Hi Sluggers,

         Can I have some feedback on whether the following is on the right 
track, wrong, or completely not worth the effort.

         The place where I work has been compromised mainly due to the fact 
they are primarily a M$ shop and so they have no firewall currently (that 
is now going to change, thankfully, so our number of Linux boxes will be on the 
increase). They also have each individual workstation / server / printer 
given an internet IP address (this is also going to change once said 
firewall is set up), which was just asking for trouble.

         What I'd like to be able to do before I set up said firewall is 
set up a sort of packet sniffer box in between the internet and one of the 
servers that this person is using, hopefully to find out who they are and 
what they are doing. I was currently working on setting up a Linux box to 
install that netsaint package that I asked about a few weeks back. So 
currently we have a Slackware 4.0 (2.2.6 kernel) box which has the default 
setup + latest Apache, PHP 4 and MySQL. I can add a second NIC, turn off 
all services and use this box.

         It will have to fit in seamlessly, and both my work colleagues and 
the intruder must not suspect any change. I was thinking that it would be 
something like below (excuse the crudeness of my diagram; I don't draw them 
that often). The basic idea would have the packet sniffer in a setup similar 
to a firewall.

INTERNET -----------         ------------- Server
                    |         |             (non real IP)
                    |         |
                    Packet sniffer
                    (2 x NICs & server's orig IP)

The packet sniffer box would IP MASQ (or ipchains forward, perhaps?) all 
packets onto the compromised server. It would also have to log all 
suspect connections. I was thinking of using snort for this, as I've heard 
it's pretty comprehensive, and I've seen the ruleset generation page and 
think it's quite a snazzy feature.

Thanks in advance,
Paul (who is now out to spec up a firewall box and re-read the firewall howto)

"The generation of random numbers is too important to be left to chance."
-- anon.



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
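Since the point of the sniffer box is to learn from snort's logs who the intruder is and what they are doing, here is an added example (not part of Paul's post, and not snort's own code) that boils a snort "fast"-style one-line alert file down to a per-source summary. The alert lines are constructed for this example, and the regular expression assumes snort's one-line alert layout (timestamp, `[**] message [**]`, optional classification/priority, `{PROTO}`, `src:port -> dst:port`).

```python
import re
from collections import defaultdict

# Constructed sample alerts in snort's one-line ("fast") alert style.
# Addresses, ports, SIDs and rule messages are made up for this example.
# Run snort on the internet-facing NIC so the addresses logged are the
# ones the intruder actually sends, before any forwarding to the server.
SAMPLE_ALERTS = """\
03/14-02:11:07.118293  [**] [1:1000001:1] LOCAL ICMP sweep of server [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 192.0.2.77 -> 203.0.113.10
03/14-02:11:09.551120  [**] [1:1000002:1] LOCAL suspicious cgi-bin request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:3421 -> 203.0.113.10:80
03/14-02:11:09.902211  [**] [1:1000002:1] LOCAL suspicious cgi-bin request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.77:3422 -> 203.0.113.10:80
03/14-02:13:41.007732  [**] [1:1000003:1] LOCAL telnet to compromised server [**] [Priority: 1] {TCP} 198.51.100.5:1025 -> 203.0.113.10:23
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[[^\]]*\])*"                       # optional [Classification: ..] [Priority: n]
    r"\s*(?:\{(?P<proto>\w+)\}\s+)?"            # optional {TCP} / {UDP} / {ICMP}
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alert(line):
    """Parse one snort fast-alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    for key in ("sport", "dport"):            # ICMP alerts carry no ports
        a[key] = int(a[key]) if a[key] else None
    return a

def summarize(lines):
    """Group alerts by source address: hit count, server ports touched, rules fired, time span."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "msgs": set(), "first": None, "last": None})
    for line in lines:
        a = parse_alert(line)
        if a is None:                          # skip blank/unparseable lines
            continue
        e = by_src[a["src"]]
        e["hits"] += 1
        if a["dport"] is not None:
            e["dports"].add(a["dport"])
        e["msgs"].add(a["msg"])
        e["first"] = e["first"] or a["ts"]
        e["last"] = a["ts"]
    return dict(by_src)

if __name__ == "__main__":
    for src, e in sorted(summarize(SAMPLE_ALERTS.splitlines()).items()):
        print(f"{src}: {e['hits']} alerts, ports {sorted(e['dports'])}, {e['first']} .. {e['last']}")
        for msg in sorted(e["msgs"]):
            print(f"    {msg}")
```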
