[Durham] Automating a network sniffer

Dougie Nisbet dougie at highmoor.co.uk
Mon Nov 1 09:28:55 UTC 2010


Thanks Richard. Snort looks really promising. (I haven't got past snort -v yet though!)

I tried using the gateway option but I get an error about it not being 
available in the configuration. I'll settle down and have a read of the 
docs later.

Dougie

On 01/11/2010 08:54, Richard Patterson wrote:
> Do you run Windows at all?
>
> Do you have a Linux-based gateway box? You could have a look at Snort, SnortSnarf and NTop
>
> On my Linux firewall, I run squid with adzapper (filters out banners, adverts and malicious scripts, etc), which logs all requests anyway... You might want to look into this too...
>
> Hope this helps
>
> Richard
>
>
> Richard Patterson
> Mobile: 07921 512 459
>
>
>
> HelpQuick Ltd
> The headquarters of
> innovative IT solutions
>
> Office: 0191 2582888, Fax: 0191 6408666
> Web: http://www.helpquick.co.uk
>
> Have you used our services? Why not write a review on the FreeIndex website
>
> HelpQuick Limited, Registered in England & Wales, Company number
> 5334746, Vat registration number: 859 6133 89, Registered office:
> 18 Camden Square, North Shields, NE30 1NR, UK
>
>
> -----Original Message-----
> From: durham-bounces at mailman.lug.org.uk [mailto:durham-bounces at mailman.lug.org.uk] On Behalf Of Dougie Nisbet
> Sent: 01 November 2010 08:44
> To: Durham at mailman.lug.org.uk
> Subject: [Durham] Automating a network sniffer
>
> I've got a mystery. Abuse alerts from Zen suggesting a rootkit exploit.
> All my PCs are clean and I can't find anything amiss.
>
> Abuse report:
>
> For more information on this report please visit http://www.shadowserver.org/wiki/pmwiki.php/Services/Sinkhole-HTTP-Drone
>
>
> Asn: 13037
> Geo: UK
> Url: GET / HTTP/1.1
> Type:
> Http_agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11 ( .NET CLR 3.5.30729; .NET4.0C)
> Tor:
> Src_port: 26691
> P0f_genre: Windows
> P0f_detail: 2000 SP4, XP SP1+
> Hostname:
> Dst_port: 80
> Http_host: 87.106.24.200
> Http_referer:
> Http_referer_asn:
> Http_referer_geo:
> Dst_ip: 87.106.24.200
> Dst_asn: 8560
> Dst_geo: DE
>
>
> How much of this is likely to be reliable? I don't run MS XP or 2000 for
> example.
>
> Anyway, my question is: I'd like to set up a network sniffer on my LAN
> with a rotating logfile. A few days if possible. I've had a look at
> Wireshark and thought it looked promising but I can't figure out how to
> configure it to run out of a cron job and to close its data file each
> day and re-open a new one. Would I be better looking at tcpdump or
> tshark? I realise that the volumes may make this unrealistic anyway but
> I think I could probably get a couple of days' worth in a logfile or
> two. Can anyone offer an off-the-shelf command line/cron job that might
> do it?
>
> Thanks,
>
> Dougie
>
>
> _______________________________________________
> Durham mailing list   -   Durham at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/durham
> http://www.nelug.org.uk/
>
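The thread never gets as far as the off-the-shelf command line/cron job Dougie asks for, so here is one as an added example; it is not from anyone on the list. It uses tcpdump (already suggested in the thread) and assumes tcpdump is installed, the LAN-facing interface is eth0, the script is saved as /usr/local/bin/lan-capture.sh and captures go under /var/log/pcap.

```sh
#!/bin/sh
# Daily-rotating LAN capture with tcpdump, plus pruning of old files.
# Assumptions (not from the thread): tcpdump is installed, the LAN-facing
# interface is eth0, and this script lives at /usr/local/bin/lan-capture.sh.
set -e

CAP_DIR="${CAP_DIR:-/var/log/pcap}"   # where the rotated .pcap files go
IFACE="${IFACE:-eth0}"                # interface to listen on
KEEP_DAYS="${KEEP_DAYS:-3}"           # "a few days" of retention
ROTATE_SECS=86400                     # start a new file every 24 hours
# Optional BPF filter to keep volume down. To watch only for the
# destination named in the abuse report, run with
#   FILTER='host 87.106.24.200 and tcp port 80'
FILTER="${FILTER:-}"

# Delete rotated captures older than $2 days in directory $1 and print
# how many were removed. tcpdump's -W option, combined with -G, only caps
# how many files are written before tcpdump exits; it does not recycle
# them, so retention has to be enforced separately, e.g. from cron.
prune_old() {
    find "$1" -maxdepth 1 -type f -name 'lan-*.pcap' -mtime +"$2" \
        -print -exec rm -f {} + | wc -l
}

# Usage from cron (as root):
#   @reboot   /usr/local/bin/lan-capture.sh start
#   5 0 * * * /usr/local/bin/lan-capture.sh prune
case "${1:-}" in
    start)
        mkdir -p "$CAP_DIR"
        # -G rotates on a time interval and needs a strftime pattern in the
        # -w name, otherwise every rotation overwrites the same file.
        # -s 0 keeps whole packets; -n stops tcpdump doing DNS lookups that
        # would themselves add traffic to the capture. If tcpdump drops
        # privileges (-Z, the default on some distributions) CAP_DIR must be
        # writable by that user or the second and later files cannot be opened.
        # $FILTER is deliberately unquoted so it expands to separate words.
        exec tcpdump -n -i "$IFACE" -s 0 -G "$ROTATE_SECS" \
            -w "$CAP_DIR/lan-%Y%m%d-%H%M%S.pcap" $FILTER
        ;;
    prune)
        prune_old "$CAP_DIR" "$KEEP_DAYS"
        ;;
esac
```

The capture itself has to run as root, but the prune job only needs write access to CAP_DIR, so it can run as an unprivileged user if the directory is owned by that user.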