Re: About malicious traffic and how to identify it...

Posted by ZVR on February 15, 2006, 5:20 pm
> I'm not sure if my interpretation of malicious traffic (external/internal)
> is correct, or maybe this concept is very subjective or complex.

It is both complex and subjective, i.e. everybody has their own standards.
What a bank might consider malicious/unwanted traffic is not necessarily the
same with a gaming outfit.

> Anyway, I understand malicious traffic to be all traffic (external/internal)
> that goes against good use of resources, affecting performance, services,
> ..., between one or more machines, and it can be intended (e.g.
> viruses/trojans) or unintended (e.g. bugs, misconfiguration, p2p).

See above. Obviously your definition of malicious traffic is more extensive
than others'.

> I've read about network analyzers/monitoring tools like sniffers and MS
> Network Monitor/Ethereal, among others like ISA logs, BUT once inside
> them I can't identify malicious traffic.

With network monitoring tools like Ethereal or MS's own Network Monitor you
*have* to know what you're looking for in the first place. They are packet
capture and decoding tools which can give you insight into the data being
exchanged within your network, but you need to be able to interpret that
data in a way that makes sense to you. Experienced people would just look at
such data and instantly figure out the originating application. Obviously,
if you're a newcomer to network monitoring there will be a lot of reading
involved.

> I have spoken with experts on the matter and they always recommend using
> sniffers and similar tools, but to the question "how can I identify
> malicious traffic once inside those utilities?" they respond vaguely and
> evasively.

That is because there is no "universal" answer to your question. Each tool
is different. Ethereal, for example, being free, lacks features that can be
found in (very) expensive network monitoring and analysis suites. Such
suites do include the part you're inquiring about: they will automatically
analyze the data streams for you and provide you with excellent reports
about the type and distribution of traffic within your network. They would
even tell you things like whether you have machines infected with worms like
Code Red/Nimda, because that traffic will be caught, analyzed, and
identified based on unique patterns and signatures.

Which brings us to your next question.

> Does this traffic have some clue (protocol, port, frame, size, ...) that
> helps to identify it?

Yes, every application has its own signature, which is like a unique
fingerprint. This signature is most often, but not always, linked to the
protocols and ports the application is using. Some applications can actually
disguise themselves by using other ports/protocols, but even then the
content and structure of the packets being exchanged are give-aways. As I
said, you need to either invest a lot of time in learning how to
spot/identify these unique signatures or invest in good tools that can do
that for you in a practical manner. Depending on their scope, such tools can
be referred to as IDS: intrusion detection systems.

One suggestion I can offer, if you're looking to get your feet wet via a
"freeware" approach to IDS/network security, would be SNORT, which is an
excellent package that does exactly that. At times you will lack the
sophistication and user friendliness of some of the commercial offerings in
this field, but the time spent learning how to leverage SNORT will be well
worth it in the long run, that's for sure.

You can read about SNORT here:
http://www.snort.org/about_snort/

Oh, and one more thing: SNORT originates from the Unix/Linux world. It can
be run on Windows if you feel so inclined, although the Win32 port has
certain limitations, plus many plugins and addons developed by the security
community are only available for *nix. Regardless of that, it is still an
excellent tool.

A good resource for running SNORT under Win32 is the SANS FAQ:
http://www.sans.org/resources/idfaq/snort.php

Hope this helps,
Virgil
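The point made in this reply, that an application is identified by the content and structure of its packets rather than by its port alone, and that an IDS like SNORT automates that matching against a signature set, can be shown with a small matcher. The code below is an added example, not part of the original thread and not SNORT's code: the signatures, the `Packet` record and the sample packets are all constructed here for illustration, and a real IDS rule set is far richer (stateful, protocol-decoded, with many more patterns).

```python
"""Toy signature-based traffic classifier (added example; hypothetical signatures)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str       # application the signature identifies
    proto: str      # transport protocol the application normally uses
    port: int       # server port the application normally uses
    content: bytes  # byte pattern expected in the application's payload


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Hypothetical, deliberately simple signatures, in the spirit of an IDS rule set.
SIGNATURES = (
    Signature("http", "tcp", 80, b"HTTP/1."),        # request line / status line
    Signature("tls", "tcp", 443, b"\x16\x03\x01"),   # TLS record header of a ClientHello
    Signature("smtp", "tcp", 25, b"EHLO "),          # SMTP client greeting
    Signature("irc", "tcp", 6667, b"NICK "),         # IRC nickname registration
)

# Evidence labels returned by classify(): how much the verdict rests on.
PORT_AND_CONTENT = "port+content"
CONTENT_ONLY = "content matched on a non-standard port"
PORT_ONLY = "port only, payload did not match"
UNKNOWN = "no signature matched"


def classify(pkt):
    """Return (application, evidence) for one packet.

    Content is checked first because it is the stronger fingerprint; the port
    only raises or lowers confidence. A port match without content is weak."""
    for sig in SIGNATURES:
        if sig.proto == pkt.proto and sig.content in pkt.payload:
            if pkt.dport == sig.port:
                return sig.name, PORT_AND_CONTENT
            return sig.name, CONTENT_ONLY
    for sig in SIGNATURES:
        if sig.proto == pkt.proto and pkt.dport == sig.port:
            return sig.name, PORT_ONLY
    return "unknown", UNKNOWN


def summarize(packets):
    """Count packets per (application, evidence): the 'distribution of traffic' view."""
    return Counter(classify(p) for p in packets)


def disguised(packets):
    """Packets whose payload identifies an application on a port it does not normally use."""
    return [p for p in packets if classify(p)[1] == CONTENT_ONLY]


# Constructed sample capture (documentation addresses, made-up payloads).
SAMPLE = [
    Packet("tcp", "10.0.0.5", 51000, "198.51.100.10", 80,
           b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("tcp", "10.0.0.7", 51001, "10.0.0.9", 8080,           # HTTP on 8080
           b"GET /status HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 51002, "198.51.100.25", 25,
           b"EHLO workstation5.example.com\r\n"),
    Packet("tcp", "10.0.0.8", 51003, "198.51.100.30", 443,
           b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    Packet("tcp", "10.0.0.8", 51004, "203.0.113.20", 80,          # IRC hiding on 80
           b"NICK host8\r\nUSER host8 0 * :host8\r\n"),
    Packet("tcp", "10.0.0.9", 51005, "203.0.113.40", 80,          # port 80, not HTTP
           b"\x00\x00\x00\x05hello"),
    Packet("udp", "10.0.0.9", 51006, "203.0.113.50", 31337,
           b"\x01\x02\x03"),
]


if __name__ == "__main__":
    for (app, evidence), count in sorted(summarize(SAMPLE).items()):
        print(f"{count:3d}  {app:8s} {evidence}")
    print("packets to review (application on an unexpected port):")
    for p in disguised(SAMPLE):
        print(f"  {p.src}:{p.sport} -> {p.dst}:{p.dport}  {classify(p)[0]}")
```

The two packets worth a second look are the ones the port alone would have mislabelled: HTTP on 8080 and an IRC handshake sent to port 80. The packet on port 80 whose payload matches nothing is labelled by port only, which is exactly the weak evidence a port-based filter would accept as "web traffic".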




Posted by Jaisol on February 15, 2006, 6:59 pm
> Experienced people would just look at such data and instantly figure out
> the originating application. Obviously if you're a newcomer to network
> monitoring there will be a lot of reading involved.

:((

> Hope this helps,

Of course.

Something else: is an IDS just for incoming Internet traffic, or is it able
to work with internal (LAN) traffic too?

Once again, thank you for the explanation and recommendations.

