Re: [FW-1] sniffing network
Hi,

You said:

#I have just started with a new company and to my horror discovered that the
#network has been infested with sniffers and probes.
#Conventional anti virus software does not detect these encountered, any ideas
#how I could go about combating these bastards????
#I have been able to find out where most of them are, but failed to get rid of
#them.

What is the gig with the 'taps' Shomiti Surveyor or Fluke type network traffic monitoring/troubleshooting gear??

In situations where active sniffers are in place on a network, for whatever reason, it is standard practice to have a 'cron job' shell script send tasty login traffic to a null auth server (Telnet service, IMAP, POP3, etc. not being used for anything else).

For example:

username: very important person
password: really qrypt out password

Have a few of these, 5 to 10, spawned every 15 to 25 min, and create Snort rules to parse out source, then monitor to see if folks are actually listening to traffic off the wire and trying to use that info....basically that is all you can do within the context you describe.

You can get complex, random IPs, spoof source IPs in origination messages filter out cron spawned traffic from, etc....

But, like that was back in the day, now we have VLANs :O (no yeah, know that VLANs can be jumped and sniffed and they should not be used, or relied upon, as a security device as they are a network function...but it is something you can do to segment traffic...and can be used if you know and understand the limitations).

However, if the 'taps' are in place for troubleshooting, VLANs more than likely will not be a welcome addition by the owners of the 'taps'.

So you are back to the whole, spoofed tasty traffic and monitoring via IDS....

Actually, good to do IDS on internal LAN (looking for all the potential badness....for inside...)

Hope this helps.
-Bye
Joe McGean
Allianz, Ireland Security Team
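The monitoring half of the bait-login approach described in the message above, as an added example that is not part of the original post: it triages a decoy server's login log and separates the expected cron-generated traffic from anyone else presenting a bait account. The log format, account names and addresses are all constructed assumptions.

```python
import re
from ipaddress import ip_address

# Assumptions for this example (constructed, not from the post):
BAIT_USERS = {"vip_finance", "root_backup"}      # accounts only the cron job ever sends
GENERATOR_HOSTS = {ip_address("10.0.5.20")}      # host running the cron job

# Hypothetical decoy-server log format: "<ts> decoy-<svc> login user=<u> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) decoy-(?P<svc>\w+) login user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines.
SAMPLE_LOG = """\
2000-01-01T09:00:02 decoy-pop3 login user=vip_finance src=10.0.5.20
2000-01-01T09:17:41 decoy-telnet login user=root_backup src=10.0.5.20
2000-01-01T09:21:13 decoy-pop3 login user=vip_finance src=10.0.9.77
2000-01-01T09:40:55 decoy-imap login user=admin src=10.0.3.14
this line is not a login record
"""

def triage(log_text):
    """Return (ts, src, service, user, reason) for every login not made by the generator."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore unrelated or malformed lines
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue                      # unparseable source address
        if src in GENERATOR_HOSTS:
            continue                      # expected cron-spawned bait traffic
        if m["user"] in BAIT_USERS:
            # A bait account seen from elsewhere was learned off the wire.
            reason = "bait-credential-replayed"
        else:
            # The decoy serves nothing real, so any other contact is worth a look.
            reason = "unexpected-decoy-contact"
        alerts.append((m["ts"], str(src), m["svc"], m["user"], reason))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(*alert)
```

Filtering on the generator's address only works while that address is not itself spoofed by the listener, which is one reason the post suggests varying the source of the bait traffic.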