DLP: Data In-motion

The key concepts are: detecting data loss within network traces.

Wireshark Traces
For each item below, open the trace and then apply the Wireshark display filter to locate the content. [Tutorial]
- PNG file: here. Filter: http contains "\x89\x50\x4E\x47"
- PDF file: here. Filter: http contains "%PDF"
- GIF file: here. Filter: http contains "GIF89a"
- ZIP file: here. Filter: http contains "\x50\x4B\x03\x04"
- JPEG file: here. Filter: http contains "\xff\xd8"
- MP3 file: here. Filter: http contains "\x49\x44\x33"
- RAR file: here. Filter: http contains "\x52\x61\x72\x21\x1A\x07\x00"
- AVI file: here. Filter: http contains "\x52\x49\x46\x46"
- SWF file: here. Filter: http contains "\x46\x57\x53"
- GZip file: here. Filter: http contains "\x1F\x8B\x08"
- Email addresses: here. Filter: smtp matches "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+[.][a-zA-Z]{2,}"
- IP address: here. Filter: http matches "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
- Credit card details (Mastercard): here. Filter: smtp matches "5\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
- Credit card details (Visa): here. Filter: smtp matches "4\\d{3}(\\s|-)?\\d{4}(\\s|-)?\\d{4}(\\s|-)?\\d{4}"
- Credit card details (Am Ex): here. Filter: smtp matches "3\\d{3}(\\s|-)?\\d{6}(\\s|-)?\\d{5}"
- Domain name: here. Filter: http matches "[a-zA-Z0-9\-\.]+\.(com|org|net|mil|edu|COM|ORG|NET|MIL|EDU|UK)"
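The same signature and pattern checks can be run outside Wireshark, over an HTTP body or SMTP DATA section exported from a trace. The following is an added example (not part of the lab page): it reuses the magic bytes and regexes above, and adds a Luhn checksum so that digit runs which merely look like card numbers are not reported. The sample payload is constructed.

```python
import re

# Magic bytes from the "contains" filters above (same values, as a Python table).
FILE_SIGNATURES = {
    "PNG": b"\x89PNG", "PDF": b"%PDF", "GIF": b"GIF89a", "ZIP": b"PK\x03\x04",
    "JPEG": b"\xff\xd8", "MP3": b"ID3", "RAR": b"Rar!\x1a\x07\x00",
    "AVI": b"RIFF", "SWF": b"FWS", "GZIP": b"\x1f\x8b\x08",
}

# The "matches" regexes above, written for Python's re module (single escaping).
SEP = rb"(?:\s|-)?"
PATTERNS = {
    "email": re.compile(rb"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    "ipv4": re.compile(rb"\b[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b"),
    "mastercard": re.compile(rb"5\d{3}" + SEP + rb"\d{4}" + SEP + rb"\d{4}" + SEP + rb"\d{4}"),
    "visa": re.compile(rb"4\d{3}" + SEP + rb"\d{4}" + SEP + rb"\d{4}" + SEP + rb"\d{4}"),
    "amex": re.compile(rb"3\d{3}" + SEP + rb"\d{6}" + SEP + rb"\d{5}"),
    "domain": re.compile(rb"[a-zA-Z0-9\-\.]+\.(?:com|org|net|mil|edu|uk)", re.IGNORECASE),
}
CARD_TYPES = {"mastercard", "visa", "amex"}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (an addition to the lab's regexes) to drop digit runs that
    only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)   # double every second digit from the right
        total += d - 9 if d > 9 else d           # 10..18 -> digit sum
    return total % 10 == 0

def scan_payload(payload: bytes) -> list:
    """Return (label, match) hits: file signatures present anywhere, then regex hits."""
    hits = [(name, sig.hex()) for name, sig in FILE_SIGNATURES.items() if sig in payload]
    for name, rx in PATTERNS.items():
        for m in rx.finditer(payload):
            text = m.group(0).decode("ascii", "replace")
            if name in CARD_TYPES and not luhn_ok(re.sub(r"[\s-]", "", text)):
                continue  # right shape, wrong checksum: not a real card number
            hits.append((name, text))
    return hits

# Constructed sample: an SMTP-style message body carrying several of the patterns.
SAMPLE = (b"From: alice@example.com\r\nTo: bob@corp.example.net\r\n"
          b"Card: 4111 1111 1111 1111 ref: 4111-1111-1111-1112\r\n"
          b"Host 10.0.0.5\r\n\r\n\x89PNG\r\n\x1a\n")

if __name__ == "__main__":
    for label, value in scan_payload(SAMPLE):
        print(f"{label:10s} {value}")
```

Note that the domain regex also fires on the host part of every e-mail address, as it does in Wireshark; the signatures are searched anywhere in the payload, so a match only shows a file header is present, not that a whole file was transferred.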