Know thy network. This is the mantra of network security advocates, with good reason. To determine whether you have been or are being attacked by malicious entities, you must know what normal traffic looks like. If you don't know what normal network behavior is, it is very difficult to pick out the unusual traffic that should be investigated. To learn what normal traffic is, run these tools for a period of time under normal conditions to baseline your network and the activity on it. After you have baselined your network, you can begin to tweak the tools to fit your needs and exclude what is normal. Security professionals sometimes make the mistake of assuming they understand their networks and modify their tools to reduce the amount of information presented. This can significantly reduce the tools' effectiveness, because overzealous filtering can hide attackers or unusual traffic.
All the tools mentioned in this chapter will let you identify certain types of traffic, but deciding whether the information you are seeing is a problem requires knowledge of your network. In this chapter, we discuss some of the common open source tools used for monitoring network activity.
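The baseline-then-compare approach described above, and the cost of filtering too aggressively, can be shown on a handful of tcpdump-style lines. The following is an added example, not code from the book: the capture lines are constructed, the services and addresses are made up (RFC 5737 and private ranges), and the heuristics for deciding which end of a flow is the "service" are assumptions, not part of any tool the chapter covers.

```python
import re
from collections import Counter

# Constructed lines in the style of `tcpdump -nn` output (not a real capture).
# These represent the "normal" period used to build the baseline.
BASELINE_LINES = """\
10:00:01.000001 IP 192.168.1.10.51234 > 192.168.1.1.53: 1+ A? intranet.example. (34)
10:00:01.000420 IP 192.168.1.1.53 > 192.168.1.10.51234: 1 1/0/0 A 192.168.1.20 (50)
10:00:02.000001 IP 192.168.1.10.51235 > 192.168.1.20.80: Flags [S], seq 1, win 64240, length 0
10:00:02.000300 IP 192.168.1.20.80 > 192.168.1.10.51235: Flags [S.], seq 2, ack 2, win 65535, length 0
10:00:03.000001 IP 192.168.1.11.40001 > 192.168.1.20.22: Flags [S], seq 3, win 64240, length 0
10:00:03.000200 IP 192.168.1.11.40002 > 192.168.1.1.53: 2+ A? mail.example. (30)
"""

# Constructed lines from a later period that we want to compare against the baseline.
WATCH_LINES = """\
11:00:01.000001 IP 192.168.1.10.51300 > 192.168.1.1.53: 3+ A? intranet.example. (34)
11:00:01.000002 IP 192.168.1.10.51301 > 203.0.113.7.53: 4+ A? lookup.example. (31)
11:00:02.000001 IP 192.168.1.12.50000 > 192.168.1.20.23: Flags [S], seq 9, win 64240, length 0
"""

# Matches "<ts> IP <src>.<sport> > <dst>.<dport>: <rest>" for IPv4 TCP/UDP lines.
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$"
)


def parse_line(line):
    """Return a small dict for one tcpdump line, or None if it is not TCP/UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    is_tcp = rest.startswith("Flags [")
    # A pure SYN prints as "Flags [S]"; a SYN-ACK prints as "Flags [S.]".
    is_syn = rest.startswith("Flags [S]")
    return {
        "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
        "proto": "tcp" if is_tcp else "udp", "syn": is_syn,
    }


def service_of(pkt):
    """Map a packet to the (host, port, proto) service it is talking to.

    Heuristics (assumed for this example): for TCP only the initial SYN
    counts, so replies and data packets do not pollute the baseline; for
    UDP the lower-numbered port is taken to be the service side.
    """
    if pkt["proto"] == "tcp":
        return (pkt["dst"], pkt["dport"], "tcp") if pkt["syn"] else None
    if pkt["dport"] <= pkt["sport"]:
        return (pkt["dst"], pkt["dport"], "udp")
    return (pkt["src"], pkt["sport"], "udp")


def build_baseline(text):
    """Count how often each service was contacted during the baseline period."""
    services = Counter()
    for line in text.splitlines():
        pkt = parse_line(line)
        svc = service_of(pkt) if pkt else None
        if svc:
            services[svc] += 1
    return services


def find_new_services(baseline, text, ignore_ports=()):
    """Return services in `text` that never appeared in the baseline.

    `ignore_ports` models the "exclude what is normal" tweak. Excluding a
    whole port (e.g. 53) also hides new hosts on that port, which is the
    overzealous-filtering mistake the chapter warns about.
    """
    new = set()
    for line in text.splitlines():
        pkt = parse_line(line)
        svc = service_of(pkt) if pkt else None
        if svc and svc not in baseline and svc[1] not in ignore_ports:
            new.add(svc)
    return sorted(new)


if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    print("baseline services:", dict(base))
    print("new (no filter):  ", find_new_services(base, WATCH_LINES))
    print("new (ignore 53):  ", find_new_services(base, WATCH_LINES, ignore_ports={53}))
```

With no exclusions the comparison reports two new services: DNS to an outside host (203.0.113.7) and telnet (port 23) on an internal server. Excluding port 53 because "DNS is normal" silently drops the first of those, which is exactly the kind of finding a baseline is meant to surface.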
Before embarking on this chapter, note that you need to understand the basics of TCP/IP to get full use of this chapter and the tools described. Many tutorials are available on the Internet; a good start is RFC 1180, available at http://www.ietf.org/rfc/rfc1180.txt, as well as RFC 793, available at http://www.ietf.org/rfc/rfc793/. A good pocket reference for tcpdump and TCP/IP is located at http://www.sans.org/resources/tcpip.pdf. You should also be familiar with UDP and ICMP. For more information on UDP and ICMP, visit http://www.ietf.org/rfc/rfc0768.txt and http://www.ietf.org/rfc/rfc0792.txt, respectively, or use your favorite search engine.
Heads Up
Be aware that the tools presented in this chapter can be used by attackers if they gain access to your system, so know what programs are installed on your system and who has access to the tools.
If you are building or managing a sensitive production machine or other truly hardened machine, do not install these programs on it. Instead, install them on a machine built for the purpose of monitoring the network. If in doubt, install on a separate machine for maximum security or, at a minimum, lock down the permissions on the executables to prevent unauthorized use. Most of these tools also require that you be logged in as the superuser (root) for full functionality, so if you find you don't have all the functionality mentioned in this chapter, log in as root during these operations only.
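Locking down the executables, as the Heads Up advises, is easy to do once and then forget, so it is worth having a repeatable check. The following is an added example, not code from the book: it audits a list of tool paths for world-execute permission and setuid/setgid bits and tightens them to root-and-group only. The tool paths in `DEFAULT_TOOLS` are assumed locations for tcpdump, the one tool the text names; the group you choose for monitoring staff is your own decision.

```python
import os
import stat

# Assumed install locations for tcpdump; adjust for your distribution and add
# the other monitoring tools you install. Paths that do not exist are skipped.
DEFAULT_TOOLS = ("/usr/sbin/tcpdump", "/usr/bin/tcpdump")


def audit_tool(path):
    """Return a list of permission findings for one executable.

    Findings are strings so the result can be logged or asserted on directly.
    """
    st = os.stat(path)
    mode = st.st_mode
    findings = []
    if mode & stat.S_IXOTH:
        findings.append("world-executable")   # anyone on the box can run it
    if mode & stat.S_IROTH:
        findings.append("world-readable")     # anyone can copy the binary
    if mode & stat.S_ISUID:
        findings.append("setuid")             # runs with the owner's privileges
    if mode & stat.S_ISGID:
        findings.append("setgid")
    if st.st_uid != 0:
        findings.append("not owned by root")
    return findings


def audit_tools(paths=DEFAULT_TOOLS):
    """Audit every path that exists; returns {path: [findings]}."""
    return {p: audit_tool(p) for p in paths if os.path.exists(p)}


def lock_down_tool(path, group_gid=None):
    """Restrict an executable to root and one group: mode 0750, no suid/sgid.

    Changing the owner requires root, so chown is only attempted when running
    as root; the permission change itself works for the file's owner.
    Returns the resulting permission bits.
    """
    os.chmod(path, 0o750)
    if group_gid is not None and os.geteuid() == 0:
        os.chown(path, 0, group_gid)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    for path, findings in audit_tools().items():
        print(path, findings or "ok")
```

Run the audit as part of your host-hardening checks; an empty finding list means the tool is confined to root and its group. Note that mode 0750 alone does not stop root-equivalent users, and that most of these tools still need root to capture packets, so the permission change limits who can start them rather than what they can do once started.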