Snort / Suricata Network Topology - Is this acceptable? - networking

I run a small business network with around a 500mbit Internet connection and want to introduce an NIPS (network intrusion prevention system). I have identified SNORT or SURICATA as the software of choice (and maybe Zeek which I know less about). Perhaps with PFSense etc. TBD.
Wifi is heavily used in the business, as is standard Windows LAN-cable PCs. Currently our basic Router/Modem handles everything.
CURRENT network topology:
INTERNET ==> Existing ADSL-like Router/Modem (with DHCP + wifi) ==> Office network infrastructure etc
I want to insert a basic Linux box with 2 or four cores + 4GB of ram and a basic 1gbps network card for this SNORT/SURICATA box, before the Internet router.
I want to confirm the following is a good means to go about introducing NIPS:
DESIRED network topology:
INTERNET ==> Existing ADSL-like Router/Modem (disable wifi) ==> SNORT/SURICATA Linux Box ==> Spare Standard ADSL-like Router/Modem with DHCP + Wifi enabled ==> Office network infrastructure etc.
Question: Will this setup allow the SNORT/SURICATA box (given default settings / nothing fancy enabled) to:
Track LAN source IP address of WAN traffic, both outgoing and incoming. I.e. Torrent connection between "Local Computer LAN IP and Remote IP" -, not "Router IP and Remote IP"
Ability to login to SNORT/SURICATA box (no subnet craziness - at least not super hard to resolve problems)
Any gotchas here?
Note this is for a small business with 20 employees, not 300 etc. Conforming to every best practice is impractical at this size.
I am not keen on adding a WIFI network card to said Linux box. The reason is, in a crisis, I want to be able to unplug the snort box and connect the two routers together and immediately provide Internet to the office in case the box goes down for whatever reason (bad snort rules, hard drive dies etc). Also, router/modems need clicks to get connectivity going - I don't need to load up Putty, which would be very hard for anyone else to deal with, if I am not available.
Thanks for the help!

The setup that you are trying to accomplish can easily be done by install a pfSense box (2-4 cores and 4 GB RAM). You can choose the hardware spec from the below link:
https://docs.netgate.com/pfsense/en/latest/book/hardware/index.html
Configure suricata to run in inline IPS mode and you will be good to go. You can anytime ask for assistance while configuring suricata.

Related

Can't access device through network

I'm trying to interface a device with python.
The device is connected to another machine in the same network (the university network) and I know it's Port number.
I can access the device from the PC where it is plugged with the following code:
dev = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
dev.connect(('137.195.53.140',51019))
where '137.195.53.140' is the PC ip, and 51019 is the port number.
However, if I try the same from another machine, ipython gets stack at the command "dev.connect(('137.195.53.140',51019))", and when I abort the evaluation and then look at "dev" I get this:
<socket.socket fd=15, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=0, laddr=('137.195.204.85', 50393)>
where '137.195.204.85' is the IP of the machine I'm using, and the port number I've no idea.
Since ssh works with no problem within this network, I thought that my approach for accessing the device would have worked as well.
Does anyone have any clue for this? I'm sorry if I haven't been clear, but I know absolutely nothing of networking (and not very much of Python either tbh).
There's couple of things to consider:
Your university network ports
Your device's opened ports
Your network might have the 51019 port blocked. Also, ssh uses port 22 to make it's connection. Every port is a world, so there's the chance that just because 22 is open, it doesn't mean that another is. School networks usually have a pretty rigid policy on port closing for security and blocking unwanted sites too.
You can test your device access by pinging it as
$ ping 137.195.204.85
If that works, then you can go trying different ports

How Network Monitoring System measure Network Traffic

I'm going to develop a network monitoring system for my final year project in college. Before the development, I've gone through some research about how a network monitoring system works. From my understanding, network monitoring system used ICMP packet (Ping) to make sure the devices is "alive" in the network. Here is the problem I had:
If network monitoring system need to ping each and every device in the network, then the network traffic will become heavy, is that good approach to use this method? Or is there any other possible alternative?
Network monitoring system provide set of data of the network traffic, is that possible for the network monitoring system to get the traffic level for all the connection? Assume there are 3 PCs, PC X, PC Y, and PC Z. PC X connected to PC Y, and PC Y connected to both of the PCs, PC X used for monitor the network, when PC Y sending packets to PC Z, is that possible that PC X get the information that PC Y is sending packets to PC Z?
Thanks
The network traffic load of monitoring is negligible compared to normal network traffic. Typically, you would poll devices eveny minute or every 5min, with a single packet getting a single packet in return.
Network traffic monitoring is typically done using SNMP to poll the ifInOctets and ifOutOctets counters for each interface. This will allow you to calculate total traffic and transmission rate (bandwidth utilisation) on a per-interface basis. However, it does not allow you to break this down by traffic type or destination.
I would suggest you take a look at software such as MRTG which do this sort of monitoring very neatly.
If you are wanting to monitor the health of the entire network, not just traffic on links, you may want to look into catching SNMP traps from devices to hear about problems, and also monitoring other things such as reachability (via ping packets), routes (to detect flapping routes), and even check services on hosts (such as DNS, HTTP, SMTP and so on). To do this, you might like to investigate the Nagios software and its check plugins that do the various tests.
No, the network traffic will not become heavy. You seem to have greatly underestimated the network capacity, or greatly overestimated the amount of traffic caused by ping (or both). Increase in network load caused by periodic pings from the network monitoring server to all hosts in the network will be minuscule unless your network is some sort of a slow ancient half duplex network. I would be more worried about the required CPU usage on the network monitoring server to be able to process all the pings and do useful stuff with them.
It is only possible if you are running a specialized software on the PCs to be able to grab and send this data off to the network monitoring server. sflow is a good example. Do you have any control over what can be configured on the PCs? If so, sky is your limit. If we treat the PCs as a blackbox, there really isn't that much that you can do other than pinging and possibly port scanning.
Monitoring individual hosts is only part of the picture. It is also very important for the network monitoring system to monitor the routers and switches that form the network. The amount of information that you can gather will depend hugely on what these network equipments support and whether you have the access to configure them. If SNMP is enabled, that would be a great start.

Is there a way to detect the number of connections active on a Wifi network?

If I want to detect the number of connections active on my home Wifi network, how should I go ahead doing it? This can be useful for building applications which would serve as monitoring unidentified/unrecognized people being fraudulently misusing a person's Wifi network.
How to know whether your neighbors or others are using your wireless network is rather complicated.
If your neighbors are experienced Wi-Fi hackers, you might not be able to tell at all.
If they're just stealing your Internet connection, you may be able to tell from the logs on your router.
To find out who's on your wireless network, you'll need to start by taking inventory of all the devices that are meant to be connected. Find out their MAC IDs and their IP addresses (if they're static).
To find out the MAC ID/IP address on a PC, click the Start menu and choose Run. Type cmd and click OK. In the screen that opens, type ipconfig /all and hit Enter. The MAC address will be shown as the physical address. Once you know the MAC addresses of each of the PCs on your network, you will recognize any addresses that don’t belong under the screen that shows the MAC addresses of current connections.
Check IP addresses
Likewise you may be able to see how many IP addresses have been dished out by the DHCP server. If you check the IP addresses of each of your PCs, you can see if other IP addresses have been served.
To find out your IP address from the Start menu, click Run. Then type in cmd and click OK. In the screen that comes up, type ipconfig which will display the IP address for that computer. (Bear in mind, however, that if the PC is set to auto detect settings, then the PC's IP address will change the next time the computer is rebooted or switched on. Sometimes previously served numbers have not yet expired, so you may think someone is connected when they are not.)
Dealing with intruders
If you do find someone using your connection, they may well not be doing so maliciously or even knowingly. Sometimes people can’t tell which is their own connection and they may honestly believe that they are using their Wi-Fi router rather than yours. The best way to deal with this is to set up your own security and maybe you can help them find their own router!
The optimal solution is to set up a strong password using WPA or WPA 2 of almost 20 to 30 digits and numbers. Once your network is functioning, you can switch off the SSID broadcast (which prevents it from advertising the name of your network) so it would effectively disappear as far as your neighbors are concerned, and the first you might hear of it is when someone complains that their Web connection has disappeared.
You could look for logs such as current LAN clients, connection or status log, or connected MAC addresses.
Be Happy :-)
Do you have access to the Access Point management ?
Look for MAC addresses and their filtering. Modern APs allow you to filter devices and or limit the timeframe during which devices can authenticate themselves, using a hardware button.
A link on how to secure your AP here, and a good start to know what to play with !
You can Either USE this Command... On your Router or Modem... Some Modem's have console for Ping and Commands like that....
ipconfig -all

How do I get a MAC address for a remote system when I only know it's IP address?

I'm working on a Wake on LAN service that will run from a web site and should interact with many different platforms - therefore, no Windows-only solutions. When a user registers their system with the web site, I need to get the MAC address to use in constructing the "magic" packet. I have a Java Applet that is able to do this for me and am aware of an ActiveX control that will work, but I'm wondering if there is a way to do this server-side by querying routers/switches. Since the system may be on any of a number of different physical subnets, using ARP won't work -- unless there's a way to configure the router(s) to perform the ARP on my behalf.
Anyone know of any network APIs, proprietary or otherwise, that can be used to look up MAC addresses given an IP address? I think we're using Cisco routers, but it's a complicated network and there may be multiple vendors involved at various levels. I'd like to get some background information on possible solutions before I go to make a sacrifice to the network gods. No point in abasing myself if it's not technically possible. :-)
EDIT: We do have the network infrastructure set up to allow directed broadcast, though figuring out the exact broadcast address since netmasks are not always /24 is another conundrum that I need to solve.
If you are on a local network that uses DHCP you might be able to look in the servers database to get the MAC of the last user with that address. In the future you could watch the network for ARP requests and cache the responses in some sort of table. You might also look at using RMON or SNMP to try and query the Address Tables on the switches and routers.
It should be noted that to use WoL across routers you either need to enable Directed Broadcasts or you need to have a relay server in the local segment.
Been a while since I played routers and swtiches but this might be a starting point for what to query using SNMP http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a00801c9199.shtml
Use the following:
getmac /s destIp
To get the remote session Mac address.
I don't know if these might be helpful but take a look:
http://www.webdeveloper.com/forum/showthread.php?t=134120
http://www.qualitycodes.com/tutorial.php?articleid=19
You've said everything I can think of...
The source MAC address changes as a packet hops from device to device so unless the client is on the same subnet, the server won't be able to get the MAC address. (You would do it via ARP)
A signed java applet or activex control would be the easiest solution. It would be able to (almost passively) get all the networking info you need (IE doesn't even prompt to run a signed applet)
If you are fully aware of the network that is using the service then you could probably query a gateway's client-list via SNMP or CDP. You would be able to map out IP-Addresses to MAC addresses... but this is really vendor dependent (but common) and wouldn't be much better (imo) than having an applet.
Currently the application is using a Java 6 applet that allows me to extract both the hostname and the MAC address from the remote system. I don't like having this dependency on Java 6, but Snow Leopard and Windows both support it, so I can probably live with it.
On a related-front our networking folks approached me for some help with converting some existing code to ASP.NET. During the conversation I asked if they had live MAC address information (since they do port shutoffs based on suspicious network activity -- viruses/worms). Turns out they do and we may be able to leverage this project to get access to the information from the network database.
I don't think there is any way to accomplish this. When the IP packet goes via the first router the host's MAC information is lost (as you know MAC is only used in ethernet layer). If the router most close to your PC was capable of telling the remote MAC code to you, again it would only see the MAC of the next router between your PC and the "other end".
Start sacrificing.
There's no general way to do this in terms of the network unless you have no routers involved. With a router involved, you will never see the MAC address of the originating system.
This assumes that the originating system only ever has a single network interface, so has only a single MAC address.
In fact, are you even sure that your "magic packet" (whatever that is) will reach the system you want it to reach, through the routers? That sounds like a function the routers or other network infrastructure should be performing.
Mac address is only used on network segments, and is lost at each hop. Only IP is preserved for end-to-end - and even then the from ip address is rewritten when Natted. I guess my answer is, not possible unless everything is on the same network segment, or your routers are set up for proxy arp (which is not really realistic).
You can only get MAC entries in the ARP table for machines on the same network. If you connect to a machine via a router then you will only see the routers MAC address in the ARP table. So there is no way of knowing the foreign host’s MAC address unless it's a host on the same network (no routers involved).
And by the way there are many similar question already on SO.
if it's a windows system you can use NBTSTAT -A
this will return the netbios info and the IP is there
any Management system like SMS or Altiris will have this info
The DHCP server is a good idea
If it's local you can ping it and then quickly run ARP -a
look for the IP and the MAC will be there.
you might need to write a small batch file.
if you have access to the PC you can use WMI to access the info for the Nic with DHCP.
As said above we can get mac address from a known IP address if that host is in the same subnet. First ping that ip; then look at arp -a | grep and parse the string on nix* to get mac address.
We can issue system command from all programming languages standard API's and can parse the output to get mac address.Java api can ping an IP but I am not sure if we parse the ping output(some library can do it).
It would be better to avoid issuing system command and find an alternative solution as it is not really Platform Independent way of doing it.
Courtesy: Professor Saleem Bhatti

Sniffing network traffic for signs of viruses/spyware

How can I connect a system to a network and sniff for virus/spyware related traffic? I'd like to plug in a network cable, fire up an appropriate tool sand have it scan the data for any signs of problems. I don't expect this to find everything, and this is not to prevent initial infection but to help determine if there is anything trying to actively infect other system/causing network problems.
Running a regular network sniffer and manually looking through the results is no good unless the traffic is really obvious,but I havn't been able to find any tool to scan a network data stream automatically.
I highly recommend running Snort on a machine somewhere near the core of your network, and span (mirror) one (or more) ports from somewhere along your core network path to the machine in question.
Snort has the ability to scan network traffic it sees, and automatically notify you via various methods if it sees something suspicious. This could even be taken further, if desired, to automatically disconnect devices, et cetera, if it finds something.
Use snort: An open source network intrusion prevention and detection system.
Wireshark, formerly ethereal is a great tool, but will not notify you or scan for viruses. Wireshark is a free packet sniffer and protocol analyzer.
Use the netstat -b command to see which processes have which ports open.
Use CPorts to see a list of ports and the associated programs, and have the ability to close those ports.
Download a free anti-virus program such as free AVG.
Setup your firewall more tightly.
Setup a gateway computer to let all network traffic go through. Take the above recommendataions to the gateway computer instead. You will be checking your whole network instead of just your one computer.
You can make Snort scan traffic for viruses. I think this will be the best solution for you.
For watching local network traffic your best bet (with a decent switch) is to set your switch to route all packets out a specific interface (as well as whatever interface it would normally send). This lets you monitor the entire network by dumping traffic down a specific port.
On a 100 megabit network, however, you'll want a gigabit port on your switch to plug it into, or to filter on protocol (e.g. trim out HTTP, FTP, printing, traffic from the fileserver, etc.), or your switch's buffers are going to fill up pretty much instantly and it'll start dropping whatever packets it needs to (and your network performance will die).
The problem with that approach is that most networks today are on switches, not hubs. So, if you plug a machine with a packet sniffer into the switch, it will only be able to see traffic to and from the sniffing machine; and network broadcasts.
As a followup to Ferruccio's comment you will need to find some method of getting around your switches.
A number of network switches have the option of setting up port mirrors, so that all traffic (regardless of the destination) will be copied, or "mirrored", to a nominated port. If you could configure your switch to do this then you would be able to attach your network sniffer here.
Network Magic, if you don't mind something that's not open source.
You can use an IDS, hardware or software
http://en.wikipedia.org/wiki/Intrusion-detection_system

Resources