
Re: [FW-1] sniffing network



Talking about ids.....
What is your opinion on black ice???

Thanx 4 the reply, by the way

        -----Original Message-----
        From:   Joe McGean [SMTP:[email protected]]
        Sent:   11 December 2001 19:15
        To:     [email protected]
        Subject:        Re: [FW-1] sniffing network

        Hi,

        You said:

        #I have just started with a new company and to my horror discovered that the
        #network has been infested with sniffers and probes.
        #Conventional anti virus software does not detect these encountered, any ideas
        #how I could go about combating these bastards????

        #I have been able to find out where most of them are, but failed to get rid of
        #them.



        What is the gig with the 'taps'
        Shomiti Surveyor or Fluke type network
        traffic monitoring/troubleshooting gear??



        In situations where active sniffers are in place on a network, for
        whatever reason, it is standard practice to have a 'cron job'
        Shell script send tasty login traffic to a Null auth server
        ( Telnet service, IMAP, POP3, etc not being used for anything else).
        For example:

        username: very important person
        password: really qrypt out password

        Have a few of these 5 to 10, spawned every 15 to 25 min
        and create Snort rules, to parse out source, then monitor to
        see if folks are actually listening to traffic off the wire and trying
        to use that info....basically that is all you can do within the
        context you describe.

        You can get complex, random IPs, spoof source IPs in origination
        messages filter out cron spawned traffic from, etc....

        But, like that was back in the day, now we have VLANs :O

        (no yeah, know that VLANs can be jumped and sniffed and they
        should not be used, or relied upon, as a security device as they
        are a network function...but it is something you can do to segment
        traffic...and can be used if you know and understand the limitations).

        However, if the 'taps' are in place for troubleshooting VLANs
        more than likely will not be a welcome addition by the owners of the
        'taps'

        So you are back to the whole, spoofed tasty traffic and monitoring
        via IDS....

        Actually, good to do IDS on internal LAN (looking for all the
        potential badness....for inside...)

        Hope this helps.

        -Bye


        Joe McGean

        Allianz, Ireland
        Security Team







        =================================================
        To unsubscribe from this mailing list,
        please see the instructions at
        http://www.checkpoint.com/services/mailing.html
        =================================================
        To set vacation, Out Of Office, or away messages,
        send an email to [email protected]
        in the BODY of the email add:
        set fw-1-mailinglist nomail
        =================================================
        If you have any questions on how to change your
        subscription options, email Ron Alcatraz at:
        [email protected]
        =================================================


----------------------------------
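
The monitoring side of the decoy-login approach described in the quoted message, as an added example that is not part of the original thread: it reads the null auth server's login log, filters out the cron-spawned traffic, and flags any other host that presents a decoy account. The log format, the decoy account names and the generator address are constructed assumptions.

```python
import re
from datetime import datetime

# Hypothetical decoy accounts the cron job sends in cleartext; no real user owns them.
DECOYS = {"vip_finance", "vip_hr", "backup_admin"}
# Hypothetical address of the host running the cron job; its logins are expected.
GENERATOR_IP = "10.0.5.20"
# Constructed log format: "<ISO time> <service> login user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<svc>\S+) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
# Constructed sample from the null auth server (not real traffic).
SAMPLE_LOG = """\
2001-12-11T19:00:02 pop3 login user=vip_finance src=10.0.5.20
2001-12-11T19:04:41 pop3 login user=vip_finance src=10.0.7.93
2001-12-11T19:17:30 telnet login user=backup_admin src=10.0.5.20
garbage line that does not parse
2001-12-11T19:21:05 telnet login user=backup_admin src=10.0.7.93
"""


def find_replays(log_text):
    """Return one alert per decoy login that did not come from the generator."""
    last_sent = {}  # decoy user -> time the generator last put it on the wire
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["user"] not in DECOYS:
            continue  # unparseable line or an ordinary account
        ts = datetime.fromisoformat(m["ts"])
        if m["src"] == GENERATOR_IP:
            last_sent[m["user"]] = ts  # expected cron-spawned traffic
            continue
        sent = last_sent.get(m["user"])
        delay = int((ts - sent).total_seconds()) if sent else None
        alerts.append({"user": m["user"], "src": m["src"],
                       "service": m["svc"], "seconds_after_bait": delay})
    return alerts


def suspects(alerts):
    """Group alerts by source address: source -> sorted decoy accounts it tried."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a["src"], set()).add(a["user"])
    return {src: sorted(users) for src, users in by_src.items()}
```

A decoy login with `seconds_after_bait` of `None` means the account was used before the generator ever sent it in the analysed window, which points at an older capture or a log that starts too late.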

   All contents © 2004 Network Presence, LLC. All rights reserved.