On 02/19/2010 07:59 AM, Wendell Nichols wrote: > Rick Stevens wrote: >> On 02/18/2010 03:01 PM, Patrick O'Callaghan wrote: >> >>> On Thu, 2010-02-18 at 13:47 -0800, Rick Stevens wrote: >>> >>>> On 02/18/2010 09:52 AM, Wendell Nichols wrote: >>>> >>>>> I would like to monitor network connections on my servers. Users run >>>>> all sorts of stuff and I want to know when some chat client starts >>>>> shipping data to a system in china etc. >>>>> >>>> Snort is probably the best (and complicated) network sniffer out >>>> there. It can do some serious analysis. It also eats up CPU cycles >>>> like crazy. You've been warned. >>>> >>> Other things to look at: ntop and wireshark (not for the faint of >>> heart). >>> >> >> Wireshark, of course, being the GUI side of tcpdump. But you knew that! > Thankyou for your input. I've looked at all these things and a few > more. One of the more interesting tools is etherape (available at your > friendly neighbourhood fedora repo site). It gives you a nice picture > of what machines on your lan are connected to what machines both off and > on your lan. The thing it doesn't tell me is what app is responsible > for the connection and where the end point is. There is also no > logging. I have snort on my firewall and I'll look more closely at it > before I move on. > I'm mostly concerned with apps on windows machines on my local lan > having connections to machines which are not expected. You read nearly > every week about some social networking game or app (tomtom skype?) > which funnels the chat content to either a foreign government or an > organization collecting identities for fraud purposes. I'm interested > in tools which might plug those holes... but perhaps they don't exist or > are out of the reach of the "little guy" :) > Thanks again for your thoughts.. snort isn't that hard to set up using its default rules. The trick is in tweaking them to analyze what's going on. Remember, even at the firewall all you have available to you is IP addresses and ports involved. You have no visibility as to what application on any given machine is opening those connections unless you're on the machine involved and doing something like lsof -i :portnumber-of-interest while the connection is being made or is open (I don't know if there is an equivalent application under Windows). With iptables, you can, of course, log all outgoing packets with the SYN bit set (your machine trying to open a TCP connection): iptables -A OUTPUT -p tcp -m tcp --tcp-flags SYN SYN -j LOG but again, you don't know which application was doing that. If you're intensely paranoid, put rules on your firewall that block all outgoing packets to anything other than well-known ports that you are fairly sure you'll use. If someone whines that they can't do something, sort out what it is, verify the IPs and ports involved and put a "hole" in your firewall to allow access for that port to that specific destination IP. Do this VERY reluctantly...a firewall that resembles swiss cheese is no longer a firewall. Network security and security analysis are pretty complex beasts, which is why good consultants in those areas can make some serious money. ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer ricks@xxxxxxxx - - AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 - - - - What's small, yellow and very, VERY dangerous? The root canary! - ---------------------------------------------------------------------- -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines