Re: sniffer black box

From: Maxime Ducharme (maxime_at_pandore-designSPAMISBAD.com)
Date: 10/28/03


Date: Tue, 28 Oct 2003 16:53:05 -0500


Hi

I did the same thing with Snort NIDS : http://www.snort.org/

Snort can be configured to generate alerts based on packets it sees,
and it is highly configurable.

It can send alerts via email, SMB messages (Windows), etc.,
and log everything in a log file, in a database, ...

You may also tell Snort to log the content of these suspicious
packets, so you may do more precise analysis of "what was
going on yesterday night when the bandwidth peaked".

I usually run Snort on Linux; you may see on this link which OS
Snort can run on:
http://www.snort.org/about.html

For real-time network analysis, I also recommend ntop from
http://www.ntop.org/ ; with this tool you can quickly determine
which protocols are used on the network.

e.g. (ntop has a web-based interface): http://www.ntop.org/ntop2.jpg

but it cannot detect suspicious activity like Snort could do.

Hope it helps

Ciao

---------------------------------------------------------------
  Maxime Ducharme
  Network Administrator, Programmer

----- Original Message -----
From: "Nosnos" <nosnos94@_NO_SPAM_wanadoo.fr>
Newsgroups:
alt.computer.security,alt.os.security,comp.os.linux.security,comp.security.firewalls
Sent: Tuesday, October 28, 2003 3:48 PM
Subject: sniffer black box

> hi,
>
> I must make a black box that will sniff and log all the traffic that is
> incoming and outgoing from the net.
>
> Its main function will be to supervise all the users of the LAN, and warn a
> root if someone is using the company's network for inappropriate use ....
>
> It must particularly filter HTTP (the URL and the date of the connection),
> FTP, IRC, POP, SMTP ......
>
> I must put all information in a database.
>
> Do you know a good sniffer (maybe another method?) that can check the net
> in order to give me some precise information about the traffic?
>
> Which OS must I install for better performance?
>
> thx
>
>
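As an added example (not from this post or from the Snort project), here is what the reply describes in Snort 2.x syntax: a snort.conf fragment that sends alerts to syslog and SMB popups and logs the full packets to a tcpdump file and a database, followed by local rules that alert on the outbound HTTP, FTP, IRC, SMTP and POP traffic the original poster wants tracked. The LAN range, database credentials, workstation list path and SID numbers are placeholders.

```conf
# ---- snort.conf fragment (added example; network and credentials are placeholders) ----
var HOME_NET 192.168.1.0/24        # assumption: the LAN being supervised
var EXTERNAL_NET !$HOME_NET
var HTTP_PORTS 80
var RULE_PATH /etc/snort/rules

# Reassemble TCP streams and normalise URLs before the rules see the payload
preprocessor stream4: detect_scans
preprocessor stream4_reassemble
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash

# Where alerts go: syslog (a log watcher such as swatch can mail them on)
output alert_syslog: LOG_AUTH LOG_ALERT
# Windows popup alerts; only available when Snort is built with --enable-smbalerts
output alert_smb: /etc/snort/workstation.list

# Where the packets themselves go: a pcap file for replay in tcpdump/ethereal,
# and a database that keeps the payload (so the URL and timestamp can be queried)
output log_tcpdump: snort.log
output database: log, mysql, user=snort password=CHANGE_ME dbname=snort host=localhost

include $RULE_PATH/local.rules

# ---- local.rules: one line per protocol the black box must record ----
# HTTP: fires once per request, so every URL is logged with its timestamp
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL outbound HTTP request"; flow:to_server,established; content:"GET "; depth:4; classtype:not-suspicious; sid:1000001; rev:1;)

# FTP and POP3: fire on the login command rather than on every packet
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL outbound FTP login"; flow:to_server,established; content:"USER "; depth:5; classtype:not-suspicious; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 110 (msg:"LOCAL outbound POP3 login"; flow:to_server,established; content:"USER "; depth:5; classtype:not-suspicious; sid:1000003; rev:1;)

# IRC and direct SMTP from workstations: the SYN flag alone gives one alert per
# connection attempt, which is the "policy violation" the poster wants to be warned about
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL outbound IRC connection"; flags:S; classtype:policy-violation; sid:1000004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"LOCAL outbound SMTP from workstation"; flags:S; classtype:policy-violation; sid:1000005; rev:1;)
```

The `log` keyword on the database output stores the packet payload, so the HTTP alerts can be queried afterwards by source host and time, which answers the "what was going on yesterday night" question from the reply.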
