Security for Network

Dave Hull dphull at insipid.com
Wed Oct 20 21:30:33 CDT 2004


Quoting djgoku <djgoku at gmail.com>:

> Today at work we are having problems with "Viruses/spyware/stuff" and
> I am wondering what I could setup in linux to say passive/active
> scanning a network for viruses/spyware/stuff.

Scanning? Try Nmap, http://insecure.org. Feature packed scanning of hosts,
networks, etc. Does a good job of fingerprinting remote operating systems,
which is handy for vulnerability assessment and risk analysis.

If you want something to do a passive fingerprint of a remote host, check out
p0f, http://lcamtuf.coredump.cx/p0f.shtml. Passive OS fingerprinting sounds
interesting, but I wonder, is there a faster way to passively fingerprint on a
switched network?

Hm.

> And stuff that looks for viruses/spyware/stuff trying to connect to ports it
> shouldn't be.

This is out of my realm of experience, as of this minute, some sort of packet
inspecting firewall device (hardware or software?) that uses signatures to
recognize naughty traffic, SNORT does this, no? If you want to use these same
signatures to *stop* this traffic, you'll want an intrusion prevention
system rather than an intrusion detection system.

> A packet sniffer would probably be one thing, my I don't know enough
> about tcp/ip/udp/stuff to work it and understand what it is showing
> me. I guess I might have to start reading up on packet sniffing. So
> tools I think might be good ethereal, snort, nmap.

tcpdump, ethereal and nmap, I have used and they are great tools that you should
have in your box. Snort probably is too, but I haven't had much experience with
it, yet.

If you do much programming and it ever touches the network, you'll be glad you
can reach for tcpdump or ethereal and look at what the client and the server
are actually saying to one another.

I enjoy writing code and have recently had occasion to work on a project that
pulls apart udp packets and examines their contents. I didn't do the socket side
of the application, so that's still vague to me, but if you read the RFCs and
know how to nest several loops together and can examine and compare array
elements on your way through the loop, you can see everything and use regexps to
filter out (or in) that which you care about.

I suspect there may be useful information available, even on switched networks.

On busy networks, I suspect the trick is keeping up with all the traffic, this
is when one needs fast processing and adequate buffering (a.k.a. hardware) to
host the code.

Best luck ever.

--
Dave Hull
http://insipid.com
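As an added example (not code from the thread or from any of the tools named in it), here is a minimal version of what Dave describes above: pulling apart Ethernet/IPv4/UDP frames by hand, checking the length fields before trusting them, and using a regexp to keep only the payloads you care about. The frames are constructed inside the block for testing, not captured traffic.

```python
import re
import struct

ETH_HDR, IPV4, IP_PROTO_UDP = 14, 0x0800, 17

def parse_udp_frame(frame: bytes):
    """Pull apart an Ethernet/IPv4/UDP frame by hand; None for anything else."""
    if len(frame) < ETH_HDR + 20 or struct.unpack("!H", frame[12:14])[0] != IPV4:
        return None
    ip = frame[ETH_HDR:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_UDP or ihl < 20 or total_len > len(ip):
        return None                              # not UDP, or truncated frame
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if ulen < 8 or ulen > len(udp):
        return None                              # UDP length field lies; drop it
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": udp[8:ulen]}

def build_frame(src, dst, sport, dport, payload, proto=IP_PROTO_UDP):
    """Construct a sample frame for testing (checksums left zero on purpose)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + ip + udp

def grep_udp(frames, pattern: bytes, ports=None):
    """Return (src, dst, dport, match) for each UDP payload matching a regexp."""
    rx, hits = re.compile(pattern), []
    for frame in frames:
        pkt = parse_udp_frame(frame)
        if pkt is None or (ports and pkt["dport"] not in ports):
            continue                             # skip non-UDP or uninteresting ports
        m = rx.search(pkt["payload"])
        if m:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"], m.group(0)))
    return hits

# Constructed sample traffic: a DNS-looking query, a syslog line, and one TCP frame.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.1", 40000, 53, b"\x12\x34\x01\x00example.test"),
    build_frame("10.0.0.5", "10.0.0.2", 40001, 514, b"<34>host01 sshd: Failed password"),
    build_frame("10.0.0.5", "10.0.0.3", 40002, 80, b"GET / HTTP/1.0", proto=6),
]
```

On a real capture you would feed `grep_udp` the raw frames from a pcap reader instead of `SAMPLE_FRAMES`; the length checks are what keep a malformed or truncated packet from throwing the parser off.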
