Re: [fw-wiz] Websense protocol Version 4?
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 03/14/05
- Previous message: Mark Teicher: "Re: [fw-wiz] Cisco acls"
- In reply to: Kevin: "Re: [fw-wiz] Websense protocol Version 4?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com
Date: Mon, 14 Mar 2005 12:34:35 -0000
Hello
You might find the Protocol Informatics Project useful for protocol
fuzzing. Not used it myself, but the example using icmp looks right up
your street. http://insidiae.org/PI/
Kev
> On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson@comcast.net> wrote:
>> > Kevin Kadow wrote:
>> > I see from PIX and Websense documentation that the recommended
>> > configuration for URL filtering is to use the following PIX command:
>> > url-server host <IP-NUMBER> protocol UDP version 4
>> >
>> > Websense and PIX can also be configured to use a TCP protocol.
>> >
>> > Are either of these protocols documented anywhere?
>> > I searched both Cisco and Websense, but did not see specifications for the
>> > communication protocol between the PIX and the filter engine.
>> >
>> > Information on the Websense site shows that V4.x uses port 15868 for the
>> > "Filtering service", and 15871 for blocking messages, but does not document
>> > the protocol itself.
>>
>> The WebSense protocols are proprietary, and not publicly available (at least
>> that I've seen). There also appear to be differences between the WebSense
>> protocol used for PIX firewalls and the one used for Check Point firewalls
>> (UFP).
>>
>> Port 15868 listens for the actual url-filter requests from the firewall and
>> issues a response code based on matching. Port 15871 is something like an
>> HTTP server and issues an alert that is inserted in-stream to the browser,
>> letting the user know that WebSense has blocked the URL they've requested.
>>
>> PaulM
>
> Thanks.
>
> We're making some progress on unpacking the Websense protocol on TCP/15686
> from examination of sniffer traces. Much of the contents of a TCP request is
> obvious (the URL, the client IP as four binary bytes, etc), but there are
> also several binary bytes which are static across requests and some
> fixed-length blocks of binary which change (checksum?), all of which the
> purpose is not immediately obvious. No signs of encryption.
>
> Once I get my new test PIX I'll try the UDP protocol and see if it is
> perhaps easier to interpret; right now I'm limited to sniffing real traffic.
>
> If nothing else, it'd be interesting to have an Ethereal plugin for
> Websense :)
>
> Kevin Kadow
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Cheltenham) Ltd
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
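The approach Kevin Kadow describes in the quoted message, lining up captured requests and separating bytes that never change from blocks that do, is the same differential comparison the Protocol Informatics Project automates. The script below is an added illustration of that technique for this archive page; it is not code from the thread, from PI, or from Websense, and the byte layout, client addresses and URLs in its samples are constructed for the example and are not the Websense format. It classifies each byte offset as static or variable across the captures, coalesces runs into candidate fields, and then tests two cheap hypotheses on the variable ones: "this is a length field" and "this is a byte-sum checksum".

```python
"""Differential analysis of captured request payloads (constructed example).

The layout built by make_sample() is invented for illustration and is NOT the
Websense protocol. The technique is the one the thread describes: line up
several captured requests, find the byte positions that stay fixed and the
ones that change, then test simple hypotheses about the changing ones.
"""
import struct


def make_sample(client_ip: str, url: str) -> bytes:
    """Build one constructed request: magic, total length, client IP, URL length, URL."""
    ip = bytes(int(octet) for octet in client_ip.split("."))
    body = ip + struct.pack(">H", len(url)) + url.encode()
    total = 2 + 2 + len(body)                # magic + length field + body
    return b"\x7f\x01" + struct.pack(">H", total) + body


# Constructed "sniffer traces": four requests from different clients for different URLs.
SAMPLES = [
    make_sample("10.0.0.7", "http://example.com/"),
    make_sample("10.0.0.23", "http://example.org/index.html"),
    make_sample("10.0.1.9", "http://example.net/a"),
    make_sample("192.168.4.12", "http://example.com/images/logo.png"),
]


def classify_offsets(samples):
    """For every offset inside the shortest capture, return ('static', byte) when the
    byte is identical in all captures, else ('variable', distinct_value_count)."""
    n = min(len(s) for s in samples)
    result = []
    for i in range(n):
        values = {s[i] for s in samples}
        if len(values) == 1:
            result.append(("static", values.pop()))
        else:
            result.append(("variable", len(values)))
    return result


def fields(samples):
    """Coalesce consecutive offsets of the same class into (start, end_exclusive, class)."""
    classes = [cls for cls, _ in classify_offsets(samples)]
    out, start = [], 0
    for i in range(1, len(classes) + 1):
        if i == len(classes) or classes[i] != classes[start]:
            out.append((start, i, classes[start]))
            start = i
    return out


def length_field_candidates(samples, width=2):
    """Offsets where a big-endian unsigned int of `width` bytes equals, in EVERY
    capture, either the whole payload length or the number of bytes after the field."""
    n = min(len(s) for s in samples)
    fmt = {1: ">B", 2: ">H", 4: ">I"}[width]
    hits = []
    for i in range(n - width + 1):
        vals = [struct.unpack(fmt, s[i:i + width])[0] for s in samples]
        if all(v == len(s) for v, s in zip(vals, samples)):
            hits.append((i, "total_length"))
        elif all(v == len(s) - (i + width) for v, s in zip(vals, samples)):
            hits.append((i, "trailing_length"))
    return hits


def checksum_candidates(samples, widths=(1, 2)):
    """Offsets where a big-endian field equals the byte sum of the rest of the payload
    (mod 2**(8*width)) in every capture. A negative result means the changing block
    is not a plain additive checksum, which is itself useful to know."""
    n = min(len(s) for s in samples)
    hits = []
    for width in widths:
        mod = 1 << (8 * width)
        for i in range(n - width + 1):
            ok = True
            for s in samples:
                field = int.from_bytes(s[i:i + width], "big")
                rest = (sum(s) - sum(s[i:i + width])) % mod
                if field != rest:
                    ok = False
                    break
            if ok:
                hits.append((i, width))
    return hits


if __name__ == "__main__":
    for start, end, cls in fields(SAMPLES):
        print(f"offset {start:2d}-{end - 1:2d}: {cls}")
    print("length fields:", length_field_candidates(SAMPLES))
    print("checksums:", checksum_candidates(SAMPLES))
```

Two things the run shows that a practitioner should watch for. Offset 2, the high byte of the length field, is reported static because every constructed request is shorter than 256 bytes, so a "fixed" byte may just be a field whose range the capture never exercised. Likewise the leading `http://example.` bytes come out static only because the sample set is biased; fixed bytes inside a variable-length region need confirming over a broader capture before they are treated as protocol constants. The length-field test pins down both the total-length field and the URL-length field, while the checksum test finds nothing, which is what to expect when the changing block is not a simple byte sum.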