Re: [fw-wiz] Websense protocol Version 4?

From: Kevin Sheldrake (kev_at_electriccat.co.uk)
Date: 03/14/05

    To: Kevin <kkadow@gmail.com>, firewall-wizards@honor.icsalabs.com
    Date: Mon, 14 Mar 2005 12:34:35 -0000
    
    

    Hello

    You might find the Protocol Informatics Project useful for protocol
    fuzzing. Not used it myself, but the example using icmp looks right up
    your street. http://insidiae.org/PI/

    Kev

    > On Mon, 7 Mar 2005 10:42:14 -0500, Paul Melson <psmelson@comcast.net>
    > wrote:
    >> > Kevin Kadow wrote:
    >> > I see from PIX and Websense documentation that the recommended
    >> > configuration for URL filtering is to use the following PIX command:
    >> > url-server host <IP-NUMBER> protocol UDP version 4
    >> >
    >> > Websense and PIX can also be configured to use a TCP protocol.
    >> >
    >> > Are either of these protocols documented anywhere?
    >> > I searched both Cisco and Websense, but did not see specifications
    >> > for the communication protocol between the PIX and the filter engine.
    >> >
    >> > Information on the Websense site shows that V4.x uses port 15868 for
    >> > the "Filtering service", and 15871 for blocking messages, but does not
    >> > document the protocol itself.
    >>
    >> The WebSense protocols are proprietary, and not publicly available (at
    >> least that I've seen). There also appear to be differences between the
    >> WebSense protocol used for PIX firewalls and the one used for Check Point
    >> firewalls (UFP).
    >>
    >> Port 15868 listens for the actual url-filter requests from the firewall
    >> and issues a response code based on matching. Port 15871 is something like
    >> an HTTP server and issues an alert that is inserted in-stream to the
    >> browser, letting the user know that WebSense has blocked the URL they've
    >> requested.
    >>
    >> PaulM
    >
    > Thanks.
    >
    > We're making some progress on unpacking the Websense protocol
    > on TCP/15686 from examination of sniffer traces. Much of the contents
    > of a TCP request is obvious, (the URL, the client IP as four binary
    > bytes, etc), but there are also several binary bytes which are static
    > across requests and some fixed-length blocks of binary which change
    > (checksum?) all of which the purpose is not immediately obvious. No signs
    > of encryption.
    >
    > Once I get my new test PIX I'll try the UDP protocol and see if it is
    > perhaps easier to interpret; right now I'm limited to sniffing real traffic.
    >
    > If nothing else, it'd be interesting to have an Ethereal plugin for
    > Websense :)
    >
    > Kevin Kadow
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

    -- 
    Kevin Sheldrake MEng MIEE CEng CISSP
    Electric Cat (Cheltenham) Ltd
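The approach Kevin Kadow describes above (sorting the bytes of captured requests into fields that stay static and fields that change, then testing a checksum guess) as an added example that is not part of this thread. The request layout, header bytes, addresses and URLs are constructed for illustration and are not the real Websense format.

```python
from itertools import groupby
from ipaddress import IPv4Address
from functools import reduce
import operator

HEADER = b"\x00\x04\x00\x1a"  # constructed fixed prefix, not the real Websense header

def build_sample(ip: str, url: str) -> bytes:
    """Constructed request: header, 2-byte sum-of-body checksum, client IP as
    four raw bytes, then the URL. This layout is invented for the example."""
    body = IPv4Address(ip).packed + url.encode()
    return HEADER + (sum(body) & 0xFFFF).to_bytes(2, "big") + body

SAMPLES = [build_sample("10.0.0.5", "http://a.example/"),
           build_sample("10.0.0.9", "http://b.example/"),
           build_sample("10.0.1.8", "http://c.example/")]

def classify_offsets(samples):
    """Split the common prefix into (start, end, kind) runs; kind is 'static'
    when every capture has the same byte at that offset, else 'varies'.
    A byte can look static only because the captures lack variety (all
    clients in one /16, a checksum whose high byte rarely moves), so more
    diverse traces usually shrink the static runs."""
    n = min(len(s) for s in samples)
    kinds = ["static" if len({s[i] for s in samples}) == 1 else "varies"
             for i in range(n)]
    runs, start = [], 0
    for kind, grp in groupby(kinds):
        length = len(list(grp))
        runs.append((start, start + length, kind))
        start += length
    return runs

def find_ipv4_field(sample: bytes, client_ip: str):
    """Offsets where four raw bytes equal the packed client address."""
    packed = IPv4Address(client_ip).packed
    return [i for i in range(len(sample) - 3) if sample[i:i + 4] == packed]

def checksum_hypothesis_holds(samples, offset, width, func):
    """True if in every capture the field at [offset, offset+width) equals
    func(bytes after the field) truncated to width bytes."""
    mask = (1 << (8 * width)) - 1
    return all(int.from_bytes(s[offset:offset + width], "big")
               == func(s[offset + width:]) & mask for s in samples)

def xor_all(data: bytes) -> int:
    """Alternative checksum guess: XOR of all bytes."""
    return reduce(operator.xor, data, 0)
```

With the three constructed captures the high checksum byte at offset 4 is reported as static, which is exactly the kind of false "constant" that only more varied traffic exposes.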
    
