[dundee] IPCOP, etc.
Lee Hughes
toxicnaan at yahoo.co.uk
Tue May 13 14:19:12 BST 2008
yeah, IPCOP, it's all right...
but you'll find pfsense makes more sense.
try it out.
R J Ladyman <it at file-away.co.uk> wrote:
Further to the tools I was wittering on at the LUG meeting last night (I
didn't ask the gentleman's name, sorry):
Inline analysis: you can make IPCOP your gateway or just insert it between
your current egress and your network, for the period of analysis.
IPCOP and some of its relations:-
IPCOP: http://www.ipcop.org/
Addons for IPCOP are listed here:
http://www.ipcop.org/index.php?module=pnWikka&tag=IPCopAddons
Squid Log analysis: squint and calanal (more are listed on the IPCOP site)
You can also grep through the squid.log for particular sites/addresses which
will allow you to detect infected machines (or at least, the IP in use at the
time).
Copfilter addon for IPCOP: http://www.copfilter.org/
Soho shaper:
http://www.smidsrod.no/products/firewall/supershaper/SuperShaper-SOHO
Set your uplink speed and increase the divisor for the problem protocols.
Protocol blocker: http://mh-lantech.css-hamburg.de/ipcop/download.php?view.151
....but remember the caveats about blocking - throttling is better than
complete strangulation (sometimes).
Squid IP-address destination detection:
acl dottedaddress url_regex ^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?) ^[0-9\.]*$
and then deal with the acl (dottedaddress) accordingly (e.g. deny CONNECT or
whatever).
For a piggyback analysis: tcpdump and wireshark (it used to be called
ethereal).
Also, I would recommend:
Practical TCP/IP
Niall Mansfield
Addison-Wesley
ISBN 0-201-75078-3
which details a number of physical configurations for monitoring and analysis,
using both *nux and Windows machines.
--
Robert Ladyman
File-Away Limited, 32 Church Street, Newtyle
Perthshire, PH12 8TZ SCOTLAND
Registered in Scotland, Company Number: SC222086
Tel: +44 (0) 1828 898 158
Mobile: +44 (0) 7732 771 649
VOIP: 7714336 at sipgate.co.uk
http://www.file-away.co.uk
_______________________________________________
dundee GNU/Linux Users Group mailing list
dundee at lists.lug.org.uk http://dundee.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/dundee
Chat on IRC, #tlug on dundee.lug.org.uk
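An added example, not code from either poster: a small Python script that applies the two url_regex patterns from the Squid acl above (Squid treats several patterns on one acl line as alternatives) plus a hostname watch-list to constructed squid access.log lines, and reports the client IPs involved, which is the "grep through the squid log to find infected machines" step Robert describes. The log lines, client IPs and watch-list names are all constructed placeholders.

```python
import re
from collections import defaultdict

# The two url_regex patterns from the acl line in the message; Squid treats
# several patterns on one acl line as alternatives, so they are OR'd here.
DOTTED_ADDRESS_PATTERNS = [
    re.compile(r"^[^:]*://([^/@]*@)?[0-9\.]*(:|/|$|\?)"),
    re.compile(r"^[0-9\.]*$"),
]

# Hypothetical watch-list of hostnames to grep for (constructed placeholders).
WATCH_LIST = {"bad.example", "c2.example.net"}

# Constructed access.log lines in Squid's native format:
# timestamp elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1210684752.123 245 192.168.1.42 TCP_MISS/200 1523 GET http://1.2.3.4/update.exe - DIRECT/1.2.3.4 application/octet-stream
1210684753.456 12 192.168.1.17 TCP_HIT/200 9876 GET http://www.ipcop.org/ - NONE/- text/html
1210684754.789 330 192.168.1.42 TCP_MISS/200 512 CONNECT 5.6.7.8:443 - DIRECT/5.6.7.8 -
1210684755.012 101 192.168.1.99 TCP_MISS/200 2048 GET http://bad.example/c2 - DIRECT/10.0.0.5 text/html
1210684756.345 88 192.168.1.17 TCP_MISS/404 300 GET http://user@9.9.9.9:8080/x - DIRECT/9.9.9.9 text/html
"""

def parse_access_line(line):
    """Return client IP, method and URL from a native-format access.log line."""
    fields = line.split()
    return None if len(fields) < 7 else {"client": fields[2], "method": fields[5], "url": fields[6]}

def is_dotted_address(url):
    """True when the 'dottedaddress' acl would match this URL."""
    return any(p.search(url) for p in DOTTED_ADDRESS_PATTERNS)

def hostname(url):
    """Host part of an http://... URL, or the host of a CONNECT 'host:port' target."""
    m = re.match(r"^[^:]*://(?:[^/@]*@)?([^/:?]+)", url)
    return m.group(1) if m else url.split(":")[0]

def scan(log_text):
    """Map client IP -> list of (reason, url) for requests worth a closer look."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue
        if is_dotted_address(rec["url"]):
            hits[rec["client"]].append(("dotted-ip", rec["url"]))
        if hostname(rec["url"]) in WATCH_LIST:
            hits[rec["client"]].append(("watch-list", rec["url"]))
    return dict(hits)
```

The CONNECT line is included to show a caveat: as written, neither pattern matches a bare "host:port" target such as 5.6.7.8:443, so that request is not flagged and needs a separate rule.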