5 4.5.6.7 ] and so on.

For ports, there is no such list, but in any case you can specify a port
range such as dst port > 1024 and dst port < 1200.

    - Peter

|
| Thanks very much.
|
| Jason
|
| -------------------------------------------------------------------------
| This SF.net email is sponsored by DB2 Express
| Download DB2 Express C - the FREE version of DB2 express and take
| control of your XML. No limits. Just data. Click to get it now.
| http://sourceforge.net/powerbar/db2/
| _______________________________________________
| Nfsen-discuss mailing list
| [email protected]
| https://lists.sourceforge.net/lists/listinfo/nfsen-discuss

--
_______ SWITCH - The Swiss Education and Research Network ______
Peter Haag,  Security Engineer,  Member of SWITCH CERT
PGP fingerprint: D9 31 D5 83 03 95 68 BA  FB 84 CA 94 AB FC 5D D7
SWITCH,  Limmatquai 138,  CH-8001 Zurich,  Switzerland
E-mail: [EMAIL PROTECTED] Web: http://www.switch.ch/
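The script Peter suggests, written here as an added example that is not part of this thread or of nfsen itself: a POSIX shell helper that chains all per-application filters of a channel group into one union, negates it once, and prints the two ./nfsen commands for the catch-all channels. The interface number, channel names, order and colour values are constructed placeholders, and the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not nfsen's own code): compose the "Other" catch-all channel
# filter of a channel group as the negation of the union of all application
# filters, as suggested in the reply above. Assumptions: one application filter
# per line on stdin (without the IN/OUT IF part); channel names, interface
# number and order/colour values are constructed placeholders.

# build_other_filter DIRECTION_PREFIX  < filters
# Prints: "<prefix> and not ((f1) or (f2) or ...)"
# Every application filter is wrapped in its own parentheses so that the
# single "not" applies to the whole union; writing "not port 80 and proto TCP"
# per rule would instead bind "not" to "port 80" only and silently drop all
# non-TCP traffic from the catch-all channel.
build_other_filter() {
  prefix="$1"
  union=""
  while IFS= read -r f; do
    case "$f" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    if [ -z "$union" ]; then union="($f)"; else union="$union or ($f)"; fi
  done
  [ -n "$union" ] || return 1                 # no filters: nothing to negate
  printf '%s and not (%s)\n' "$prefix" "$union"
}

# emit_other_commands GROUP IFACE FILTERS_FILE
# Prints the two ./nfsen invocations (one per direction) that create/update
# the catch-all channels; review them, then pipe into sh to apply.
emit_other_commands() {
  group="$1"; iface="$2"; file="$3"
  in_f=$(build_other_filter "IN IF $iface" < "$file") || return 1
  out_f=$(build_other_filter "OUT IF $iface" < "$file") || return 1
  printf './nfsen --modify-channel %s/Other__in filter="%s" order=99 color="#999999"\n' "$group" "$in_f"
  printf './nfsen --modify-channel %s/Other_out filter="%s" order=99 color="#999999"\n' "$group" "$out_f"
}

# Demo with a constructed filter list (the same per-application filters the
# HTTP/HTTPS/SMTP channels of the group would use).
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
port 80 and proto TCP
port 443 and proto TCP
port 25 and proto TCP
EOF
  emit_other_commands George-link1 13 "$tmp"
  rm -f "$tmp"
fi
```

Run it as `sh other_filter.sh --demo` to see the generated commands; keeping the per-application filters in one file also keeps the application channels and the catch-all channel from drifting apart.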