Quoting djgoku [email protected]:
Today at work we are having problems with "Viruses/spyware/stuff" and I am wondering what I could setup in linux to say passive/active scanning a network for viruses/spyware/stuff.
Scanning? Try Nmap, http://insecure.org. Feature packed scanning of hosts, networks, etc. Does a good job of fingerprinting remote operating systems, which is handy for vulnerability assessment and risk analysis.
If you want something to do a passive fingerprint of a remote host, check out p0f, http://lcamtuf.coredump.cx/p0f.shtml. Passive OS fingerprinting sounds interesting, but I wonder, is there a faster way to passively fingerprint on a switched network?
Hm.
And stuff that looks for viruses/spyware/stuff trying to connect to ports it shouldn't be.
This is out of my realm of experience, as of this minute, some sort of packet inspecting firewall device (hardware or software?) that uses signatures to recognize naughty traffic, SNORT does this, no? If you want to use these same signatures to <em>stop</em> this traffic, you'll want an intrusion prevention system rather than an intrusion detection system.
A packet sniffer would probably be one thing, but I don't know enough about tcp/ip/udp/stuff to work it and understand what it is showing me. I guess I might have to start reading up on packet sniffing. So tools I think might be good: ethereal, snort, nmap.
tcpdump, ethereal and nmap, I have used and they are great tools that you should have in your box. Snort probably is too, but I haven't had much experience with it, yet.
If you do much programming and it ever touches the network, you'll be glad you can reach for tcpdump or ethereal and look at what the client and the server are actually saying to one another.
I enjoy writing code and have recently had occasion to work on a project that pulls apart udp packets and examines their contents. I didn't do the socket side of the application, so that's still vague to me, but if you read the RFCs and know how to nest several loops together and can examine and compare array elements on your way through the loop, you can see everything and use regexps to filter out (or in) that which you care about.
I suspect there may be useful information available, even on switched networks.
On busy networks, I suspect the trick is keeping up with all the traffic; this is when one needs fast processing and adequate buffering (a.k.a. hardware) to host the code.
Best luck ever.
-- Dave Hull http://insipid.com
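Added example (not code from the thread or from Dave Hull): the "pull apart UDP packets, walk the bytes, filter the payload with regexps" approach described above, plus the "connecting to ports it shouldn't be" check from the original question. The frames are constructed in the script so it runs offline; on a real network you would feed it frames read from a libpcap capture (tcpdump -w) instead. The expected-port set and the payload patterns are assumptions made for the example, not Snort signatures.

```python
"""Parse Ethernet/IPv4/UDP frames by hand and flag suspicious ports and payloads.

Added example, not the thread's own code. Sample frames are constructed below;
the allowed-port list and regexps are illustrative assumptions.
"""
import re
import struct
from typing import List, NamedTuple, Optional

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


class UdpPacket(NamedTuple):
    src_ip: str
    dst_ip: str
    ttl: int
    src_port: int
    dst_port: int
    payload: bytes


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _dotted(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_ipv4_udp(frame: bytes) -> Optional[UdpPacket]:
    """Pull an IPv4/UDP datagram out of an Ethernet II frame; None for anything else or malformed."""
    if len(frame) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, ... : skip
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_UDP:
        return None
    if len(ip) < ihl + 8 or ip_checksum(ip[:ihl]) != 0:
        return None                      # truncated or corrupt header: don't trust the fields
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    end = min(ihl + ulen, total_len, len(ip))   # ignore trailing Ethernet padding
    return UdpPacket(_dotted(src), _dotted(dst), ttl, sport, dport, ip[ihl + 8:end])


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed test frame (not captured traffic): Ethernet II + IPv4 + UDP, UDP checksum left 0."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, ttl, IPPROTO_UDP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + udp


# Assumption for this example: the only UDP services workstations should talk to are DNS and NTP.
EXPECTED_UDP_PORTS = {53, 123}
# Illustrative payload patterns; a real deployment would use a maintained signature set (e.g. Snort's).
SUSPICIOUS_PAYLOAD = re.compile(rb"cmd\.exe|/bin/sh|JOIN\s+#|\.exe\b", re.IGNORECASE)


def inspect(frames: List[bytes]) -> List[str]:
    """Return one alert string per rule hit; non-UDP and malformed frames are skipped."""
    alerts = []
    for frame in frames:
        pkt = parse_ipv4_udp(frame)
        if pkt is None:
            continue
        flow = f"{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}"
        if pkt.dst_port not in EXPECTED_UDP_PORTS:
            alerts.append(f"unexpected port  {flow}")
        m = SUSPICIOUS_PAYLOAD.search(pkt.payload)
        if m:
            alerts.append(f"payload match {m.group(0)!r}  {flow}")
    return alerts


SAMPLE_FRAMES = [
    # ordinary DNS query for example.com (constructed)
    build_ipv4_udp("10.0.0.5", "10.0.0.1", 53123, 53,
                   b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
    # NTP client request (constructed): expected port, harmless payload
    build_ipv4_udp("10.0.0.5", "10.0.0.1", 40000, 123, b"\x1b" + b"\x00" * 47),
    # workstation chatting IRC-style with an outside host on a port it shouldn't use
    build_ipv4_udp("10.0.0.7", "203.0.113.9", 1234, 6667, b"NICK bot7\r\nJOIN #control\r\n"),
    # something smuggled inside "DNS" traffic: right port, wrong contents
    build_ipv4_udp("10.0.0.8", "10.0.0.1", 5555, 53, b"\x00\x00run cmd.exe /c whoami"),
    # an ARP request: not IPv4, so the parser skips it
    b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x06" + b"\x00" * 28,
]

if __name__ == "__main__":
    for line in inspect(SAMPLE_FRAMES):
        print(line)
```

The checksum test matters more than it looks: on a busy or lossy capture you will see truncated and garbled frames, and reading port numbers out of a header you have not validated is how a sniffer ends up raising alerts on noise. Note also that a UDP payload is not a stream, so a per-packet regexp is fine here; for TCP the same idea needs reassembly first, which is one of the things Snort does for you.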