Monday, May 4, 2009

Monitoring home networks with bare bones

Network monitoring and intrusion detection are done at many different levels now: individual computer, home networks, small networks, larger networks, ISP backbones. There are literally network taps, network prefilters, firewalls, contextual search engines and intrusion detection systems, analyzers for every budget and bandwidth. But still, ghostnets happen , even in supposedly secure locations.  Simply put, current attack vectors outfox existing security installations! But without hashing over all the existing technologies, checking out your network at a raw level looks something like this:



Your primitive tools are Cygwin, tcpdump4.0 , Snort, NM 3.3, syslogd, bash shell, pcregrep, a hub, an updated router/firewall, XWindows running on one or more of Linux, OpenBSD, or Windows XP. Your assignment is to redirect the traffic coming to your external router to a "tap" (or in this cheapest case a hub) and monitor it for unwarranted traffic and attempted intrusions.  If you have a reliable hardware firewall, it will output messages of your choosing to a correctly configured syslogd that accepts remote connections:

grep rferris syslog
May  5 01:49:04 192.168.0.1 rferris [61282]:TCP(19590)                 Dest IP :98.247.182.78,         Src IP  :85.13.200.108
May  5 01:49:04 192.168.0.1 rferris [61283]:HTTP(80)                 Dest IP :74.125.127.191,         Src IP  :192.168.0.8
May  5 01:49:04 192.168.0.1 rferris [61284]:TCP(19591)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:50:21 192.168.0.1 rferris [61285]:TCP(19591)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:50:29 192.168.0.1 rferris [61286]:HTTP(80)                 Dest IP :74.125.127.191,         Src IP  :192.168.0.8
May  5 01:50:29 192.168.0.1 rferris [61287]:TCP(19609)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:51:29 192.168.0.1 rferris [61288]:TCP(19609)                 Dest IP :98.247.182.78,         Src IP  :74.125.127.191
May  5 01:52:06 192.168.0.1 rferris [61289]:POP3(110)                 Dest IP :76.96.30.119,         Src IP  :192.168.0.9
May  5 01:52:06 192.168.0.1 rferris [61290]:TCP(20129)                 Dest IP :98.247.182.78,         Src IP  :76.96.30.119
May  5 01:53:06 192.168.0.1 rferris [61291]:TCP(20129)                 Dest IP :98.247.182.78,         Src IP  :76.96.30.119

 grep -i hacker syslog 
May  4 08:22:13 192.168.0.1 rferris Hacker Log[58760]:PROTO_TCP, SIP:61.164.116.52: 6000, DIP:98.247.182.78: 2967, Suspicious TCP Data
May  4 09:08:00 192.168.0.1 rferris Hacker Log[59132]:PROTO_UDP, SIP:84.237.112.4: 1046, DIP:98.247.182.78: 38507, Suspicious UDP Data
May  4 10:23:27 192.168.0.1 rferris Hacker Log[59292]:PROTO_TCP, SIP:123.10.44.80: 2205, DIP:98.247.182.78: 18448, Suspicious TCP Data
May  4 10:32:33 192.168.0.1 rferris Hacker Log[59294]:PROTO_TCP, SIP:121.14.152.130: 6000, DIP:98.247.182.78: 1433, Suspicious TCP Data
May  4 10:44:45 192.168.0.1 rferris Hacker Log[59298]:PROTO_UDP, SIP:173.8.113.195: 3193, DIP:98.247.182.78: 1434, Suspicious UDP Data
May  4 10:47:32 192.168.0.1 rferris Hacker Log[59300]:PROTO_UDP, SIP:93.5.92.78: 1137, DIP:98.247.182.78: 12712, Suspicious UDP Data

But firewalls don't catch and catalog all the packets, So you will need to filter and trap them, perhaps with  tcpdump  set of filters like so:

/usr/local/sbin/tcpdump -ntttvvveXX -i xl0 -s 65535 host [your leased IP] and not arp or icmp or igmp and 'port not (bootpc or domain or pop3 or whois or http or https)' and  'host not (wf-in-f125.google.com or cns.beaverton.or.bverton.comcast.net or 73.98.100.1)' >> `date "+%b%e%H%M%S%Z%Y"`

And after you have captured your filtered traffic, you may need more filtering to extract a list of IPs:

grep seq May\ 3115119PDT2009 | grep -v -f file | awk -F ">" '{print $1}' | more
$ more file
DHCP
ICMP
POP3
DIP

Thus we have a literal boom in the network security business to make this type of data collection easier, more intuitive, more suitable for today's level of traffic: taps, filters, IDS/IPS devices, filtering Firewalls with IDS functionality, protocol analyzers, etc.  But at some point first before you deploy any of this, you are going to want to break ground and sit and watch traffic, so you viscerally understand the threats, attack vectors, sniffers and firewalls


No comments:

Post a Comment