[dundee] IPCOP, etc.
R J Ladyman
it at file-away.co.uk
Fri May 9 09:35:26 BST 2008
Further to the tools I was wittering on about at the LUG meeting last night (I
didn't ask the gentleman's name, sorry):
Inline analysis: you can make IPCOP your gateway or just insert it between
your current egress and your network, for the period of analysis.
IPCOP and some of its relations:-
IPCOP: http://www.ipcop.org/
Addons for IPCOP are listed here:
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopAddons
Squid Log analysis: squint and calanal (more are listed on the IPCOP site)
You can also grep through the squid.log for particular sites/addresses which
will allow you to detect infected machines (or at least, the IP in use at the
time).
Copfilter addon for IPCOP: http://www.copfilter.org/
Soho shaper:
http://www.smidsrod.no/products/firewall/supershaper/SuperShaper-SOHO
Set your uplink speed and increase the divisor for the problem protocols.
Protocol blocker: http://mh-lantech.css-hamburg.de/ipcop/download.php?view.151
...but remember the caveats about blocking - throttling is better than
complete strangulation (sometimes).
Squid IP-address destination detection:
acl dottedaddress url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$
and then deal with the acl (dottedaddress) accordingly (e.g. deny CONNECT or
whatever).
For a piggyback analysis: tcpdump and wireshark (it used to be called
ethereal).
Also, I would recommend:
Practical TCP/IP
Niall Mansfield
Addison-Wesley
ISBN 0-201-75078-3
which details a number of physical configurations for monitoring and analysis,
using both *nux and Windows machines.
--
Robert Ladyman
File-Away Limited, 32 Church Street,Newtyle
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number: SC222086
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
VOIP: 7714336 at sipgate.co.uk
http://www.file-away.co.uk
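An added example, not part of the original post and not IPCop's or Squid's own code: a small Python script that does the "grep through the squid log" step above and the dotted-address check from the url_regex ACL. It walks Squid native-format access.log lines (the six lines below are constructed for the example, as is the evil.example.net watchlist), flags requests whose destination is a bare IP address or a watchlisted host, and tallies them per client IP, which is what points you at the infected machine. The first regex is the post's url_regex tightened to require at least one digit; the host:port form for CONNECT is an assumption added here, because Squid logs a CONNECT request's URL as just host:port, which the post's second pattern (^[0-9\.]*$) would not match.

```python
import re
from collections import defaultdict

# url_regex from the post, with [0-9.]* tightened to [0-9.]+ so an empty host cannot match.
DOTTED_URL = re.compile(r'^[^:]*://([^/@]*@)?[0-9.]+(:|/|$|\?)')
# Assumed extra pattern: CONNECT requests are logged as "host:port", not as a URL.
DOTTED_HOSTPORT = re.compile(r'^[0-9.]+(:[0-9]+)?$')
# Pulls the host out of "scheme://[user:pw@]host[:port]/..." for the watchlist check.
HOST_IN_URL = re.compile(r'^[^:]*://(?:[^/@]*@)?([^/:?]+)')

# Constructed sample lines in Squid's native log format:
# time elapsed client code/status bytes method URL user hier/peer type
SAMPLE_LOG = """\
1210318526.123    45 192.168.1.20 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1210318527.456    12 192.168.1.33 TCP_MISS/200 812 GET http://198.51.100.7/bot/cmd.php?id=3 - DIRECT/198.51.100.7 text/plain
1210318528.789   300 192.168.1.33 TCP_MISS/200 0 CONNECT 198.51.100.7:443 - DIRECT/198.51.100.7 -
1210318529.000    20 192.168.1.41 TCP_HIT/200 2048 GET http://evil.example.net/update.exe - NONE/- application/octet-stream
1210318530.111    15 192.168.1.20 TCP_MISS/200 1500 GET http://user:pw@203.0.113.55:8080/ - DIRECT/203.0.113.55 text/html
1210318531.222    10 192.168.1.50 TCP_MISS/200 400 GET http://www.example.com/news - DIRECT/203.0.113.10 text/html
"""

# Constructed, hypothetical list of hosts you already know are bad.
WATCHLIST = {"evil.example.net"}


def parse_line(line):
    """Return the fields we need from one native-format line, or None if it is malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"ts": float(fields[0]), "client": fields[2],
            "method": fields[5], "url": fields[6]}


def is_dotted_destination(method, url):
    """True when the request went to a raw IP address rather than a hostname."""
    if method == "CONNECT":
        return DOTTED_HOSTPORT.match(url) is not None
    return DOTTED_URL.match(url) is not None


def url_host(method, url):
    """Destination host for either a full URL or a CONNECT host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0]
    m = HOST_IN_URL.match(url)
    return m.group(1) if m else ""


def suspicious_clients(log_text, watchlist=WATCHLIST):
    """Map client IP -> list of (ts, method, url, reasons) for every flagged request."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        host = url_host(rec["method"], rec["url"])
        reasons = []
        if is_dotted_destination(rec["method"], rec["url"]):
            reasons.append("dotted-ip:" + host)
        if host in watchlist:
            reasons.append("watchlist:" + host)
        if reasons:
            hits[rec["client"]].append((rec["ts"], rec["method"], rec["url"], reasons))
    return dict(hits)


def summarize(hits):
    """(client, flagged-request count) pairs, most active client first."""
    return sorted(((c, len(v)) for c, v in hits.items()), key=lambda p: (-p[1], p[0]))


if __name__ == "__main__":
    found = suspicious_clients(SAMPLE_LOG)
    for client, count in summarize(found):
        print(client, count)
        for ts, method, url, reasons in found[client]:
            print("   ", method, url, ",".join(reasons))
```

Run it against a real /var/log/squid/access.log by reading the file into suspicious_clients(); the client column is the IP in use at the time, so cross-check it against the DHCP lease log before blaming a machine. On the Squid side the matching ACL is applied with an http_access line, for example `http_access deny CONNECT dottedaddress` (CONNECT being the method ACL squid.conf defines by default), which is the "deal with the acl accordingly" step above; if you want CONNECT covered you will need to let the second pattern accept a trailing :port, as the DOTTED_HOSTPORT regex here does.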