Re: [fw-wiz] Websense protocol Version 4?
From: Kevin Sheldrake (kev_at_electriccat.co.uk)
To: Kevin <email@example.com>, firstname.lastname@example.org Date: Mon, 14 Mar 2005 12:34:35 -0000
You might find the Protocol Informatics Project useful for protocol
fuzzing. Not used it myself, but the example using icmp looks right up
your street. http://insidiae.org/PI/
> On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <email@example.com>
>> > Kevin Kadow wrote:
>> > I see from PIX and Websense documentation that the recommended
>> > configuration for URL filtering is to use the following PIX command:
>> > url-server host <IP-NUMBER> protocol UDP version 4
>> > Websense and PIX can also be configured to use a TCP protocol.
>> > Are either of these protocols documented anywhere?
>> > I searched both Cisco and Websense, but did not see specifications
>> for the
>> > communication protocol between the PIX and the filter engine.
>> > Information on the Websense site shows that V4.x uses port 15868 for
>> "Filtering service", and 15871 for blocking messages, but does not
>> the protocol itself.
>> The WebSense protocols are proprietary, and not publicly available (at
>> that I've seen). There also appear to be differences between the
>> protocol used for PIX firewalls and the one used for Check Point
>> Port 15868 listens for the actual url-filter requests from the firewall
>> issues a response code based on matching. Port 15871 is something like
>> HTTP server and issues an alert that is inserted in-stream to the
>> letting the user know that WebSense has blocked the URL they've
> We're making some progress on unpacking the Websense protocol
> on TCP/15686 from examination of sniffer traces. Much of the contents
> of a TCP request is obvious, (the URL, the client IP as four binary
> bytes, etc),
> but there are also several binary bytes which are static across requests
> some fixed-length blocks of binary which change (checksum?) all of which
> purpose is not immediately obvious. No signs of encryption.
> Once I get my new test PIX I'll try the UDP protocol and see if it is
> easier to interpret; right now I'm limited to sniffing real traffic.
> If nothing else, it'd be interesting to have an Ethereal plugin for
> Websense :)
> Kevin Kadow
> firewall-wizards mailing list
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Cheltenham) Ltd _______________________________________________ firewall-wizards mailing list firstname.lastname@example.org http://honor.icsalabs.com/mailman/listinfo/firewall-wizards