sniffer black box

Discussion in 'Computer Security' started by Nosnos, Oct 28, 2003.

  1. Nosnos

    Nosnos Guest

    hi,

    I must make a black box that will sniff and log all the traffic that is
    incoming and outgoing from the net.

    Its main function will be to supervise all the users of the LAN, and warn
    root if someone is using the company's network for inappropriate usage ....

    It must particularly filter HTTP (the URL and the date of the connection),
    FTP, IRC, POP, SMTP ......

    I must put all the information in a database.

    Do you know a good sniffer (or maybe another method?) that can check the net
    in order to give me some precise information about the traffic?

    Which OS should I install for better performance?

    thx
    Nosnos, Oct 28, 2003
    #1

  2. Hi

    I did the same thing with Snort NIDS : http://www.snort.org/

    Snort can be configured to generate alerts based on the packets it sees,
    and it is highly configurable.

    It can send alerts via email, SMB messages (windows), etc
    and log everything in a log file, in a database, ...

    You may also tell Snort to log the content of these suspicious
    packets, so you may do more precise analysis of "what was
    going on yesterday night when the bandwidth peaked".

    I usually run Snort on linux, you may see on this link which OS
    Snort can run on :
    http://www.snort.org/about.html

    For real-time network analysis, I also recommend ntop from
    http://www.ntop.org/ , with this tool you can quickly determine
    which protocols are used on the network.

    ex (Ntop has a web based interface) http://www.ntop.org/ntop2.jpg

    but it cannot detect suspicious activity like Snort could do.

    Hope it helps

    Ciao

    ---------------------------------------------------------------
    Maxime Ducharme
    Administrateur reseau, Programmeur


    ----- Original Message -----
    From: "Nosnos" <nosnos94@_NO_SPAM_wanadoo.fr>
    Newsgroups: alt.computer.security,alt.os.security,comp.os.linux.security,comp.security.firewalls
    Sent: Tuesday, October 28, 2003 3:48 PM
    Subject: sniffer black box


    > hi,
    >
    > I must make a black box that will sniff and log all the traffic that are
    > income and outcome from the net.
    >
    > His main function will be to supervise all the user of the lan, and warn a
    > root if someone is using the comany's network for unappropriate using ....
    >
    > It must particularly filters http (the url and the date of the connexion) ,
    > ftp, irc, pop, stmp ......
    >
    > I must put all informations in a database.
    >
    > Do you know a good sniffer (maybe another method ?.) that can check the net
    > in order to give me some precise informations about the traffic ?
    >
    > Which OS must I installed for better performance ?
    >
    > thx
    >
    >
    Maxime Ducharme, Oct 28, 2003
    #2

  3. Nosnos wrote:

    > I must make a black box that will sniff and log all the traffic that are
    > income and outcome from the net.
    > His main function will be to supervise all the user of the lan, and warn a
    > root if someone is using the comany's network for unappropriate using ....
    > It must particularly filters http (the url and the date of the connexion)
    > , ftp, irc, pop, stmp ......
    > I must put all informations in a database.
    > Do you know a good sniffer (maybe another method ?.) that can check the
    > net in order to give me some precise informations about the traffic ?
    > Which OS must I installed for better performance ?


    Look at "ipaudit": it logs every connection, is highly performant, and easy to
    install. OS? Any modern Linux will do, I prefer Debian.

    cu Florian
    Florian Reitmeir, Oct 29, 2003
    #3
  4. Nosnos

    Peter Eberz Guest

    Hello,
    beside the technical possibilities of doing so you should consider as well
    your local law on this topic before ending in jail. The regulations are
    different from country to country and I am not an expert on it at all. The
    legal regulations normally limit what you are allowed to do and, if you are
    allowed to collect the data, how long you are allowed to store it. Further,
    normally the employees must be informed that such a sniffer exists on the
    network. Just to lay out a few cases to make it clear how sensitive this
    topic is:
    One of your colleagues is sending an email to his doctor. You are not
    supposed to read that nor to store this in a database where maybe someone
    else can read it as well.
    When you are going to log SMTP traffic, I don't know if you are allowed to
    read the emails of your boss. If you use secured SMTP there is no
    information to retrieve at all except that someone sends an email.
    Another issue is the security of that sniffer machine that stores all
    this sensitive information. You have to secure it very well so that nobody
    else gets access to the collected data.

    Depending on what kind of problems you are facing there might be better
    and easier solutions.
    - If there is access to internet services that are not related to work
    (eDonkey, ...): block traffic to these ports on the firewall.
    - If a single user is utilizing all the bandwidth from your external
    connection: use a packet shaper or any other way of bandwidth control.
    - Access to non work related websites: create a simple log which contains
    just date, time, local computer, user name and the URL. Make an internal
    agreement inside your company that this list will be published on your
    intranet and can be viewed by everyone. Use a proxy to do further filtering.


    Bye,
    Peter



    > hi,
    >
    > I must make a black box that will sniff and log all the traffic that are
    > income and outcome from the net.
    >
    > His main function will be to supervise all the user of the lan, and warn a
    > root if someone is using the comany's network for unappropriate using ....
    >
    > It must particularly filters http (the url and the date of the connexion) ,
    > ftp, irc, pop, stmp ......
    >
    > I must put all informations in a database.
    >
    > Do you know a good sniffer (maybe another method ?.) that can check the net
    > in order to give me some precise informations about the traffic ?
    >
    > Which OS must I installed for better performance ?
    >
    > thx
    Peter Eberz, Oct 29, 2003
    #4
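Peter's third bullet describes a minimal usage log (date, time, local computer, user name, URL) and his opening paragraph a limit on how long collected data may be kept. As an added example, not code from the thread or from any tool named in it, the Python sketch below stores exactly those five fields in SQLite, discards everything else a capture would see for a request (headers, cookies, body, the URL's query string and fragment), and purges rows older than a retention period. The event shape, the column names, the 30-day default and the sample events are all assumptions made here.

```python
"""Minimal HTTP usage log with a retention limit.

Added example, not code from the thread or any tool in it. It keeps only
the five fields Peter lists (date, time, local computer, user name, URL),
never stores headers, cookies or bodies, strips the URL query string, and
deletes rows past a retention period. Column names, the 30-day default
and the sample events are assumptions of this example.
"""
import sqlite3
from datetime import datetime, timedelta
from urllib.parse import urlsplit, urlunsplit

SCHEMA = """CREATE TABLE IF NOT EXISTS http_usage (
    log_date TEXT NOT NULL, log_time TEXT NOT NULL,
    client TEXT NOT NULL, user_name TEXT, url TEXT NOT NULL)"""

# Constructed request events, shaped like what a capture tool might hand over.
# Headers and body are present on the event only to show that they are dropped.
SAMPLE_EVENTS = [
    {"when": datetime(2003, 10, 28, 15, 48, 12), "client": "pc-012.example.local",
     "user": "nosnos", "url": "http://www.snort.org/about.html?ref=newsgroup#top",
     "headers": {"Cookie": "session=not-for-the-log"}, "body": ""},
    {"when": datetime(2003, 9, 1, 9, 0, 0), "client": "pc-007.example.local",
     "user": None, "url": "http://www.ntop.org/", "headers": {}, "body": ""},
]


def minimal_record(event):
    """Reduce a full request event to the five agreed fields."""
    p = urlsplit(event["url"])
    url = urlunsplit((p.scheme, p.netloc, p.path, "", ""))  # drop query and fragment
    when = event["when"]
    return {"log_date": when.strftime("%Y-%m-%d"), "log_time": when.strftime("%H:%M:%S"),
            "client": event["client"], "user_name": event.get("user"), "url": url}


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def record_request(conn, event):
    """Store only the minimal record; the rest of the event is never written."""
    conn.execute("INSERT INTO http_usage VALUES (:log_date, :log_time, :client, :user_name, :url)",
                 minimal_record(event))
    conn.commit()


def purge_older_than(conn, now, days=30):
    """Delete rows older than the retention period; return how many were removed."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%d")
    cur = conn.execute("DELETE FROM http_usage WHERE log_date < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def stored_columns(conn):
    """Column names actually in the table, to check nothing extra is kept."""
    return [row[1] for row in conn.execute("PRAGMA table_info(http_usage)")]


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM http_usage").fetchone()[0]


def demo(now=datetime(2003, 10, 30)):
    """Record the sample events, purge, and return (before, purged, after)."""
    conn = open_db()
    for ev in SAMPLE_EVENTS:
        record_request(conn, ev)
    before = row_count(conn)
    purged = purge_older_than(conn, now)
    return before, purged, row_count(conn)


if __name__ == "__main__":
    print(demo())
```

The point of `stored_columns` is auditability: anyone reviewing the box can confirm from the schema alone that no request body or header column exists, which is easier to defend under the internal agreement Peter describes than a promise that such fields are "not used".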
  5. Nosnos

    Nosnos Guest


    > Hi

    Hi, thx for your answer

    >
    > I did the same thing with Snort NIDS : http://www.snort.org/

    Yes, the famous Snort
    But was your box an IDS or a sniffer like what I must do?

    >
    > Snort can be configured to generate alerts based packets it sees,
    > and it is highly configurable.

    Yes, but the great question is: can we use Snort only to log the traffic
    with the following information:
    the source IP (or more) - the destination (IP or more) - protocol -
    eventually more info like date, filename if FTP etc. etc. (more info would be
    appreciated)

    I know that Snort is a good IDS, and it contains a sniffer mode, but the
    other question is: what is better between using Snort sniffer mode (the log
    seems to be hard to parse) and using Snort in IDS mode and setting the rules for
    a full sniffer use (I don't know if it is possible) and letting the large tools
    available for reading logs/databases produced by the IDS analyse the traffic
    ......

    I should make clear that for the moment I do not want IDS functions ... just to analyse
    the usage of the LAN by everybody
    >
    > It can send alerts via email, SMB messages (windows), etc
    > and log everything in a log file, in a database, ...

    Yes I saw it, it is very powerful

    >
    > You may also tell Snort to log the content of these suspicious
    > packets, so you may do more precise analysis of "what was
    > going on yesterday night when the bandwidth peaked".
    >
    > I usually run Snort on linux, you may see on this link which OS
    > Snort can run on :
    > http://www.snort.org/about.html

    I think that I will run it on Gentoo, but will a Linux box be powerful
    enough with eth0?

    >
    > For real-time network analysis, I also recommend ntop from
    > http://www.ntop.org/ , with this tool you can fastly determine
    > which protocols are used on the network.
    >
    > ex (Ntop has a web based interface) http://www.ntop.org/ntop2.jpg
    >
    > but it cannot detect suspicious activity like Snort could do.

    Ok thx, I will test it

    >
    > Hope it helps

    Sure it helps me, thx a lot
    >
    > Ciao

    ++
    A bientot ;)
    >
    > ---------------------------------------------------------------
    > Maxime Ducharme
    > Administrateur reseau, Programmeur
    Nosnos, Oct 30, 2003
    #5
  6. Nosnos

    Nosnos Guest


    >
    > Look at "ipaudit" it logs every connection, is high perfomant, and easy to
    > install. OS ? any modern Linux will do, i prefer debian.

    Maybe Gentoo for me, but maybe it is not a good solution?

    Maybe FreeBSD, OpenBSD, NetBSD?
    >
    > cu Florian
    Nosnos, Oct 30, 2003
    #6
  7. Nosnos

    Nosnos Guest


    > Hello,
    > beside the technical posibilities of doing so you should consider as well
    > your local law on this topic before ending in jail. The regulations are
    > different from country to country and I am not an expert on it at all. The
    > legal regulations normaly limit what you are allowed to do and if you are
    > allowed to collect the date how long are you allowed to store it. Further,
    > normaly the employees must be informed that such a sniffer exists on the
    > network. Just to lay out a few cases to make it clear how sensitive this

    Yes, my boss told me that before installing the black box, every employee
    will be informed of the system, and must sign a paper (a charter) which
    specifies that the company's network must not be used for personal
    usage.

    > topic is:
    > One of your colleags is sending an email to his doctor. You are not
    > suppost to read that nor to store this in a database where maybe someone
    > else can read it as well.

    Yes, it is not planned to store the contents of mail or of files downloaded.
    The box will just store at least the source (IP or hostname) and the
    destination (URL, IP, hostname), the protocol ... and maybe other
    information (that the law permits).

    > When you are going to log smtp traffic I don't now if you are allowed to
    > read the emails of your boss? If you use secured smtp there is no
    > information to retrieve at all except that someone sends an email.
    > An other issue is the security of that sniffer machine that stores all
    > this sensible informations. You have to secure it very well that nobody
    > else gets access to the collected data.

    Yes, it is very critical to have a secure environment ...

    >
    > Depending on what kind of problems you are facing there might be better
    > and easier solutions.
    > - If there is access to internet services that are not related to work.
    > (eDonkey,..)
    > Block traffic to these ports on the firewall.

    Yes, but our goal is just logging traffic and securing our own box; security
    of the network is for the administrator

    > - If a single user is utilizing all the bandwidth from your external
    > connection.
    > Use a packet shaper or any other way of bandwidth control.
    > - Access to non work related websites.
    > Create a simple log which contains just date,time,local computer, user
    > name and the URL. Make an internal agreement inside your company that this
    > list will be published on your intranet and can be viewed by everyone.

    Yes ;))

    > Use a Proxy to do further filtering.

    Just a question that is coming to my mind: to filter all the traffic with a
    sniffer, must we install a proxy and configure it to redirect all the
    traffic toward the proxy?
    This method would be a little harder to do

    >
    >
    > Bye,
    > Peter
    >
    Nosnos, Oct 30, 2003
    #7
  8. "Nosnos" <nosnos94@_NO_wanadoo_SPAM_.fr> wrote in message
    news:bnqj59$83v$...
    >
    > > Hi

    > Hi thx for your answer
    >


    Hi again

    > >
    > > I did the same thing with Snort NIDS : http://www.snort.org/

    > Yes the famous Snort
    > But was your Box an IDS or a snffer liker what I must do ?


    No


    >
    > >
    > > Snort can be configured to generate alerts based packets it sees,
    > > and it is highly configurable.

    > Yes but the great question is : Can we use Snort only to log the traffic
    > with the following information :
    > the Source IP (or more) - The destination (IP or more) - protocol -
    > eventually more info like date, filename if ftp etcetc (more info could be
    > appreciate)
    >
    > I know that Snort is a good IDS, and it contains a sniffer mode, but the
    > other question is : what is better between using Snort sniffer mode (The log
    > seems to be hard to parse) and using Snort in IDS mode and set the rules for
    > a full sniffer use (I don't know if it is possible) and let the large tools
    > avaible reading logs/DataBase produce by the IDS to analyse the traffic
    > .....


    Depends if you want to log every traffic or only suspicious traffic

    I would suggest sniffer mode with some rules to make logs easier to parse


    >
    > I precise that for the moment I do not want IDS functions ... just analyse
    > the using of the LAN by everybody
    > >


    Like Florian said, ipaudit would be nice too


    > > It can send alerts via email, SMB messages (windows), etc
    > > and log everything in a log file, in a database, ...

    > Yes I saw it, it is very powerfull
    >
    > >
    > > You may also tell Snort to log the content of these suspicious
    > > packets, so you may do more precise analysis of "what was
    > > going on yesterday night when the bandwidth peaked".
    > >
    > > I usually run Snort on linux, you may see on this link which OS
    > > Snort can run on :
    > > http://www.snort.org/about.html

    > I think that I will run it on gentoo, but is a linux will be enought
    > powerfull with eth0 ?


    my box ran on 40 mbits traffic without problems


    >
    > >
    > > For real-time network analysis, I also recommend ntop from
    > > http://www.ntop.org/ , with this tool you can fastly determine
    > > which protocols are used on the network.
    > >
    > > ex (Ntop has a web based interface) http://www.ntop.org/ntop2.jpg
    > >
    > > but it cannot detect suspicious activity like Snort could do.

    > Ok Thx I will test it
    >
    > >
    > > Hope it helps

    > Sure it helps me, thx a lot
    > >
    > > Ciao

    > ++
    > A bientot ;)



    À plus :-]


    ---------------------------------------------------------------
    Maxime Ducharme
    Administrateur reseau, Programmeur
    Maxime Ducharme, Oct 30, 2003
    #8
  9. "Nosnos" <nosnos94@_NO_SPAM_wanadoo.fr> wrote in message
    news:XCAnb.1020$...
    > hi,
    >
    > I must make a black box that will sniff and log all the traffic that are
    > income and outcome from the net.
    >
    > His main function will be to supervise all the user of the lan, and warn a
    > root if someone is using the comany's network for unappropriate using ....
    >
    > It must particularly filters http (the url and the date of the connexion) ,
    > ftp, irc, pop, stmp ......
    >
    > I must put all informations in a database.
    >
    > Do you know a good sniffer (maybe another method ?.) that can check the net
    > in order to give me some precise informations about the traffic ?
    >
    > Which OS must I installed for better performance ?
    >
    > thx


    Sounds like you need to talk to "SandStorm" in Cambridge. They make a box to
    do precisely this, capable of tracking and re-assembling every
    connection of a fully loaded 100 MHz feed.

    The other question is why you want to do this, and what you will do with the
    data, which are very serious policy issues your company should discuss with
    its lawyers before proceeding.
    Nico Kadel-Garcia, Oct 31, 2003
    #9
  10. Nosnos

    ral Guest

    Maxime Ducharme wrote:
    <snip>
    >
    > For real-time network analysis, I also recommend ntop from
    > http://www.ntop.org/ , with this tool you can fastly determine
    > which protocols are used on the network.


    This is a good tool. Thx's for the info.

    Best regards,



    <snip>
    > Ciao
    >
    > ---------------------------------------------------------------
    > Maxime Ducharme
    > Administrateur reseau, Programmeur
    >
    ral, Nov 1, 2003
    #10
  11. Nosnos

    nosnos Guest


    > Sounds like you need to talk to "SandStorm" in Cambridge. They make a box to
    > do precisely this, capable of tracking of tracking and re-assembling every
    > connection of a fully loaded 100 MHz feed.

    Ok I will see
    >
    > The other question is why you want to do this, and what you will do with the
    > data, which are very serious policy issues your company should discuss with
    > its lawyers before proceeding.

    Yes, before installing this system, every employee has to sign a policy
    paper that specifies that the LAN is analysed by a black box.
    >
    >
    nosnos, Nov 2, 2003
    #11
  12. Nosnos

    nosnos Guest


    > Depends if you want to log every traffic or only suspicious traffic
    >
    > I would suggest sniffer mode with some rules to makes logs easier to parse

    OK

    > >
    > > >
    > > > You may also tell Snort to log the content of these suspicious
    > > > packets, so you may do more precise analysis of "what was
    > > > going on yesterday night when the bandwidth peaked".
    > > >
    > > > I usually run Snort on linux, you may see on this link which OS
    > > > Snort can run on :
    > > > http://www.snort.org/about.html

    > > I think that I will run it on gentoo, but is a linux will be enought
    > > powerfull with eth0 ?

    >
    > my box ran on 40 mbits traffic without problems

    I want to know if your black box can work on a LAN with a switch?
    Where is your BB on your network? It must surely be on the proxy, isn't it?
    If not, how could it analyse all the traffic if the LAN is connected by a
    switch?

    The box must be placed near the output to the internet ... so it must have 2
    network cards? One for the input data (from the company network), the
    second for the output data (so the same data) that goes toward the net?

    ++
    nosnos, Nov 2, 2003
    #12
  13. Nosnos

    Bob George Guest

    Nosnos wrote:
    > [...]
    > Yes the famous Snort
    > But was your Box an IDS or a snffer liker what I must do ?


    Snort can EASILY be configured to do what you're describing. It can be
    used in MANY modes, not only IDS. You can sniff everything, or be very
    specific about what it logs. I've used it many times for network
    testing. All you need to do is master the filter language rules, then
    have a basic understanding of what traffic is of interest. There are
    existing rules that give plenty of starting points.

    > Yes but the great question is : Can we use Snort only to log the traffic
    > with the following information :
    > the Source IP (or more)


    Yes (easy)

    > - The destination (IP or more)


    Yes (easy)

    > - protocol -


    Yes (easy)

    > eventually more info like date, filename if ftp etcetc (more info could be
    > appreciate)


    Yes (though may require tweaking existing rules, or creating new ones --
    not hard.)

    > I know that Snort is a good IDS, and it contains a sniffer mode, but the
    > other question is : what is better between using Snort sniffer mode (The log
    > seems to be hard to parse)


    That's more of a report tool function. There are several you can modify,
    depending on what you want.

    > and using Snort in IDS mode and set the rules for
    > a full sniffer use (I don't know if it is possible)


    Well, in loose terms, a NIDS is a "sniffer" that looks for specific
    (configurable) patterns, so yes.

    > I precise that for the moment I do not want IDS functions ... just analyse
    > the using of the LAN by everybody


    Don't get too caught up on the term "IDS". Snort can be used in many
    modes, including exactly what you're describing.

    > I think that I will run it on gentoo, but is a linux will be enought
    > powerfull with eth0 ?


    That will depend on what you try to capture. The trick is to have JUST
    ENOUGH rules to capture what's of interest, while letting the
    uninteresting traffic go by without logging etc.

    As far as sniffing on a switched network: Short of doing something like
    ARP spoofing, your best bet is to position the "black box" in a location
    where it will see all of the traffic of interest. If you're interested
    in Internet usage, then put it near the Internet ingress/egress point
    (firewall likely). Most higher end switches support a "span" (cisco) or
    monitor port of some sort which will let you see ALL traffic on the
    switch (or at least the firewall interface port) for monitoring. I've
    done this with various Cisco, and recently 3Com gear.

    - Bob
    Bob George, May 11, 2004
    #13
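Nosnos asked (message #5) for a log of source IP, destination, protocol and date, and Bob answers that turning Snort's output into something readable is a report-tool job. As an added example, not code from the thread or from the Snort project, the Python below parses Snort's one-line `alert_fast` output (the `MM/DD-HH:MM:SS.usec [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port` format of Snort 2) into those fields, loads them into SQLite and produces a simple per-host and per-protocol report. The sample alert lines are constructed, the year is supplied by the caller because `alert_fast` omits it, and the parser assumes IPv4 addresses.

```python
"""Turn Snort alert_fast lines into a connection table and a short report.

Added example, not code from the thread or from Snort. Sample lines are
constructed; the alert_fast timestamp has no year, so the caller supplies
one; only IPv4 endpoints are handled (assumptions of this example).
"""
import re
import sqlite3
from datetime import datetime

# Shape of one Snort 2 alert_fast line (Classification and ports are optional,
# e.g. rules without a classtype, or ICMP traffic):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:port -> dst:port
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<pri>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>" + IPV4 + r")(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>" + IPV4 + r")(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample output, in the form Snort's alert_fast logger writes.
SAMPLE_ALERTS = [
    "10/28-15:48:12.123456  [**] [1:1000001:1] HTTP request to external host [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51234 -> 93.184.216.34:80",
    "10/28-15:48:40.654321  [**] [1:1000002:1] FTP control channel [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.168.1.10:51240 -> 198.51.100.7:21",
    "10/28-15:50:01.000001  [**] [1:1000003:1] ICMP echo to gateway [**] "
    "[Priority: 3] {ICMP} 192.168.1.22 -> 192.168.1.1",
    "this line is not an alert and is counted as skipped",
]


def parse_alert(line, year):
    """Return one dict per alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime("%d/%s" % (year, m.group("ts")), "%Y/%m/%d-%H:%M:%S.%f")
    return {
        "ts": when.isoformat(sep=" "),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
    }


SCHEMA = """CREATE TABLE IF NOT EXISTS connections (
    ts TEXT NOT NULL, sid INTEGER, msg TEXT, proto TEXT,
    src TEXT NOT NULL, sport INTEGER, dst TEXT NOT NULL, dport INTEGER)"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def load_alerts(conn, lines, year):
    """Insert every parseable line; return (inserted, skipped)."""
    inserted = skipped = 0
    for line in lines:
        rec = parse_alert(line, year)
        if rec is None:
            skipped += 1
            continue
        conn.execute(
            "INSERT INTO connections VALUES "
            "(:ts, :sid, :msg, :proto, :src, :sport, :dst, :dport)", rec)
        inserted += 1
    conn.commit()
    return inserted, skipped


def top_talkers(conn, limit=5):
    """Internal sources ranked by number of logged connections: the report part."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM connections "
        "GROUP BY src ORDER BY n DESC, src LIMIT ?", (limit,)).fetchall()


def connections_by_proto(conn):
    """Per-protocol counts, the 'which protocols are used' view ntop gives."""
    return dict(conn.execute(
        "SELECT proto, COUNT(*) FROM connections GROUP BY proto").fetchall())


if __name__ == "__main__":
    db = open_db()
    print("inserted/skipped:", load_alerts(db, SAMPLE_ALERTS, 2003))
    print("by protocol:", connections_by_proto(db))
    for src, n in top_talkers(db):
        print(src, n)
```

Unparseable lines are counted rather than silently dropped, so a change in Snort's output format (or a truncated log) shows up as a rising `skipped` count instead of as quietly missing connections.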
  14. Nosnos

    g33k Guest

    On 2003-10-28 14:48:53 -0600, "Nosnos" <nosnos94@_NO_SPAM_wanadoo.fr> said:

    > hi,
    >
    > I must make a black box that will sniff and log all the traffic that are
    > income and outcome from the net.
    >
    > His main function will be to supervise all the user of the lan, and warn a
    > root if someone is using the comany's network for unappropriate using ....
    >
    > It must particularly filters http (the url and the date of the connexion) ,
    > ftp, irc, pop, stmp ......
    >
    > I must put all informations in a database.
    >
    > Do you know a good sniffer (maybe another method ?.) that can check the net
    > in order to give me some precise informations about the traffic ?
    >
    > Which OS must I installed for better performance ?
    >
    > thx


    I am currently working for a startup IT company as their security
    consultant, and will be installing an invisible sniffer on the network
    capable of doing what you're looking for. I would _highly_ suggest
    using Network Security Monitoring.

    I have mirrored a copy of the whitepaper here:
    http://www.geekgalore.com/~seraph/nsm.pdf

    This gives a layered approach to your situation, and is very flexible.
    The pdf explains everything much better than I might be able to, and
    also gives a solution to only logging the information you'd like. Quite
    a remarkable technique and grouping of software, really.
    g33k, May 11, 2004
    #14