[dundee] IPCOP, etc.

Lee Hughes toxicnaan at yahoo.co.uk
Tue May 13 14:19:12 BST 2008


yeah, IPCOP, it's all right...
but you'll find pfsense makes more sense.

try it out.



R J Ladyman <it at file-away.co.uk> wrote:

Further to the tools I was wittering on at the LUG meeting last night (I 
didn't ask the gentleman's name, sorry):

Inline analysis: you can make IPCOP your gateway or just insert it between 
your current egress and your network, for the period of analysis.

IPCOP and some of its relations:-

IPCOP: http://www.ipcop.org/
Addons for IPCOP are listed here: 
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopAddons

Squid Log analysis: squint and calanal (more are listed on the IPCOP site)
You can also grep through the squid.log for particular sites/addresses which 
will allow you to detect infected machines (or at least, the IP in use at the 
time). 

Copfilter addon for IPCOP: http://www.copfilter.org/

Soho shaper: 
http://www.smidsrod.no/products/firewall/supershaper/SuperShaper-SOHO
Set your uplink speed and increase the divisor for the problem protocols.

Protocol blocker: http://mh-lantech.css-hamburg.de/ipcop/download.php?view.151
...but remember the caveats about blocking - throttling is better than 
complete strangulation (sometimes).

Squid IP-address destination detection:

acl dottedaddress url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$

and then deal with the acl (dottedaddress) accordingly (e.g. deny CONNECT or 
whatever).

For a piggyback analysis: tcpdump and wireshark (it used to be called 
ethereal).


Also, I would recommend:

Practical TCP/IP
Niall Mansfield
Addison-Wesley
ISBN 0-201-75078-3

which details a number of physical configurations for monitoring and analysis, 
using both *nux and Windows machines.


-- 

Robert Ladyman
File-Away Limited, 32 Church Street,Newtyle
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number: SC222086
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
VOIP: 7714336 at sipgate.co.uk

http://www.file-away.co.uk


_______________________________________________
dundee GNU/Linux Users Group mailing list
dundee at lists.lug.org.uk  http://dundee.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/dundee
Chat on IRC, #tlug on dundee.lug.org.uk
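The grep-the-squid-log idea and the dotted-address url_regex above, as an added example (my code, not from the list message and not part of IPCOP or Squid): it runs the same two patterns over a few constructed Squid native access.log lines and reports which internal client asked for a bare IP-address destination. One assumption of mine: the second pattern is widened with an optional :port so that CONNECT requests, which Squid logs as host:port, are also caught.

```python
import re
from collections import defaultdict

# First pattern: identical to the url_regex acl quoted in the message,
# i.e. scheme://[user@]dotted-quad followed by ':', '/', '?' or end of URL.
DOTTED_URL = re.compile(r"^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?)")
# Second pattern: the acl's ^[0-9\.]*$ plus an optional :port (my extension),
# so a CONNECT request logged as "203.0.113.5:443" is matched too.
DOTTED_BARE = re.compile(r"^[0-9\.]+(:[0-9]+)?$")

# Constructed sample lines in Squid's native access.log layout:
# timestamp elapsed client action/status bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1210680000.123 245 192.168.1.20 TCP_MISS/200 5123 GET http://www.ipcop.org/ - DIRECT/1.2.3.4 text/html
1210680001.456 12 192.168.1.37 TCP_MISS/200 812 GET http://203.0.113.5/update.bin?v=7 - DIRECT/203.0.113.5 application/octet-stream
1210680002.789 33 192.168.1.37 TCP_MISS/200 640 CONNECT 203.0.113.5:443 - DIRECT/203.0.113.5 -
1210680003.001 180 192.168.1.20 TCP_HIT/200 2048 GET http://www.example.com/page.html - NONE/- text/html
1210680004.222 40 192.168.1.52 TCP_MISS/200 300 GET http://user@198.51.100.9:8080/ - DIRECT/198.51.100.9 text/html
"""


def is_dotted_destination(url):
    """True when the request names its destination as a bare IP address."""
    return bool(DOTTED_URL.match(url) or DOTTED_BARE.match(url))


def parse_line(line):
    """Pull client, method and URL out of one native-format access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def dotted_destinations_by_client(log_text):
    """Map each client IP to the dotted-address URLs it requested, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_dotted_destination(rec["url"]):
            hits[rec["client"]].append(rec["url"])
    return dict(hits)


if __name__ == "__main__":
    for client, urls in sorted(dotted_destinations_by_client(SAMPLE_LOG).items()):
        print(f"{client}: {len(urls)} request(s) to bare IP destinations")
        for url in urls:
            print(f"    {url}")
```

On a real box, feed it the proxy's access.log instead of SAMPLE_LOG; a client that keeps appearing here is the one to look at first, with the same caveat as in the message that it is only the IP in use at the time.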


       