openpacket-devel Mailing List for OpenPacket Tools
Brought to you by: crazy_j, taosecurity
This list is closed, nobody may subscribe to it.
Messages per month in the archive:

| Year | Jan | Feb | Mar | Apr | May | Jun | Jul | Aug | Sep | Oct | Nov | Dec |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2006 | | | | | | | 25 | 29 | 6 | 4 | | |
| 2007 | 4 | | 8 | | | | 1 | 2 | 3 | 27 | 3 | 1 |
| 2008 | 19 | 16 | 4 | 8 | 3 | 15 | 10 | | | | | |
| 2009 | 5 | | 1 | | | | | | | | | |
From: JJ C. <cum...@gm...> - 2009-03-09 17:44:29

I would like to begin by thanking Richard for his time and dedication in getting this project off of the ground. There have been a number of changes in recent months, including the migration of the site onto new hardware to increase stability. There are a number of significant changes that are rapidly approaching that include some partnerships and significant site enhancements. This being said, please stay tuned for these upcoming developments and let us know how we are doing by participating in the forums and capture uploads. I would also like to welcome our latest moderator: Joel Esler.

Cheers,
JJC
From: Christoph M. <ma...@tm...> - 2009-01-05 13:12:32

Hi OpenPacket Developers,

my name is Christoph Mayer and I am the developer of the PktAnon network trace anonymization tool (www.tm.uka.de/pktanon). We have already had some discussion about PktAnon on this list mid last year. Now I want to push this further and hope to start a discussion about the possibility to bring PktAnon into OpenPacket. I have some points that I want to throw in and hope that you kick in to the discussion on them:

1. Currently there is no standardized anonymization on OpenPacket or other trace archives. In my opinion there should be a standardized anonymization process. Therefore a defined set of anonymization profiles should be worked on that users can easily use. PktAnon, e.g., uses XML-based profiles that define how a trace is anonymized. Having community-standardized profiles (de-facto standards) would in my opinion be a great benefit. Users (or the server side) could anonymize using a default profile and the trace be published with meta-information on which profile was used. PktAnon currently contains three default profiles which we came up with. What do you think of these profiles? Are they adequate? Is it in your opinion at all possible to define such a set of standard profiles for a system like OpenPacket?

2. How should a system for anonymization in OpenPacket look? Should users anonymize the data, or the server system? What is adequate and safe for the user? What is adequate and safe for the server?

3. How can validation of a tool for anonymization look? Code reviews, statistical tests on the anonymized traces? Should there be some kind of validation directly after the anonymization of the trace?

I would be very happy to hear about your opinions! I think OpenPacket is the right way for a packet repository to work. Privacy issues are in my opinion the reason why there are still not many people submitting their traces. Having a standardized process here would help for sure!

Best Regards,
Chris

--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: ma...@tm...
Web: http://www.tm.uka.de/~mayer/
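The profile-driven design Christoph describes (protocol fields mapped to anonymization primitives, plus meta-information recording which profile a published trace went through) can be sketched in a few dozen lines. The following is an added example written for this page, not PktAnon's code or its profile format: the XML schema, the primitive names, the fixed Ethernet/IPv4/UDP field offsets, the HMAC key and the sample frame are all constructed assumptions of mine.

```python
"""Profile-driven header anonymization, as an illustration of the idea above.

Constructed example: the XML schema below is my own, not PktAnon's profile
format; the field offsets assume an Ethernet/IPv4(20-byte header)/UDP frame.
"""
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET

# Constructed profile: one element per protocol field, each naming a primitive.
PROFILE_XML = """
<profile name="example-headers-v1">
  <field proto="ethernet" name="src_mac"  primitive="keyed_hash"/>
  <field proto="ethernet" name="dst_mac"  primitive="keyed_hash"/>
  <field proto="ipv4"     name="src_ip"   primitive="keyed_hash"/>
  <field proto="ipv4"     name="dst_ip"   primitive="keyed_hash"/>
  <field proto="ipv4"     name="ttl"      primitive="keep"/>
  <field proto="udp"      name="src_port" primitive="zero"/>
  <field proto="udp"      name="dst_port" primitive="keep"/>
  <field proto="payload"  name="data"     primitive="zero"/>
</profile>
"""

# (offset, width) of each addressable header field in the assumed frame layout.
FIELD_LAYOUT = {
    ("ethernet", "dst_mac"): (0, 6),
    ("ethernet", "src_mac"): (6, 6),
    ("ipv4", "ttl"): (22, 1),
    ("ipv4", "src_ip"): (26, 4),
    ("ipv4", "dst_ip"): (30, 4),
    ("udp", "src_port"): (34, 2),
    ("udp", "dst_port"): (36, 2),
}
PAYLOAD_OFFSET = 42  # 14-byte Ethernet + 20-byte IPv4 + 8-byte UDP header


def load_profile(xml_text):
    """Parse the profile into (name, {(proto, field): primitive})."""
    root = ET.fromstring(xml_text)
    mapping = {(f.get("proto"), f.get("name")): f.get("primitive") for f in root.iter("field")}
    return root.get("name"), mapping


def keyed_hash(value, key):
    """Consistent pseudonym: same input and key give the same output of equal width.
    The key stays with the publisher; the mapping is not reversible without it."""
    return hmac.new(key, value, hashlib.sha256).digest()[: len(value)]


PRIMITIVES = {
    "keep": lambda v, key: v,
    "zero": lambda v, key: bytes(len(v)),
    "keyed_hash": keyed_hash,
}


def anonymize_frame(frame, mapping, key):
    """Apply the profile's primitive to every addressed field; unmentioned fields stay as they are."""
    out = bytearray(frame)
    for (proto, name), prim in mapping.items():
        if proto == "payload":
            out[PAYLOAD_OFFSET:] = PRIMITIVES[prim](bytes(out[PAYLOAD_OFFSET:]), key)
            continue
        if (proto, name) not in FIELD_LAYOUT:
            raise ValueError(f"profile addresses unknown field {proto}.{name}")
        off, width = FIELD_LAYOUT[(proto, name)]
        out[off:off + width] = PRIMITIVES[prim](bytes(out[off:off + width]), key)
    return bytes(out)


def profile_metadata(name, xml_text):
    """What an archive could publish next to a trace: the profile used, pinned by a digest."""
    return {"profile": name, "profile_sha256": hashlib.sha256(xml_text.encode()).hexdigest()}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; never sent anywhere)."""
    ip_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 17, 0, src_ip, dst_ip)
    udp_hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return dst_mac + src_mac + b"\x08\x00" + ip_hdr + udp_hdr + payload


if __name__ == "__main__":
    name, mapping = load_profile(PROFILE_XML)
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 51000, 53, b"hostname=lab-pc-07")
    anon = anonymize_frame(frame, mapping, b"constructed-key")
    print(profile_metadata(name, PROFILE_XML))
    print(anon.hex())
```

Because the keyed hash is deterministic per key, the same address gets the same pseudonym in every packet, so flows stay correlatable inside the published trace without revealing the original value; the per-trace key is the secret that must not be published with the capture.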
From: Christoph M. <ma...@tm...> - 2008-07-14 15:18:33

Hi Matt,

> Nice to meet you Christoph!

Thanks, nice to meet you, too :)

>> What do you mean with netbios addresses? There is currently no Netbios
>> parser.
>
> I'm thinking encoded machine names and IPs that are in netbios
> broadcasts, etc.

Ok, currently there is no NBT parser. To write one there needs to be a new parser written (detailed in the manual) that understands the headers from RFC1002. Currently PktAnon understands no NBT; it would then interpret the data as pure payload. In the configuration there is a so-called PayloadPacket that gets only one anonymization primitive assigned that will anonymize the complete payload data.

> (BTW: have you an arp parser? Can it obfuscate macs as well?)

There is an ARP parser in PktAnon. It is a design principle of PktAnon to allow anonymization of ALL fields of a protocol, not just what we think needs anonymization from our point of view. So you can anonymize MACs in ARP and also in Ethernet. For a complete list of currently supported protocols see the manual here:
http://www.tm.uka.de/pktanon/documentation/manual/pdf/PktAnon_Manual.pdf

>> The information from such sites lies in http and therefore layer 5.
>> Writing a http parser for anonymization of http traffic is one thing,
>> the other is the correlation of such information in the different
>> layers. Currently PktAnon handles protocols on layers >= 5 as pure
>> payload. Therefore the structure is not taken into account but rather
>> one anonymization primitive applied to the complete payload.
>
> How about the ability to search payloads for certain strings,
> user-defined (mine would be local IPs, machine names, etc)?

Yes, this is an intuitive solution that would work. But is there maybe a better, automated way to do this? There has been some research on this.

Best regards,
Chris

>> You have to be careful to reduce anonymization to IP addresses. There
>> is much more sensitive information that can reveal e.g. what services
>> you run on your network. So verification is an important point that
>> affects the complete anonymization profile and not just IP addresses.
>
> I agree. I'm coming at this from the point of view that I have zombies
> that run in a sandnet. They analyze malware and I'd like to share the
> pcaps easily for research. But I can't risk the zombies being
> fingerprinted. They'd be easily identifiable via MAC, IP, machine name,
> public IP ranges, etc. Those are the things I need to hide.
>
> Thanks for the tool, sounds like nearly exactly what we need though!
>
> Matt
>
>> Best regards,
>> Chris

--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: ma...@tm...
Web: http://www.tm.uka.de/~mayer/
From: Matt J. <jo...@jo...> - 2008-07-14 15:06:05

Nice to meet you Christoph!

> What do you mean with netbios addresses? There is currently no Netbios
> parser.

I'm thinking encoded machine names and IPs that are in netbios broadcasts, etc.

(BTW: have you an arp parser? Can it obfuscate macs as well?)

> The information from such sites lies in http and therefore layer 5.
> Writing a http parser for anonymization of http traffic is one thing,
> the other is the correlation of such information in the different
> layers. Currently PktAnon handles protocols on layers >= 5 as pure
> payload. Therefore the structure is not taken into account but rather
> one anonymization primitive applied to the complete payload.

How about the ability to search payloads for certain strings, user-defined (mine would be local IPs, machine names, etc)?

> You have to be careful to reduce anonymization to IP addresses. There is
> much more sensitive information that can reveal e.g. what services you
> run on your network. So verification is an important point that affects
> the complete anonymization profile and not just IP addresses.

I agree. I'm coming at this from the point of view that I have zombies that run in a sandnet. They analyze malware and I'd like to share the pcaps easily for research. But I can't risk the zombies being fingerprinted. They'd be easily identifiable via MAC, IP, machine name, public IP ranges, etc. Those are the things I need to hide.

Thanks for the tool, sounds like nearly exactly what we need though!

Matt

> Best regards,
> Chris

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
From: Christoph M. <ma...@tm...> - 2008-07-14 15:05:23

> So this just occurred to me... consider the amount of parsing needed
> to find some or all of that. Wait, we have a tool with protocol
> dissectors -- Wireshark. Is there some way to combine a tool like
> PktAnon with the dissectors of Wireshark?

This is of course what came into my mind when writing the parsers by hand :) I raised the issue on the Wireshark-dev list in early 2007 and got a negative answer from Guy Harris:
http://wireshark.digimirror.nl/lists/wireshark-dev/200702/msg00192.html

Best regards,
Chris

--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: ma...@tm...
Web: http://www.tm.uka.de/~mayer/
From: Christoph M. <ma...@tm...> - 2008-07-14 15:00:10

Hi,

> 1. Does this thing effectively handle netbios IP addresses? (Names not
> so important)

What do you mean with netbios addresses? There is currently no Netbios parser.

> 2. How does it handle things like the user visiting showmyip.com? Can it
> recognize and strip/replace that returned IP?

The information from such sites lies in http and therefore layer 5. Writing a http parser for anonymization of http traffic is one thing, the other is the correlation of such information in the different layers. Currently PktAnon handles protocols on layers >= 5 as pure payload. Therefore the structure is not taken into account but rather one anonymization primitive applied to the complete payload.

> As for how to verify, a hex-level search for the IP address and/or
> machine name ought to be a good first step. Would need to verify that
> there aren't any gzip'd posts that might contain info, etc.

You have to be careful to reduce anonymization to IP addresses. There is much more sensitive information that can reveal e.g. what services you run on your network. So verification is an important point that affects the complete anonymization profile and not just IP addresses.

Best regards,
Chris

> Matt

--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: ma...@tm...
Web: http://www.tm.uka.de/~mayer/
From: Richard B. <tao...@gm...> - 2008-07-14 13:04:37

On Mon, Jul 14, 2008 at 8:26 AM, Matt Jonkman <jo...@jo...> wrote:
> Wow, that's an interesting tool (says the guy with 40k pcaps he can't share
> for privacy)
>
> few thoughts:
>
> 1. Does this thing effectively handle netbios IP addresses? (Names not so
> important)
>
> 2. How does it handle things like the user visiting showmyip.com? Can it
> recognize and strip/replace that returned IP?
>
> As for how to verify, a hex-level search for the IP address and/or machine
> name ought to be a good first step. Would need to verify that there aren't
> any gzip'd posts that might contain info, etc.
>
> Matt
>

So this just occurred to me... consider the amount of parsing needed to find some or all of that. Wait, we have a tool with protocol dissectors -- Wireshark. Is there some way to combine a tool like PktAnon with the dissectors of Wireshark?

Richard
From: Matt J. <jo...@jo...> - 2008-07-14 12:26:53

Wow, that's an interesting tool (says the guy with 40k pcaps he can't share for privacy)

few thoughts:

1. Does this thing effectively handle netbios IP addresses? (Names not so important)

2. How does it handle things like the user visiting showmyip.com? Can it recognize and strip/replace that returned IP?

As for how to verify, a hex-level search for the IP address and/or machine name ought to be a good first step. Would need to verify that there aren't any gzip'd posts that might contain info, etc.

Matt

Richard Bejtlich wrote:
> ---------- Forwarded message ----------
> From: Christoph P. Mayer <nor...@bl...>
> Date: Sun, Jul 13, 2008 at 2:23 PM
> Subject: [TaoSecurity] New comment on Packet Anonymization with PktAnon.
> To: tao...@gm...
>
>
> Christoph P. Mayer has left a new comment on your post "Packet
> Anonymization with PktAnon":
>
> Hi,
>
> we, the PktAnon developers, would be very happy to help getting
> PktAnon into OpenPacket.org!
>
> If there is an interest in this, we would like to kick off discussion
> about mainly three points:
>
> 1. What protocols need to be supported? PktAnon supports a wide range
> of standard protocols. But it needs extensions in higher layer
> protocols for layer >= 5. Due to the architecture new protocols are
> quite easy to add.
>
> 2. What additional anonymization primitives are needed and how can
> anonymized traces be verified?
>
> 3. Will we find a way to define community standardized anonymization
> profiles? From our point of view this requires cooperation from
> network engineers, researchers, and lawyers. There is still no
> consensus after quite some research done in this area about what
> anonymization is "right". Having the community discussing a
> standard set of anonymization profiles would be a huge step forward!
> Having standardized profiles also helps e.g. OpenPacket.org to mark
> traces in saying what profile has been used.
>
> I would be very happy if there is interest in discussing these points
> and getting the community further in sharing network traces.
>
> Best regards,
> Christoph P. Mayer
>
>
>
> Posted by Christoph P. Mayer to TaoSecurity at 2:23 PM

--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
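Matt's verification idea (a hex-level search for the IP address and machine name, including inside gzip'd content) and Christoph's caution that verification must cover more than IP addresses can be turned into a post-anonymization leak check. The example below is added here and is not code from the thread or from PktAnon: it scans a constructed list of packet payloads, raw and after inflating any gzip stream found in them, for an arbitrary list of identifiers, and it additionally looks for the packed 4-byte form of each IPv4 address, which a text search misses. The sample payloads and identifiers are constructed for the example.

```python
"""Post-anonymization leak check over packet payloads.

Added example; SAMPLE_PAYLOADS is a constructed list of byte strings standing
in for packet payloads, not a real pcap. Extend the identifier list with
whatever must not survive anonymization (hostnames, MACs, public ranges).
"""
import gzip
import ipaddress
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b"

# Constructed identifiers that must not appear in the published trace.
SENSITIVE = ["10.1.2.3", "lab-pc-07"]

# Constructed payloads: a clean request, a gzip'd HTTP body carrying the IP,
# a binary payload carrying the IP in packed form, and a name in different case.
SAMPLE_PAYLOADS = [
    b"GET / HTTP/1.1\r\nHost: showmyip.example\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n\r\n"
    + gzip.compress(b"<html>Your IP is 10.1.2.3</html>"),
    b"\x00\x01\x00\x00" + bytes([10, 1, 2, 3]),
    b"NBT name: LAB-PC-07",
]


def identifier_patterns(sensitive):
    """Build (label, compiled pattern) pairs: each identifier as ASCII text
    (case-insensitive) and, for IPv4 addresses, its packed bytes (exact)."""
    patterns = []
    for ident in sensitive:
        patterns.append((ident, re.compile(re.escape(ident.encode()), re.IGNORECASE)))
        try:
            packed = ipaddress.IPv4Address(ident).packed
            patterns.append((ident + " (packed)", re.compile(re.escape(packed))))
        except ipaddress.AddressValueError:
            pass
    return patterns


def inflate_gzip_segments(payload):
    """Yield the decompressed content of every gzip stream found in the payload.
    A truncated stream yields what could be recovered; a corrupt one is skipped."""
    start = 0
    while True:
        idx = payload.find(GZIP_MAGIC, start)
        if idx < 0:
            return
        try:
            # wbits 16+MAX_WBITS selects gzip framing; trailing bytes are ignored.
            out = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(payload[idx:])
            if out:
                yield out
        except zlib.error:
            pass
        start = idx + len(GZIP_MAGIC)


def find_leaks(payloads, sensitive):
    """Return [(packet_index, identifier_label, where)] for every hit,
    where 'where' is 'raw' or 'gzip'."""
    hits = []
    pats = identifier_patterns(sensitive)
    for i, payload in enumerate(payloads):
        views = [("raw", payload)] + [("gzip", d) for d in inflate_gzip_segments(payload)]
        for where, data in views:
            for label, pat in pats:
                if pat.search(data) and (i, label, where) not in hits:
                    hits.append((i, label, where))
    return hits


if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_PAYLOADS, SENSITIVE):
        print("LEAK packet=%d id=%s in=%s" % hit)
```

Run against a real trace, the payload list would come from a pcap reader; the check is deliberately conservative (substring matches, case-insensitive text) because a false positive costs a look while a miss publishes the identifier.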
From: Richard B. <tao...@gm...> - 2008-07-13 19:40:12

---------- Forwarded message ----------
From: Christoph P. Mayer <nor...@bl...>
Date: Sun, Jul 13, 2008 at 2:23 PM
Subject: [TaoSecurity] New comment on Packet Anonymization with PktAnon.
To: tao...@gm...

Christoph P. Mayer has left a new comment on your post "Packet Anonymization with PktAnon":

Hi,

we, the PktAnon developers, would be very happy to help getting PktAnon into OpenPacket.org!

If there is an interest in this, we would like to kick off discussion about mainly three points:

1. What protocols need to be supported? PktAnon supports a wide range of standard protocols. But it needs extensions in higher layer protocols for layer >= 5. Due to the architecture new protocols are quite easy to add.

2. What additional anonymization primitives are needed and how can anonymized traces be verified?

3. Will we find a way to define community standardized anonymization profiles? From our point of view this requires cooperation from network engineers, researchers, and lawyers. There is still no consensus after quite some research done in this area about what anonymization is "right". Having the community discussing a standard set of anonymization profiles would be a huge step forward! Having standardized profiles also helps e.g. OpenPacket.org to mark traces in saying what profile has been used.

I would be very happy if there is interest in discussing these points and getting the community further in sharing network traces.

Best regards,
Christoph P. Mayer

Posted by Christoph P. Mayer to TaoSecurity at 2:23 PM
From: Richard B. <tao...@gm...> - 2008-07-13 19:36:02

On Sat, Jul 12, 2008 at 6:52 AM, Jonathan Lassoff <jo...@th...> wrote:
> Hey, just a quick heads up in regards to a bug I encountered trying to sign up at openpacket.org
>
> I tried to sign up with a 3-character username ("jof"), and the page threw an error for the Userid field. The copy says that the username must be between 3-12 characters, but only usernames with a length >3 work.
>
> Love the idea for the site! I hope to be digging through old notes and picking out some interesting traces to share.
>
> Cheers,
> jonathan
>

Jonathan,

Thanks for the bug report. I've cc'd our developer, Sharri.

Sincerely,

Richard
From: CS L. <ge...@gm...> - 2008-07-01 04:00:48

Hi Aaron,

Thanks for sharing!

On Tue, Jul 1, 2008 at 11:52 AM, Aaron Turner <syn...@gm...> wrote:
> I assume everyone else saw this, but just in case...
>
>
> ---------- Forwarded message ----------
> From: Christoph Mayer <ma...@tm...>
> Date: Sat, Jun 28, 2008 at 8:11 AM
> Subject: [Tool] PktAnon packet trace anonymization tool released
> To: bu...@se..., for...@se...,
> foc...@se..., inc...@se...,
> bet...@se...
>
>
> I am glad to announce the release of PktAnon 1.2.0 - a tool for
> profile-based network trace anonymization of pcap/tcpdump traces.
>
> PktAnon supports a large number of protocols and anonymization
> primitives. All fields of a protocol can be addressed using PktAnon,
> therefore making PktAnon highly flexible. The anonymization is
> configured through XML profiles and allows arbitrary mappings of
> network protocol fields to anonymization primitives. Anonymization of
> live traffic is supported as well, as is interplay with other tools such
> as e.g. tcpreplay for live replay of anonymized network traffic.
>
> PktAnon is available from http://www.tm.uka.de/pktanon
> Feedback and cooperation are highly welcome!
>
> Please note that this is a development release and not yet in a final
> state. Therefore care must be taken when releasing anonymized network
> traces.
>
> Best regards,
> Chris
> --
> Dipl.-Inform. Christoph P. Mayer
> Institute of Telematics, University of Karlsruhe (TH)
> Zirkel 2, 76128 Karlsruhe, Germany
> Phone: +49 721 608 6415, Email: ma...@tm...
> Web: http://www.tm.uka.de/~mayer/
>
> --
> Aaron Turner
> http://synfin.net/
> http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix &
> Windows
> They that can give up essential liberty to obtain a little temporary
> safety deserve neither liberty nor safety. -- Benjamin Franklin
>

--
Best Regards,
CS Lee<geek00L[at]gmail.com>
http://geek00l.blogspot.com
From: Aaron T. <syn...@gm...> - 2008-07-01 03:52:30

I assume everyone else saw this, but just in case...

---------- Forwarded message ----------
From: Christoph Mayer <ma...@tm...>
Date: Sat, Jun 28, 2008 at 8:11 AM
Subject: [Tool] PktAnon packet trace anonymization tool released
To: bu...@se..., for...@se..., foc...@se..., inc...@se..., bet...@se...

I am glad to announce the release of PktAnon 1.2.0 - a tool for profile-based network trace anonymization of pcap/tcpdump traces.

PktAnon supports a large number of protocols and anonymization primitives. All fields of a protocol can be addressed using PktAnon, therefore making PktAnon highly flexible. The anonymization is configured through XML profiles and allows arbitrary mappings of network protocol fields to anonymization primitives. Anonymization of live traffic is supported as well, as is interplay with other tools such as e.g. tcpreplay for live replay of anonymized network traffic.

PktAnon is available from http://www.tm.uka.de/pktanon
Feedback and cooperation are highly welcome!

Please note that this is a development release and not yet in a final state. Therefore care must be taken when releasing anonymized network traces.

Best regards,
Chris
--
Dipl.-Inform. Christoph P. Mayer
Institute of Telematics, University of Karlsruhe (TH)
Zirkel 2, 76128 Karlsruhe, Germany
Phone: +49 721 608 6415, Email: ma...@tm...
Web: http://www.tm.uka.de/~mayer/

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin
From: Richard B. <tao...@gm...> - 2008-06-27 04:12:57

On Thu, Jun 26, 2008 at 5:14 PM, Gerald Combs <ge...@wi...> wrote:
> Is there a preferred way to download OpenPacket captures en masse? I'd like to
> add them to the collection we use for Wireshark's automated testing.
>

Hi Gerald,

We don't have a way to do that now, but we're not necessarily against it. I think we may see more requests like this, but at present our infrastructure doesn't support it. At some point (probably in August, given my schedule now) we'll need to put together a roadmap for feature requests based on our experience the last few months.

Thank you,

Richard
From: Gerald C. <ge...@wi...> - 2008-06-26 17:14:16

Is there a preferred way to download OpenPacket captures en masse? I'd like to add them to the collection we use for Wireshark's automated testing.
From: Shyaam <sh...@gm...> - 2008-06-26 03:35:52

Hi David and other Mods,

I have about 176 PCAPs currently to share. Also, I wanted to know if it is cool with you for me to list your pcaps too in exchange, and I will list them in a column that says PCAPs from OpenPackets.org.... I wouldn't be making 1 per day releases though :(... It would be more of bulk releases... Next time I am anticipating more. There are 350 other PCAPs which I call challenge PCAPs that are listed in the site for the users to find out why signatures have not been triggered or what's in the PCAP. These are the details so far. You can expect about the same range in my next release too.

Shyaam

On Wed, Jun 25, 2008 at 4:06 PM, Richard Bejtlich <tao...@gm...> wrote:
> On Wed, Jun 25, 2008 at 5:28 AM, Shyaam <sh...@gm...> wrote:
>> Hello Sir,
>>
>> www.EvilFingers.com has finally released. I have about 176 exploit PCAPs and
>> about 300 challenge PCAPs. I would like to submit the PCAPs that I have now
>> and submit all future PCAPs to your OpenPackets.org site. You have always
>> been my role model in the field of Intrusion Defense. Kindly, let me know if
>> it is cool with you and also let me know if I can help OpenPackets.org by
>> any other means. I would also like to list OpenPackets.org in technology
>> partners and would love to invite you to be a part of the advisory member
>> for the site if that is fine with you.
>>
>> Thank you in advance for your time and consideration.
>> Kind Regards,
>> Shyaam Sundhar R.S.
>> Profile:
>> www.linkedin.com/in/intrusion
>
> Hi Shyaam,
>
> That is great -- thank you for contacting me. I'd like you to speak
> with David Bianco, our OpenPacket.org moderator handling bulk
> contributions.
>
> How often will you contribute pcaps in the future? 1 per day, 1 per week,
> etc.?
>
> David (and other mods) any ideas how to process this many pcaps, and
> how to proceed?
>
> Thank you,
>
> Richard
>

--
Thank you in advance for your time and consideration.
Kind Regards,
Shyaam Sundhar R.S.
Certification History:
Audit: GPCI
Legal: GCDS
Management: GLDR
Security: SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS, GCFA, GCIA
Anti-Terrorism: CAS
From: JJ C. <cum...@gm...> - 2008-06-25 16:22:01

We could put them on a shell or webdav location that he can write to to upload them, then we just pull them down one by one.... would be easier than having him post each to OP... unless Sharri can easily throw together a "bulk upload" type option..

Also, while we are all here ;-) What are our thoughts on publishing the code behind OP? It has been asked of me several times.. I am personally fine with it... in the spirit of OSS that the site is built around and we all live by :-P

J

Richard Bejtlich wrote:
> On Wed, Jun 25, 2008 at 5:28 AM, Shyaam <sh...@gm...> wrote:
>
>> Hello Sir,
>>
>> www.EvilFingers.com has finally released. I have about 176 exploit PCAPs and
>> about 300 challenge PCAPs. I would like to submit the PCAPs that I have now
>> and submit all future PCAPs to your OpenPackets.org site. You have always
>> been my role model in the field of Intrusion Defense. Kindly, let me know if
>> it is cool with you and also let me know if I can help OpenPackets.org by
>> any other means. I would also like to list OpenPackets.org in technology
>> partners and would love to invite you to be a part of the advisory member
>> for the site if that is fine with you.
>>
>> Thank you in advance for your time and consideration.
>> Kind Regards,
>> Shyaam Sundhar R.S.
>> Profile:
>> www.linkedin.com/in/intrusion
>>
>
> Hi Shyaam,
>
> That is great -- thank you for contacting me. I'd like you to speak
> with David Bianco, our OpenPacket.org moderator handling bulk
> contributions.
>
> How often will you contribute pcaps in the future? 1 per day, 1 per week, etc.?
>
> David (and other mods) any ideas how to process this many pcaps, and
> how to proceed?
>
> Thank you,
>
> Richard
>
From: Richard B. <tao...@gm...> - 2008-06-25 16:06:18
On Wed, Jun 25, 2008 at 5:28 AM, Shyaam <sh...@gm...> wrote:
> Hello Sir,
>
> www.EvilFingers.com has finally released. I have about 176 exploit PCAPs and
> about 300 challenge PCAPs. I would like to submit the PCAPs that I have now
> and submit all future PCAPs to your OpenPackets.org site. You have always
> been my role model in the field of Intrusion Defense. Kindly, let me know if
> it is cool with you and also let me know if I can help OpenPackets.org by
> any other means. I would also like to list OpenPackets.org in technology
> partners and would love to invite you to be a part of the advisory member
> for the site if that is fine with you.
>
> Thank you in advance for your time and consideration.
> Kind Regards,
> Shyaam Sundhar R.S.
> Profile:
> www.linkedin.com/in/intrusion

Hi Shyaam,

That is great -- thank you for contacting me. I'd like you to speak with David Bianco, our OpenPacket.org moderator handling bulk contributions.

How often will you contribute pcaps in the future? 1 per day, 1 per week, etc.?

David (and other mods) any ideas how to process this many pcaps, and how to proceed?

Thank you,

Richard
From: David J. B. <da...@vo...> - 2008-06-06 16:49:51
Sharri Parsell wrote:
>> Sharri, what do you think about making the site more torrent-friendly?
>
> sure thing. so in a nutshell, add a new category.

Yeah. I'm not exactly sure what to call it, though. Maybe just "other" would be good.

>
>>> For something slightly more difficult, it'd be kinda nice to embed the
>>> tracker stats for each torrent inside the OP interface. For example,
>>> before you download the torrent, it could show you the current # of
>>> seeds and peers. This is kind of standard on web sites that host torrents.
>
> i need these points explained in more detail. we're talking about
> particular captures that are too large to say upload and store on OP
> but instead just host the .torrent files?

Exactly. In fact, not only are they often too large to host, they're often too large to download efficiently from a single site. So people use BitTorrent to download many pieces of the data from different sources simultaneously. Those different sources are actually just other BitTorrent users, so as you're downloading pieces, you're also uploading them to other downloaders, and you are what is known as a "peer". Users who have a complete copy of all the data in the torrent are known as "seeds". By having one or more seeds in the torrent, you guarantee that at least one copy of each piece of data is available, which is another way of saying that you're not wasting your time on a download which will never complete.

So BitTorrent speed depends upon the number of peers and seeds which are participating in a given torrent, which is why it's useful to list those up front. No point downloading 15.999GB, only to find that the last piece you need to complete the download is not available because there are no seeds.

You can see this in action if you go to a bittorrent tracker like ThePirateBay.org and search some torrents. They'll show you the relevant stats before you download the torrent, so you'll know what to expect.

JJ can probably help you get this info from the tracker somehow, as it's his tracker.

David
From: Sharri P. <sh...@gm...> - 2008-06-06 16:17:22
> Sharri, what do you think about making the site more torrent-friendly?

sure thing. so in a nutshell, add a new category.

>> For something slightly more difficult, it'd be kinda nice to embed the
>> tracker stats for each torrent inside the OP interface. For example,
>> before you download the torrent, it could show you the current # of
>> seeds and peers. This is kind of standard on web sites that host torrents.

i need these points explained in more detail. we're talking about particular captures that are too large to say upload and store on OP but instead just host the .torrent files?
From: Guillaume F. <gui...@or...> - 2008-06-06 00:00:19
I am also interested.

I look forward to your answer,

Best Regards,

Guillaume FORTAINE
"I have root @ Google"

Richard Bejtlich wrote:
> On Wed, May 21, 2008 at 2:29 PM, Aaron Turner <syn...@gm...> wrote:
>
>> Any plans to open up the source code available so other people can
>> contribute patches? Maybe make the host SVN repo or whatever globally
>> read-only?
>>
>>
>
> Hi Sharri,
>
> What do you think?
>
> Thank you,
>
> Richard
>
From: David J. B. <da...@vo...> - 2008-06-04 17:43:29
Yeah, sorry about that. They were correct on the tracker, but the copies of the torrent files I uploaded through OP were corrupt. I figured it all out, though, and corrected the bad files. Download new copies, and all should be well.

Sorry about that.

David

Richard Bejtlich wrote:
> On Tue, Jun 3, 2008 at 8:21 PM, Richard Bejtlich <tao...@gm...> wrote:
>> On Mon, Jun 2, 2008 at 9:16 AM, David J. Bianco <da...@vo...> wrote:
>>> I just uploaded some torrent files to OpenPacket.
>
> Hi David,
>
> I just tried
>
> https://www.openpacket.org/uploads/0000/0039/OpenPacket_Defcon12_Captures.torrent
>
> and it appears to be invalid. Would you mind checking them again?
>
> Someone in the Forum pointed this out.
>
> Thank you,
>
> Richard
From: Leon W. <leo...@so...> - 2008-06-04 08:08:09
Hi.

I also have problems with these torrents. I have tried 11 and 12, both with the same result.

lward@beetle:/var/tmp$ btdownloadcurses.bittornado ./OpenPacket_Defcon12_Captures.torrent
These errors occurred during execution:
[09:04:09] warning: bad data in responsefile
[09:04:09] got bad file info - bad bencoded data
lward@beetle:/var/tmp$

-Leon

On 4 Jun 2008, at 03:54, Richard Bejtlich wrote:
> On Tue, Jun 3, 2008 at 8:21 PM, Richard Bejtlich <tao...@gm...
> > wrote:
>> On Mon, Jun 2, 2008 at 9:16 AM, David J. Bianco <da...@vo...>
>> wrote:
>>> I just uploaded some torrent files to OpenPacket.
>
> Hi David,
>
> I just tried
>
> https://www.openpacket.org/uploads/0000/0039/OpenPacket_Defcon12_Captures.torrent
>
> and it appears to be invalid. Would you mind checking them again?
>
> Someone in the Forum pointed this out.
>
> Thank you,
>
> Richard
>
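The two things this thread runs into, in one added example that is not code from OpenPacket or from anyone on the list: a strict bencode decoder that rejects a truncated .torrent the way a client does when it reports "bad bencoded data", and a reader for the seed/peer counts a tracker returns in its scrape reply (the "complete" and "incomplete" fields), which is the data David wants shown before a download starts. The tracker URL, file name and info_hash in the sample data are constructed.

```python
# Added example (not OpenPacket code): a strict bencode decoder used two ways.
# torrent_is_valid() makes the check a client does before it reports "bad bencoded
# data"; scrape_stats() reads seeds/peers out of a tracker "scrape" reply.
def _decode(data, i):
    """Decode one bencoded value at offset i; return (value, next_offset)."""
    c = data[i:i + 1]                               # b"" once the input is exhausted
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        length = int(data[i:colon])
        return data[colon + 1:colon + 1 + length], colon + 1 + length
    if c == b"l":                                   # list: l<items>e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = _decode(data, i)
            items.append(item)
        return items, i + 1
    if c == b"d":                                   # dict: d<key><value>...e
        result, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = _decode(data, i)
            result[key], i = _decode(data, i)
        return result, i + 1
    raise ValueError("bad bencoded data at offset %d" % i)

def bdecode(data):
    value, end = _decode(data, 0)
    if end != len(data):                            # truncated or trailing bytes
        raise ValueError("length mismatch: corrupt file")
    return value

def torrent_is_valid(torrent_bytes):
    """True when the file decodes and carries the keys a client needs."""
    try:
        info = bdecode(torrent_bytes)[b"info"]
        return isinstance(info, dict) and all(k in info for k in (b"name", b"piece length", b"pieces"))
    except (ValueError, KeyError, TypeError):       # undecodable or wrong shape
        return False

def scrape_stats(reply_bytes):
    """Map each info_hash (hex) to (seeds, peers); 'complete' counts full copies."""
    files = bdecode(reply_bytes)[b"files"]
    return {h.hex(): (f[b"complete"], f[b"incomplete"]) for h, f in files.items()}

# Constructed sample data: not real OpenPacket files or tracker output.
GOOD_TORRENT = (b"d8:announce22:http://tracker.invalid4:infod6:lengthi5e4:name5:a.cap"
                b"12:piece lengthi16384e6:pieces20:" + b"\0" * 20 + b"ee")
BAD_TORRENT = GOOD_TORRENT[:-6]                   # truncated upload: pieces cut short
SCRAPE_REPLY = b"d5:filesd20:" + b"\x01" * 20 + b"d8:completei3e10:incompletei9eeee"
```

For a live torrent the reply comes from an HTTP GET to the tracker's scrape URL (by convention the announce URL with "announce" replaced by "scrape", plus the URL-encoded info_hash); the decoding is the same.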
From: Richard B. <tao...@gm...> - 2008-06-04 02:54:46
On Tue, Jun 3, 2008 at 8:21 PM, Richard Bejtlich <tao...@gm...> wrote:
> On Mon, Jun 2, 2008 at 9:16 AM, David J. Bianco <da...@vo...> wrote:
>> I just uploaded some torrent files to OpenPacket.

Hi David,

I just tried

https://www.openpacket.org/uploads/0000/0039/OpenPacket_Defcon12_Captures.torrent

and it appears to be invalid. Would you mind checking them again?

Someone in the Forum pointed this out.

Thank you,

Richard
From: Richard B. <tao...@gm...> - 2008-06-04 00:23:09
On Wed, May 21, 2008 at 2:29 PM, Aaron Turner <syn...@gm...> wrote:
> Any plans to open up the source code available so other people can
> contribute patches? Maybe make the host SVN repo or whatever globally
> read-only?
>

Hi Sharri,

What do you think?

Thank you,

Richard
From: Richard B. <tao...@gm...> - 2008-06-04 00:21:44
On Mon, Jun 2, 2008 at 9:16 AM, David J. Bianco <da...@vo...> wrote:
> I just uploaded some torrent files to OpenPacket. One is the Shmoocon 2007
> torrent that has been up on the tracker for a while now. There are also
> three new torrents for packet captures from Defcon 8, 9 and 11. The Defcon
> 12 torrent is having a few issues, which I hope to have ironed out soon.
>
> I did these as torrents because the packet captures are very large. I
> think the smallest is about 5GB. I uploaded them the same way I would
> upload a PCAP file, and they're all tagged as "torrent". However, the
> data contained in these captures doesn't really fall easily into the standard
> "Normal/Suspicious/Malicious" category we use in OP. I would like to request
> a new category, just for torrents. This should make it easier for people
> who need to find large captures to use as a corpus of test data or something.
>
> For something slightly more difficult, it'd be kinda nice to embed the
> tracker stats for each torrent inside the OP interface. For example,
> before you download the torrent, it could show you the current # of
> seeds and peers. This is kind of standard on web sites that host torrents.
>
> I think we're going to collect more and more large captures via bittorrent
> in the future, so some basic support inside OP would be great.
>
> Oh, and please seed these! I'm the only one seeding the Defcon captures
> right now. Looks like I might need a new HD just to store these on at
> some point.
>
> David
>

David, great work.

Sharri, what do you think about making the site more torrent-friendly?

Thank you,

Richard