[Durham] Automating a network sniffer

Richard Patterson Richard at helpquick.co.uk
Mon Nov 1 08:54:47 UTC 2010


Do you run Windows at all?

Do you have a Linux-based gateway box? If so, you could have a look at Snort, SnortSnarf and NTop.

On my Linux firewall, I run squid with adzapper (which filters out banners, adverts, malicious scripts, etc.), and squid logs all requests anyway... You might want to look into this too...

Hope this helps

Richard


Richard Patterson
Mobile: 07921 512 459



HelpQuick Ltd
The headquarters of
innovative IT solutions

Office: 0191 2582888, Fax: 0191 6408666
Web: http://www.helpquick.co.uk

Have you used our services? Why not write a review on the FreeIndex website

HelpQuick Limited, Registered in England & Wales, Company number
5334746, Vat registration number: 859 6133 89, Registered office:
18 Camden Square, North Shields, NE30 1NR, UK


-----Original Message-----
From: durham-bounces at mailman.lug.org.uk [mailto:durham-bounces at mailman.lug.org.uk] On Behalf Of Dougie Nisbet
Sent: 01 November 2010 08:44
To: Durham at mailman.lug.org.uk
Subject: [Durham] Automating a network sniffer

I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit. 
All my PCs are clean and I can't find anything amiss.

Abuse report:

For more information on this report please visit http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone


Asn: 13037
Geo: UK
Url: GET / HTTP/1.1
Type:
Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.11) 
Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
Tor:
Src_port: 26691
P0f_genre: Windows
P0f_detail: 2000 SP4, XP SP1+
Hostname:
Dst_port: 80
Http_host: 87.106.24.200
Http_referer:
Http_referer_asn:
Http_referer_geo:
Dst_ip: 87.106.24.200
Dst_asn: 8560
Dst_geo: DE


How much of this is likely to be reliable? I don't run MS XP or 2000 for 
example.

Anyway, my question is: I'd like to set up a network sniffer on my LAN 
with a rotating logfile. A few days if possible. I've had a look at 
wireshark and thought it looked promising but I can't figure out how to 
configure it to run out of a cron job and to close its data file each 
day and re-open a new one. Would I be better looking at tcpdump or 
tshark? I realise that the volumes may make this unrealistic anyway but 
I think I could probably get a couple of days' worth in a logfile or 
two. Can anyone offer an off-the-shelf command line/cron job that might 
do it?

Thanks,

Dougie


_______________________________________________
Durham mailing list   -   Durham at mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/durham
http://www.nelug.org.uk/
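The cron job asked for above, as an added example that is not part of the thread or anyone's posted code: tcpdump's own timed rotation (`-G` seconds, `-W` file cap, strftime pattern in `-w`) closes the capture file once a day, a tshark ring-buffer equivalent is included, old files are pruned so the directory stays at a few days of traffic, and a read-filter command shows how to check the archive for the destination given in the abuse report. The interface (eth0), directory (/var/log/pcap), three-day retention and 96-byte snaplen are assumptions, not values from the thread.

```sh
#!/bin/sh
# Added example for the thread above, not code from the list or its posters.
# Rolling LAN capture launched once a day from cron: tcpdump closes its file
# after -G seconds and, with -W 1, exits after that first rotation, so each
# cron run produces exactly one day's file. Assumed values (not from the
# thread): interface eth0, directory /var/log/pcap, 3 days kept, 96-byte snaplen.
set -u

IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/log/pcap}"
KEEP_DAYS="${KEEP_DAYS:-3}"
SNAPLEN="${SNAPLEN:-96}"   # headers only keeps the volume down; 0 = whole packets
ROTATE_SECS=86400          # one day

# tcpdump command for one day of capture. The strftime pattern in -w stamps
# the file with its open time; -z gzip compresses the file once it is closed.
capture_cmd() {
    printf 'tcpdump -i %s -n -s %s -G %s -W 1 -z gzip -w %s/lan-%%Y%%m%%d-%%H%%M%%S.pcap\n' \
        "$IFACE" "$SNAPLEN" "$ROTATE_SECS" "$CAPDIR"
}

# tshark equivalent using its ring buffer: a new file every ROTATE_SECS, at
# most KEEP_DAYS files kept (tshark appends the timestamp to the base name).
tshark_cmd() {
    printf 'tshark -i %s -s %s -b duration:%s -b files:%s -w %s/lan.pcap\n' \
        "$IFACE" "$SNAPLEN" "$ROTATE_SECS" "$KEEP_DAYS" "$CAPDIR"
}

# Remove capture files older than $2 days from directory $1 so the archive
# stays at roughly KEEP_DAYS of traffic.
prune_old_captures() {
    find "$1" -maxdepth 1 -type f -name 'lan-*.pcap*' -mtime +"$2" -exec rm -f {} +
}

# Read-filter command to find which LAN host spoke to a reported destination,
# e.g. the Dst_ip/Dst_port pair from the Shadowserver report (87.106.24.200, 80).
# Arguments: capture file, host, port.
search_cmd() {
    printf "tcpdump -n -r %s 'host %s and port %s'\n" "$1" "$2" "$3"
}

# When invoked as the cron job ("run" argument), prune first, then replace
# this shell with today's capture process.
if [ "${1:-}" = "run" ]; then
    mkdir -p "$CAPDIR"
    prune_old_captures "$CAPDIR" "$KEEP_DAYS"
    eval "exec $(capture_cmd)"
fi
```

Install it as, for instance, /usr/local/sbin/rolling-capture.sh (a hypothetical path) and add `0 0 * * * /usr/local/sbin/rolling-capture.sh run` to root's crontab, since tcpdump needs raw-socket rights. tcpdump only notices that the rotation time has passed when a packet arrives, so on a quiet interface one run may overlap the next by a few seconds. With `-s 96` the files hold headers rather than payload, which is enough to see which internal address was talking to the reported destination; raise the snaplen if full content is wanted, at the cost of much larger files. Rotated files are gzipped, so pipe them through `zcat` before `tcpdump -r -` if your libpcap was not built with zlib support.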