Noob question about network monitoring


postdiction

Hi, I am new to the forums but not the sho

I have strong cs background but little to no knowledge of network security.

I have a spare Pentium 3 box which I could add 2 NICs to and use as a network monitor. I don't want to use this box as a firewall (i.e. Smoothwall); rather, I wanted to use it as a system to monitor incoming and outgoing traffic for viruses, spyware etc... I have people over at my place often, friends and family. Invariably, when I let people on my network, my XP box gets infected with something or the other. Now I usually just wipe it clean and rebuild it; however, I get worried sometimes because I like to do online banking and bill paying.

Thus, I want a system that can alert me once something malicious has gotten on my network. I believe this box would sit between my cable modem and wireless router, monitoring for spyware, rootkits etc... I am not sure, but would that be considered intrusion detection?

I can usually spot spyware because I have a good idea of what is running on my system; however, what really scares me is rootkits.

So anybody have suggestions to where I should look?

Thanks in advance.

What you would need to do is set up a proxy (transparent or otherwise) which downloads the files on behalf of the client and scans them for viruses.

Difficulty 1: The choice of virus scanner isn't exactly easy. ClamWin might be ok, but it's pretty behind on the definitions.

Difficulty 2: This won't actually fix the problem you are looking at. The problem seems to be that when people come to your house and they connect to your network, their computers infect yours. So the viruses (or whatever) aren't coming in through the internet, they are walking in the front door. The fix for this is to have two separate networks. One for 'untrusted' computers, and one for 'trusted'.

Appreciate the responses guys.

I guess I am resigned to the fact that my XP system is going to get infected.

I just want to know when my PC becomes infected without having to trust a virus scanner on the XP system itself.

The reason I say that is because rootkits can be invisible even to the best spyware scanners.

However, I was thinking that if I have an independent box monitoring my network/XP box, then I can trust the results a little more.

Thanks


A. Use Linux

B. Use a guest account with Steady State

C. Find out what they are doing on YOUR internet

D. Don't let them use YOUR computer

E. Before they come over, block ports used for P2P and Torrents

F. Use a program to monitor changes that have occurred in the reg or Sys32 folder, hash the folder and compare regularly.
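Suggestion F above (hash the system folder and compare regularly) is straightforward to script. The following is an added example, not code from the thread or from any of the tools mentioned in it: it builds a baseline of SHA-256 digests for every file under a directory, re-scans later, and reports files that were added, removed or modified. The directory layout, file names and contents in `demo()` are constructed for the example; on a real machine you would point `build_baseline()` at the System32 folder.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large DLLs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and map each relative file path to its digest.

    Unreadable (e.g. locked) files are recorded with a digest of None so a later
    run can still tell whether they appeared, vanished or became readable.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            try:
                baseline[rel] = hash_file(full)
            except OSError:
                baseline[rel] = None
    return baseline


def compare(baseline, current):
    """Diff two baselines; returns sorted lists of added, removed and changed paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake system folder, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "kernel32.dll").write_bytes(b"original kernel32 bytes")   # constructed content
        (root / "drivers" / "disk.sys").write_bytes(b"original disk driver")
        baseline = build_baseline(root)

        # Simulated changes between scans: a modified driver, a new unknown
        # driver dropped into the folder, and a deleted system file.
        (root / "drivers" / "disk.sys").write_bytes(b"patched disk driver")
        (root / "drivers" / "hidden.sys").write_bytes(b"new unknown driver")
        (root / "kernel32.dll").unlink()

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats that matter for the rootkit concern raised in this thread: the comparison is only as trustworthy as the code doing the walking, so a kernel-level rootkit on the scanned machine can hide files from `os.walk` and from the hash routine alike. Take the baseline from a known-clean state, keep the baseline file on another machine (or read-only media), and ideally run the scan with the disk mounted from a separate boot environment rather than from the possibly infected OS itself.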

http://www.snort.org/

What is Snort?

SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

FFS people, this should have been post 1.


http://www.snort.org/

FFS people, this should have been post 1.

This will not protect against incoming viruses though... will it? "intrusion prevention and detection" means protecting from another computer trying to remotely access the user's computer right? This might help against Trojans and such but not against system destroying viruses...


This will not protect against incoming viruses though... will it? "intrusion prevention and detection" means protecting from another computer trying to remotely access the user's computer right? This might help against Trojans and such but not against system destroying viruses...

Actually, Snort does seem like what I want. I have just downloaded it and am starting to read about it, but it looks promising. I am not so worried about my system being destroyed as it is easy enough to re-image it. What I am concerned about is monitoring my network so I can be alerted when things go bad and I haven't detected the problem myself.

Thank you for pointing me in this direction.

This will not protect against incoming viruses though... will it? "intrusion prevention and detection" means protecting from another computer trying to remotely access the user's computer right? This might help against Trojans and such but not against system destroying viruses...

Intrusion prevention systems are not the same as intrusion detection systems.
