tags:

views:

1335

answers:

8
+4  Q: 

Sniffing network traffic for signs of viruses/spyware

How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool sand have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other system/causing network problems.

Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious,but I havn't been able to find any tool to scan a network data stream automatically.

+3  A: 

You can make Snort scan traffic for viruses. I think this will be the best solution for you.

Jerub  2008-09-24 00:36:49
+5  A: 

I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.

Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.

Dominic Eidson  2008-09-24 00:37:08
+5  A: 

  1. Use snort: An open source network intrusion prevention and detection system.

  2. Wireshark, formerly ethereal is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.

  3. Use the netstat -b command to see which processes have which ports open.

  4. Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.

  5. Download a free anti-virus program such as free AVG.

  6. Setup your firewall more tightly.

  7. Setup a gateway computer to let all network traffic go through. Take the above recommendataions to the gateway computer instead. You will be checking your whole network instead of just your one computer.

Brian R. Bondy  2008-09-24 00:39:44
A: 

The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.

Ferruccio  2008-09-24 00:42:59
Spanning (mirroring) a major backbone circuit solves this issue. Regardless of whether it's a switch or not.
Dominic Eidson  2008-09-24 00:50:55
I didn't know that. What kind of hardware do you need to make that work? Is it all in the switch?
Ferruccio  2008-09-24 00:53:13
Yes, it's a function of the switch. Most modern managed (as opposed to "dumb") switches have this capability.
Dominic Eidson  2008-09-24 00:55:25
So, as long as you're on a managed switch and the IT department will let you touch it, this can work.
Ferruccio  2008-09-24 01:06:20
I would expect anyone to ask this question to at least in some form, be responsible for the network, or work with people who are responsible for the network. IDS/security often go hand in hand with maintaining the network :)
Dominic Eidson  2008-09-24 03:10:28
A: 

As a followup to Ferruccio's comment you will need to find some method of getting around your switches.

A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.

Andrew Edgecombe  2008-09-24 00:48:13
+2  A: 

For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.

On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).

Dan Udey  2008-09-24 01:03:29
A: 

Network Magic, if you don't mind something that's not open source.

MrBoJangles  2008-09-24 01:46:05
A: 

You can use an IDS, hardware or software http://en.wikipedia.org/wiki/Intrusion-detection_system

UndertheFold  2008-10-28 04:41:24

related questions

Scalable socket event queue processing
Having trouble achieving 1Gbit UDP throughput
Map 192.168.0.10 to 127.0.0.1 on windows
What's the best CDN for image hosting on a high-volume web site?
How do I stop network flooding using Windows 2003 Network Load balancing?
Testing network interrupts in software
Loading Assemblies from the Network
Should I use a dedicated network channel between the database and the application server?
Push or Pull for a near real time automation server?
Best tool to monitor network connection bandwidth
Track down where packets are being blocked/droped
Determining members of local groups via C#
Dealing with Latency in Networked Games
Tool for degrading my network connection?
What's the idiomatic way to do async socket programming in Delphi?
How to avoid pauses when editing code on a network drive?
Revoke shared folders in windows
Reconnect logic with connectivity notifications
Maximum buffer length for sendto?
Configure a Java Socket to fail-fast on disconnect?
Sockets in Pascal
Windows/C++: How do I determine the share name associated with a shared drive?
In C++/Windows how do I get the network name of the computer I'm on?
Using VM to get around VPN restrictions
Error ADMA5026E for WebSphere Application Server Network Deployment