Hello,
I used to do some tests for network monitor and email policies by putting some .eml files in the drop directory on a network monitor dedicated to our test/validation before deploying them on the live platform. It is a nice feature which has saved us from incident bursts several times, especially when you have some tricky policies with lots of detection rules and exceptions.
Is there a way to do the same for HTTP or IM policies?
Regards.
Stephane,
I've never been an expert on the process, but if you search the forums, this has been covered before. There is a way to take essentially a Wireshark capture or a PCAP dump of HTTP traffic and place it in the Drop directory or one of the other directories, and that will process the PCAP as if it were live traffic. I vaguely recall it may have involved replaying the PCAP file vs. dropping the capture. Some searching on the forums will likely outline the specifics of the folders to use.
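Before feeding a capture to the monitor for an HTTP policy test it helps to confirm the file really contains the HTTP requests you expect. This is an added, stand-alone Python example, not code from this thread or from the product: it builds a constructed two-packet pcap in memory and parses it with the standard library only, listing the HTTP request lines found (the drop directory name and the product's replay behaviour are not assumed here).

```python
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")

def build_pcap(packets):
    """Build a classic little-endian pcap (link type 1 = Ethernet) from (timestamp, frame) pairs."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in packets]
    return hdr + b"".join(recs)

def tcp_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload (checksums left zero)."""
    eth = bytes(12) + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    return eth + ip

def http_requests(pcap):
    """Return (src, dst, request line) for every TCP segment that starts an HTTP request."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack("<I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet captures are handled here")
    found, off = [], 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":
            continue                                  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:
            continue                                  # not TCP
        tcp = ip[ihl:]
        payload = tcp[(tcp[12] >> 4) * 4:]            # skip TCP header incl. options
        if payload.startswith(HTTP_METHODS):
            src = ".".join(map(str, ip[12:16]))
            dst = ".".join(map(str, ip[16:20]))
            found.append((src, dst, payload.split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return found

# Constructed sample: one HTTP GET and one non-HTTP (TLS-looking) segment.
SAMPLE = build_pcap([
    (1, tcp_frame((10, 0, 0, 1), (10, 0, 0, 2), 40000, 80,
                  b"GET /report.xlsx HTTP/1.1\r\nHost: example.com\r\n\r\n")),
    (2, tcp_frame((10, 0, 0, 2), (10, 0, 0, 1), 443, 40001, b"\x16\x03\x01\x00\x05hello")),
])

if __name__ == "__main__":
    for src, dst, line in http_requests(SAMPLE):
        print(f"{src} -> {dst}: {line}")
```

Swap `SAMPLE` for `open("capture.pcap", "rb").read()` to check a real capture; a capture that yields no request lines will not exercise an HTTP policy when replayed.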
For IM policies you can turn this on with a check of the box; AIM, Yahoo, and MSN are built in.
Skype is not on the list yet. As for the HTTP traffic, I have used an HTTP traffic generator.
Remember you can do L7 filters via domains, subnets, or specific IPs.
Is it drop_pcap?
Yes, it is.
Thanks. I will use drop_pcap.