[Openpacket-mods] EmergingThreats VS OpenPacket
From: CS L. <ge...@gm...> - 2008-04-24 12:37:45
<jonkman> morning
<geek00l> per richard request, i will be coordinating between emergingthreats and openpacket
<jonkman> cool!
<geek00l> which means working together with you
<geek00l> so what do you have in mind?
<jonkman> sorry for you :)
<geek00l> haha
<jonkman> I'd like a way to share our pcaps from the sandnet
<jonkman> but have to figure a way to:
<jonkman> 1. document what's in each
<jonkman> 2. sanitize them so my zombies/methods aren't shown
<geek00l> yes, most probably
<jonkman> have about 20k pcaps, some small, some hundreds of megs....
<geek00l> ah
<geek00l> need semi auto way to do it
<geek00l> first of all, the sanitizing is on header only or payloads too?
<jonkman> ya...
<jonkman> payloads primarily
<jonkman> they're in private IP space
<geek00l> dang
<jonkman> but there are IP lookups that reveal real IPs, etc
<geek00l> okay, the header doesn't matter now
<jonkman> netbios names,
<geek00l> yes
<geek00l> and something like ftp also reveals things
<jonkman> we could just have an auto way to submit interesting ones...
<jonkman> ya
<geek00l> but you come to the point which it really hurts
<geek00l> sanitizing payload is more challenging
<jonkman> ya
<geek00l> while not losing the point
<jonkman> maybe we don't make it known where they're from...
<jonkman> then it's not necessarily revealing...
<geek00l> i think i had this discussion with chris lee before
<geek00l> similar
<geek00l> he wants to share his pcap from his honeynet
<jonkman> ya..
<geek00l> dns must be killed
<geek00l> all host lookup shit must be killed
<geek00l> 20K pcaps
<geek00l> ouch
<jonkman> Ya, I use dummy domains for the sandnet, don't want to reveal those
<jonkman> best bet may be for me to just make a way for the analyst to hit a button to mark a pcap as interesting
<geek00l> okay
<jonkman> and needing to be considered for submitting
<jonkman> then we can hand sanitize maybe...
<geek00l> yes
<geek00l> tagging would be good
<geek00l> tag to be sanitized
<jonkman> ya
<geek00l> okay dude
<jonkman> you'll see what I mean and what we have, maybe you'll have an idea
<jonkman> will be back online this evening probably
<geek00l> need to look at that
<geek00l> thanks a lot
<jonkman> ya, it's schweet :)
<jonkman> later
<geek00l> have fun
<geek00l> !!!!!