- Advisory services
- Consultations
- Network and technology policies
- Network and technology service docs
- Using Jisc community
- Network and technology service docs
- Domain name registration
- How to sign up
- Janet Support Manual
- Janet CSIRT
- Back-up services
- eduroam
- Backup Web Hosting
- Certificate Service
- Connection timeline
- Eligibility
- Janet 3G Buyer's Guide
- Janet 3G eduroam interoperablity authentication methods
- Janet Mail Services
- Janet Network Charges
- Janet Reach
- Janet Videoconferencing Feedback results
- Primary connections
- Supporting Business Continuity
- Business and Community Engagement (BCE) using Janet
- Cost
- Interconnect connections
- Connecting student accommodation
- Customer-owned routing equipment
- Obtaining a Janet IP Address Range
- Terms for the Provision of the Janet Service
- Upgrading your existing bandwidth and Janet router
- Fault reporting
- IP address assignment
- Janet Aurora
- Janet Netsight
- Janet txt
- Routers
- Network set-up
- Guest access
- Network time service
- Training
- Contact
- Primary Nameserver Service
- Secondary Nameserver Service
- Vscene
- Janet CSIRT
- About CSIRT
- Technical advice
- Reporting abuse
- Security advice
- Technical advice
- "Fake" colleges
- Blocking LAN service ports
- DNS Resolver configuration
- Dealing with worms or viruses
- Guidelines for Handling Illegal Material
- How to block or sinkhole domains in BIND
- How to block or sinkhole domains in Windows Server 2008
- Investigating SSH port scans
- Investigating a Denial of Service attack
- Janet CSIRT use of NetFlow data
- Janet Network Security Incident Classification Scheme
- Penetration testing
- Securing networked computers
- Seven steps to secure ntp servers from DDoS attacks
- Spam bounces considered harmful
- Investigating a Denial of Service attack
- Network infrastructure
- The network monitor
- What we saw
- Aftermath
- References
The network monitor
Download as PDFOur monitor is a Linux system running the Snort lightweight intrusion detection system [3]. Demands on hardware are not very high: we use a redundant Pentium 133-based system with two 10/100Mbit/s network interface cards, 128MB memory and 4GB disk space. This allows us to use one interface to access the console, while the other is dedicated to the RSPAN traffic. It is configured with a minimum number of services running and no user accounts [4].
Snort is basically a packet sniffer for which a library of network attack signatures is available. It uses signatures in much the same way that most anti-virus software uses them, to recognise patterns in viral code. Snort is not really stateful, and normally analyses packets independently of each other. Preprocessor plugins can be used to extend functionality, for example to detect port scans.
Suspecting that IP spoofi ng might be involved, we want to preserve layer 2 addressing information. This is often critical in identifying the true source of spoofed traffic, as most spoofi ng occurs at layer 3 (IP), rather than at layer 2 (the MAC address). To this end, we can invoke Snort with the following command line options:
[root@monitor]# snort -D -N -e -i eth1 -c ./08292k.rules -l ./logs
The meanings of the options are as follows:
|
-D |
run in background (as a daemon) |
|
-N |
do not attempt to log packet payload |
|
-e |
record layer 2 information |
|
-i eth1 |
read packets from interface eth1 |
|
-c ./08292k.rules |
name of file containing attack signatures |
|
-l ./logs |
write log fi les to this directory |
