Today at work we are having problems with "Viruses/spyware/stuff" and I am wondering what I could set up in Linux to, say, passively/actively scan a network for viruses/spyware/stuff. And stuff that looks for viruses/spyware/stuff trying to connect to ports it shouldn't be. A packet sniffer would probably be one thing, but I don't know enough about TCP/IP/UDP/stuff to work it and understand what it is showing me. I guess I might have to start reading up on packet sniffing. So tools I think might be good: Ethereal, Snort, Nmap.
Thanks,
JtotheO
Quoting djgoku [email protected]:
Today at work we are having problems with "Viruses/spyware/stuff" and I am wondering what I could set up in Linux to, say, passively/actively scan a network for viruses/spyware/stuff.
Scanning? Try Nmap, http://insecure.org. Feature-packed scanning of hosts, networks, etc. Does a good job of fingerprinting remote operating systems, which is handy for vulnerability assessment and risk analysis.
If you want something to do a passive fingerprint of a remote host, check out p0f, http://lcamtuf.coredump.cx/p0f.shtml. Passive OS fingerprinting sounds interesting, but I wonder, is there a faster way to passively fingerprint on a switched network?
Hm.
And stuff that looks for viruses/spyware/stuff trying to connect to ports it shouldn't be.
This is out of my realm of experience as of this minute. Some sort of packet-inspecting firewall device (hardware or software?) that uses signatures to recognize naughty traffic? SNORT does this, no? If you want to use these same signatures to *stop* this traffic, you'll want an intrustion prevention system rather than an intrustion detection system.
A packet sniffer would probably be one thing, but I don't know enough about TCP/IP/UDP/stuff to work it and understand what it is showing me. I guess I might have to start reading up on packet sniffing. So tools I think might be good: Ethereal, Snort, Nmap.
tcpdump, Ethereal and Nmap I have used, and they are great tools that you should have in your box. Snort probably is too, but I haven't had much experience with it, yet.
If you do much programming and it ever touches the network, you'll be glad you can reach for tcpdump or ethereal and look at what the client and the server are actually saying to one another.
I enjoy writing code and have recently had occasion to work on a project that pulls apart udp packets and examines their contents. I didn't do the socket side of the application, so that's still vague to me, but if you read the RFCs and know how to nest several loops together and can examine and compare array elements on your way through the loop, you can see everything and use regexps to filter out (or in) that which you care about.
I suspect there may be useful information available, even on switched networks.
On busy networks, I suspect the trick is keeping up with all the traffic, this is when one needs fast processing and adequate buffering (a.k.a. hardware) to host the code.
Best luck ever.
-- Dave Hull http://insipid.com
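As an added illustration of the two ideas in the reply above (pulling apart captured packets with a few loops and comparisons, and watching for a host talking to a port it shouldn't), here is a small passive parser plus an allowlist check. This is example code written for this thread, not Dave's project or any of the tools named; it assumes raw Ethernet II / IPv4 frames of the kind tcpdump or a raw socket would hand you, and the per-host port policy and the sample frames are constructed for the demonstration.

```python
"""Passive frame parser with a per-host destination-port allowlist.

Added example (not from the original thread). Assumes Ethernet II /
IPv4 / TCP-or-UDP frames; checksums are not validated. The policy table
and sample frames below are constructed, not captured from a real LAN.
"""
import ipaddress
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, proto, src_port, dst_port), or None if the
    frame is not IPv4 carrying TCP or UDP (or is truncated)."""
    if len(frame) < ETH_HDR_LEN:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]   # bytes 12-13 of Ethernet II
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return None
    ver_ihl = ip[0]
    if ver_ihl >> 4 != 4:
        return None
    ihl = (ver_ihl & 0x0F) * 4                         # header length in bytes
    if ihl < 20 or len(ip) < ihl:
        return None
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP):
        return None
    src_ip = str(ipaddress.IPv4Address(ip[12:16]))
    dst_ip = str(ipaddress.IPv4Address(ip[16:20]))
    l4 = ip[ihl:]
    if len(l4) < 4:                                    # both TCP and UDP start with src/dst port
        return None
    src_port, dst_port = struct.unpack("!HH", l4[:4])
    return (src_ip, dst_ip, proto, src_port, dst_port)


# Constructed policy: destination ports each internal host is expected to use.
POLICY = {
    "192.168.1.10": {53, 80, 443},
    "192.168.1.11": {53, 80, 443, 25},   # this host is allowed to relay mail
}
DEFAULT_ALLOWED = {53, 80, 443}          # hosts with no explicit entry


def check_policy(pkt):
    """Return an alert string if the destination port is not on the source host's allowlist."""
    src, dst, proto, _sport, dport = pkt
    allowed = POLICY.get(src, DEFAULT_ALLOWED)
    if dport in allowed:
        return None
    name = "tcp" if proto == PROTO_TCP else "udp"
    return f"{src} -> {dst}:{dport}/{name} not in allowlist"


def scan_frames(frames):
    """Parse every frame, skip what we cannot decode, collect policy alerts in order."""
    alerts = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        alert = check_policy(pkt)
        if alert:
            alerts.append(alert)
    return alerts


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"x"):
    """Build a minimal Ethernet/IPv4/UDP-or-TCP frame for testing (checksums left zero)."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # TCP: seq, ack, data offset 5 with SYN flag, window, checksum, urgent pointer
        l4 = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


# Constructed sample traffic: two expected flows, two that should be flagged, one non-IPv4 frame.
SAMPLE_FRAMES = [
    build_frame("192.168.1.10", "192.168.1.1", PROTO_UDP, 50000, 53),    # DNS, expected
    build_frame("192.168.1.10", "203.0.113.5", PROTO_TCP, 50001, 443),   # HTTPS, expected
    build_frame("192.168.1.10", "203.0.113.9", PROTO_TCP, 50002, 8081),  # not on the allowlist
    build_frame("192.168.1.11", "198.51.100.2", PROTO_TCP, 50003, 25),   # SMTP, allowed for .11
    build_frame("192.168.1.12", "198.51.100.2", PROTO_TCP, 50004, 25),   # SMTP from a default-policy host
    b"\x00" * 14 + b"not an ipv4 frame",                                  # skipped by the parser
]

if __name__ == "__main__":
    for line in scan_frames(SAMPLE_FRAMES):
        print(line)
```

The allowlist approach is the mirror image of a signature rule: instead of knowing what bad traffic looks like, you state what each machine is supposed to do and let everything else surface. On a real capture you would feed `parse_frame` the frames from a promiscuous-mode socket or a saved tcpdump file and would want to suppress repeats, but the loop-and-compare core is exactly what the reply describes.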
Quoting Dave Hull [email protected]:
you'll want an intrustion prevention system rather than an intrustion
^ ^ That's good English. Thank God I'm consistently wrong and not a satanic flip-flopper.
And I hate it when posters correct their own posts.
Back to working on Nordqrak.
-- Dave Hull http://insipid.com
djgoku wrote:
Today at work we are having problems with "Viruses/spyware/stuff" and I am wondering what I could set up in Linux to, say, passively/actively scan a network for viruses/spyware/stuff. And stuff that looks for viruses/spyware/stuff trying to connect to ports it shouldn't be. A packet sniffer would probably be one thing, but I don't know enough about TCP/IP/UDP/stuff to work it and understand what it is showing me. I guess I might have to start reading up on packet sniffing. So tools I think might be good: Ethereal, Snort, Nmap.
Just look at what IPCop has included. They monitor for intrusion with Snort, NAT all connections to prevent direct machine connection unless the PC internal to the LAN initiated it, open/port forward only the ports you specifically open.
Since you mention viruses and spyware, you must be using Windows. If you have a Linux mailserver, add ClamAV or Amavis or some commercial product, several anti-virus companies now support Linux on the Mail/File server. On the Windows PC you should have some virus scanning product. You could occasionally scan with AdAware by Lavasoft AND also use Spybot Seek & Destroy. If you want active/constant scanning like antivirus software does, you have to pay for the Pro version. If you have a big problem it may be worth it. You may also want a local firewall like Zone Alarm. If you are using XP, you could at the very least activate the on-board personal firewall.
To sniff traffic on the LAN you could also use Nessus on a Linux box. It is semi-complicated: you have to put your NIC in promiscuous mode so it listens and logs all traffic. You need at least 256 MB RAM and a decent-size disk to capture all the logs and packets. Look at some of the tools available on Phlak, Knoppix-STD and INSERT Linux.
Start with the client PCs though and get them all clean first. You may just need to lock down regular users so they can't install software, turn off Direct X and other stuff in the browser, get them Firefox and remove their desktop icon for IE. This is how it starts.
---------------------------------------------- Somewhere there is a village missing an idiot.