Re: [fw-wiz] Traffic Monitoring

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/07/03

Next message: Sutantyo, Danny: "RE: [fw-wiz] Re: PIX FW Failover & Hello Packet"

Previous message: Kyle R. Hofmann: "Re: [fw-wiz] Firewall performance testing (Was: Re: Evaluating Firewall)"
In reply to: Zahid Ahmad Khan: "[fw-wiz] Traffic Monitoring"
Next in thread: Jesse Lep: "Re: [fw-wiz] Traffic Monitoring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: firewall-wizards@nfr.com
Date: Thu, 8 May 2003 01:31:27 +0530

On 06/05/03 09:54 +0500, Zahid Ahmad Khan wrote:
> Hi,
>
> A research organization has asked me to look at an interesting
> situation. They are paranoid about pilferage of research work and want
> to monitor and log all email traffic (Vectors and contents of POP, SMTP
> & IMAP). They require the following:
>
> 1) Log all in and out bound emails (All employees have been duly
> informed of the fact).
> 2) Generate email vector logs.
> 3) Flag and stop any email with unauthorized contents.
> 4) Only interested in traffic on the WAN and Internet interface (E-1,
> E-3, OC-3, POS)
> 5) Do not want to log or see any internal traffic which might be contain
> sensitive R&D info.
>
> I was thinking of putting together a system using pcap for capturing
> traffic and using/developing an analysis reporting engine. Due to the
Too complex. Work on the protocol level here.
Most mail servers will let you make an automatic bcc transparently.
(always_bcc = add@ress with Postfix).

Your mail may be in any format, text, HTML, base64 encoded, obfuscated
HTML, uuencoded, pgp|gpg|s/mime encrypted.
Your parser will have to deal with this. Except for the encrypted part,
I would suggest using amavis/amavisd-new to handle this. The MIME
handling in amavisd is good. This only leaves you to modify it to
identify banned words, and quarantine/redirect those messages.

The only modification I can think of is a modification of the banned
filename routine to see the banned words/phrases in body of the email
itself. You might wish to modify the SpamAssassin plugin keywords to
suit the requirements of this client so that a simple word match that
may occur in normal usage should not be quarantined, but a sufficiently
high number of matches triggers a quarantine.

I hope this helps a bit.

Devdas Bhagat
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Next message: Sutantyo, Danny: "RE: [fw-wiz] Re: PIX FW Failover & Hello Packet"

Previous message: Kyle R. Hofmann: "Re: [fw-wiz] Firewall performance testing (Was: Re: Evaluating Firewall)"
In reply to: Zahid Ahmad Khan: "[fw-wiz] Traffic Monitoring"
Next in thread: Jesse Lep: "Re: [fw-wiz] Traffic Monitoring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]