Yeah, I guess it would be a waste of resources. It would still prove to be a 
worthwhile setup to detect any future attempts though, wouldn't it? I seem 
to recall reading on the Snort site that the optimum setup is to have one 
Snort running outside the firewall and one inside the firewall; that way 
you can see who's attempted what and you can also see who got through with 
what.

On a side note, I was looking at Gateway and Dell for potential ready-made 
firewalls. They both seem to offer easily configurable purpose-built 
machines (e.g. Gateway's micro server or Dell's power web server). Are there 
any problems with these servers? I am worried that they may not be fully 
configurable and updatable and was wondering if anyone has had any 
experience with this sort of server. Is it better to just get a regular 
PC and set it all up manually?
We kind of need a quick solution as productivity is suffering due to the 
effect that the compromise has had (DoS effects when the person assumes the 
identity of another machine on our network).

Again, thanks in advance,
Paul

At 01:32 PM 6/05/2001 +1000, Del wrote:
> >          What I'd like to be able to do before I set up said firewall is
> > set up a sort of packet sniffer box in between the internet and one of the
> > servers that this person is using. Hopefully to find out who they are and
> > what they are doing.
>
>Right answer, wrong problem.
>
>Who they are is a relayed attack through some other compromised machine
>somewhere else, probably in Brazil, Pakistan, Greece, or Saudi Arabia.
>That compromised machine is probably relaying data from a third machine
>which in turn relays from a fourth ... etc.  You may have to involve
>Interpol in a search for the real hacker, or at least CERT.
>
>What are they doing?  Probably going around the internet seeing how
>many m4ch1n3s th3y can 0wn3d l1k3 y00r s0rry 4rs3 b3cuz th3y 4r3
>1337 d00d!  If you're really lucky they might actually do something
>useful with your machine, like D0S M1cr0s0ft!!!
>
>It's not worth your trouble.  Besides, who cares?
>
>Find out how they got in.  My guess:  Because you didn't have a firewall.
>End of answer.  Once you have that answer, find out how to keep them out.
>I think you can guess the answer to that one.
>
>Believe me, tracking hackers back to home base is just not worth it.
>Besides, once your hacker is kicked out of his dial-up account for h4x0ring
>your b0x, they'll just use one of the other 500 or so accounts they managed
>to get off the phreakers mailing lists.  If it's really important that you
>track the guy down because there's some kind of industrial espionage issue
>going on and you want to prosecute, then call in the experts to do it.
>
>Del
>
>--
>SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
>More Info: http://lists.slug.org.au/listinfo/slug
-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
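Paul's two-sensor idea above (one Snort outside the firewall, one inside) only pays off if someone actually compares the two alert streams. The following is an added example, not code from the thread or from the Snort project: it parses alert lines in the style of Snort's one-line "fast" alert output (the exact field layout is assumed here) and correlates the outside and inside sensors to separate attempts the firewall blocked from those that got through. All alert lines are constructed for the example; the addresses are documentation ranges, not real hosts.

```python
import re

# Constructed sample alerts, written in the style of Snort's "fast" alert format
# (assumed layout: timestamp [**] [gid:sid:rev] message [**] [Priority: n] {proto} src:port -> dst:port).
OUTSIDE_ALERTS = """\
05/06-13:40:01.000001  [**] [1:2001:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 203.0.113.9:40001 -> 192.0.2.10:22
05/06-13:40:02.000002  [**] [1:2002:1] WEB-MISC probe [**] [Priority: 2] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80
05/06-13:40:03.000003  [**] [1:2003:1] RPC portmap request [**] [Priority: 1] {UDP} 198.51.100.7:5555 -> 192.0.2.10:111
"""
INSIDE_ALERTS = """\
05/06-13:40:02.000200  [**] [1:2002:1] WEB-MISC probe [**] [Priority: 2] {TCP} 203.0.113.9:40002 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(r"""
    ^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]
    (?:\s+\[Priority:\s*(?P<prio>\d+)\])?\s+\{(?P<proto>\w+)\}\s+
    (?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$
""", re.VERBOSE)


def parse_alerts(text):
    """Turn fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["prio"] = int(a["prio"]) if a["prio"] else None
        alerts.append(a)
    return alerts


def attempt_key(alert):
    """Fields that identify 'the same attempt' on both sensors (timestamps differ slightly)."""
    return (alert["sid"], alert["proto"], alert["src"], alert["dst"], alert["dport"])


def correlate(outside, inside):
    """Split attempts into: blocked (outside only), passed (both), inside_only (never seen outside)."""
    outside_keys = {attempt_key(a): a for a in outside}
    inside_keys = {attempt_key(a): a for a in inside}
    return {
        "blocked": [a for k, a in outside_keys.items() if k not in inside_keys],
        "passed": [a for k, a in outside_keys.items() if k in inside_keys],
        "inside_only": [a for k, a in inside_keys.items() if k not in outside_keys],
    }


if __name__ == "__main__":
    report = correlate(parse_alerts(OUTSIDE_ALERTS), parse_alerts(INSIDE_ALERTS))
    for bucket, alerts in report.items():
        print(f"{bucket}:")
        for a in alerts:
            print(f"  {a['sid']} {a['msg']} {a['src']} -> {a['dst']}:{a['dport']}")
```

The "passed" bucket is the one worth alerting on, since it lists traffic the firewall policy let reach the server; "inside_only" is equally interesting, because an alert the outer sensor never saw usually means the source is already inside the network (which is exactly the identity-spoofing situation Paul describes). A real deployment would also bound the match by a time window rather than matching on fields alone.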
