SLUG Mailing List Archives
Re: [SLUG] I need to do some snooping / detective work.
- To: Paul Robinson <p_d_robinson@xxxxxxxxxxxxxxxx>
- Subject: Re: [SLUG] I need to do some snooping / detective work.
- From: Howard Lowndes <lannet@xxxxxxxxxxxxx>
- Date: Sun May 6 14:33:01 2001
- Cc: slug@xxxxxxxxxxx
If your M$ server has been compromised and you're not bothered at this stage
that it remains compromised for a while, and if your Internet to server
connection is on Ethernet, then just hang a passive sniffer on the
Ethernet and watch what passes.
However, if your Internet connection is ppp then you will have to make the
sniffer box pretend to be the server box (IP etc) and you will have to
port forward to it. It will need to act like a proxy.
Always bear in mind that the intruder might be coming from a variety of
compromised sites and tracking him back could be a wild goose chase.
LANNet Computing Associates <http://lannetlinux.com>
"...well, it worked before _you_ touched it!"
On Sun, 6 May 2001, Paul Robinson wrote:
> Hi Sluggers,
> Can I have some feedback on whether the following is on the right
> track/ wrong/ completely not worth the effort.
> The place where I work has been compromised mainly due to the fact
> they are primarily a M$ shop and so they have no firewall currently (that
> is now going to change thankfully so our no. of linux boxes will be on the
> increase). They also have each individual workstation / server / printer
> given an internet ip address (This is also going to change once said
> firewall is set up) which was just asking for trouble.
> What I'd like to be able to do before I set up said firewall is
> set up a sort of packet sniffer box in between the internet and one of the
> servers that this person is using. Hopefully to find out who they are and
> what they are doing. I was currently working on setting up a linux box to
> install that netsaint package that I asked about a few weeks back. So
> currently we have a Slackware 4.0 (2.2.6 kernel) box which has the default
> setup + latest apache php 4 and mysql. I can add a second nic and turn off
> all services and use this box.
> It will have to fit in seamlessly and both my work colleagues and
> the intruder must not suspect any change. I was thinking that it would be
> something like below (excuse the crudeness of my diagram, I don't draw them
> that often). Basic idea would have the packet sniffer similar to a firewall
> INTERNET ----------- ------------- Server
> | | (non real IP)
> | |
> Packet sniffer
> (2 x nic's & server orig IP
> The Packet Sniffer box would IP MASQ (or IPchains Forward perhaps?) all
> packets onto the compromised server. It would also have to log all
> suspect connections. I was thinking of using snort for this as I've heard
> it's pretty comprehensive and I've seen the ruleset generation page and
> think it's quite a snazzy feature.
> Thanks in advance,
> Paul (who is now out to spec up a firewall box and re-read the firewall howto)
> "The generation of random numbers is too important to be left to chance."
> -- anon.
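An added example, not code from the thread or from either poster's setup: a minimal Python parser for the passive-sniffer role Howard describes, decoding raw Ethernet/IPv4/TCP frames off the wire and logging new inbound connection attempts to the server that come from outside the site's own address block. The server address, the trusted network and the sample frames are constructed placeholders.

```python
import ipaddress
import struct

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_frame(src_ip, dst_ip, sport, dport, tcp_flags):
    """Construct a minimal Ethernet II + IPv4 + TCP frame (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zeroed MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    return eth + ip + tcp

def parse_frame(frame):
    """Return addresses, ports and TCP flags of an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 (or too short to hold an IP header)
    ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 20:
        return None  # not TCP, or truncated TCP header
    tcp = frame[14 + ihl:14 + ihl + 20]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {"src": str(ipaddress.ip_address(frame[26:30])),
            "dst": str(ipaddress.ip_address(frame[30:34])),
            "sport": sport, "dport": dport, "flags": tcp[13]}

def suspect_connections(frames, server_ip, trusted_nets):
    """Log lines for new inbound TCP connections to server_ip from untrusted sources."""
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    log = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dst"] != server_ip:
            continue
        if pkt["flags"] & (SYN | ACK) != SYN:
            continue  # only bare SYNs, i.e. new connection attempts
        if any(ipaddress.ip_address(pkt["src"]) in net for net in trusted):
            continue  # colleagues' own machines are expected traffic
        log.append(f"NEW INBOUND {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}")
    return log

SERVER = "203.0.113.10"  # constructed stand-in for the server's real IP
SAMPLE = [  # constructed sample traffic
    build_frame("203.0.113.25", SERVER, 40000, 139, SYN),       # workstation on site
    build_frame("198.51.100.7", SERVER, 51234, 23, SYN),        # outside host to telnet
    build_frame(SERVER, "198.51.100.7", 23, 51234, SYN | ACK),  # server's reply
    build_frame("192.0.2.44", SERVER, 3000, 80, ACK),           # mid-stream, no SYN
]
```

Running `suspect_connections(SAMPLE, SERVER, ["203.0.113.0/24"])` yields a single line for the outside host's telnet attempt; the on-site workstation, the server's own reply and the mid-stream ACK are all ignored.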