SLUG Mailing List Archives
[SLUG] Re: Snooping/Detective Work
- To: <slug@xxxxxxxxxxx>
- Subject: [SLUG] Re: Snooping/Detective Work
- From: Rebecca Richards <r.richards@xxxxxxxxxxxxxxx>
- Date: Mon May 7 11:00:02 2001
- User-agent: IMP/PHP IMAP webmail program 2.2.0-pre10
Paul Robinson <p_d_robinson@xxxxxxxxxxxxxxxx> said:
> They also have each individual workstation / server / printer
> given an internet IP address (This is also going to change once said
> firewall is set up) which was just asking for trouble.
When you reassign your IP addresses, I would suggest that you read RFC 1918
regarding use of private IP addresses, and do NAT at the firewall. You can
handle internal IP addresses through DHCP, giving your printers and main servers
static leases. Works quite well, and is far more manageable than administering
bucketloads of static addresses.
> What I'd like to be able to do before I set up said firewall is
> set up a sort of packet sniffer box in between the internet and one of the
> servers that this person is using. Hopefully to find out who they are and
> what they are doing.
That's fine, but you've prolly missed the window of opportunity to gather
evidentiary data which could be used to convict the attacker(s).
The best you'll probably be able to do is determine what exploits they used
etc. In the meantime, while setting up the sniffer etc, the attacker is using
your system(s) to compromise others, bounce mail off of, steal company IP, etc.
Nice exercise to do from an administrative point of view, but not good from a
Also, make sure your IT manager(s) know what you're doing.
> I was currently working on setting up a linux box to
> install that netsaint package that I asked about a few weeks back. So
> currently we have a Slackware 4.0 (2.2.6 kernel) box which has the
> default setup + latest apache php 4 and mysql. I can add a second nic
> and turn off all services and use this box.
I would question the need for a web server plus scripting languages on this sort
of machine. The last thing you need is for your sniffer logs to be compromised.
> It will have to fit in seamlessly and both my work colleagues and
> the intruder must not suspect any change. I was thinking that it would be
> something like below:
The diagram shows the existing network being split in half. For one, I don't
see how this can work without one or the other networks being re-addressed or
subnetted (which will impact users). Also, as soon as you bring up this box,
the attacker will know about it (through ARP broadcasts). Do you think the
attacker is NOT running a sniffer as well?
I would suggest that you configure this sniffer as such:
The sniffer machine sits off a hub on the network, with its network interface
set to promiscuous mode. Because there is no re-subnetting etc, there is no
impact to existing users, or the attacker.
You should also install a firewall on this box, and turn off everything you
don't need (like web servers, X, databases, portmap, etc).
> I was thinking of using snort for this as I've heard
> it's pretty comprehensive and I've seen the ruleset generation page and
Snort is your friend in this case, along with the original sniffer logs.
When you're finished, burn the logs to CDROM.
Rebecca Richards, CCSA CCSE, Unix/Security Consultant, e-Secure Pty Ltd
"Secure in a Networked World" Phone: (02) 9438 4984 Fax: (02) 9438 4986
Suite 201, 2-4 Pacific Highway Mobile: 0412 823 206
St Leonards NSW Australia Email: r.richards@xxxxxxxxxxxxxxx
ACN 068 798 194 http://www.e-secure.com.au