Intruder detection - Human or malware?

Discussion in 'other security issues & news' started by brucemc, Sep 7, 2004.

Thread Status:
Not open for further replies.
  1. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Is there anything anyone can suggest that will run in a simple SOHO environment (NAT & personal firewalls) that would monitor contact from and to all and any of the computers within the SOHO (from the outside and between) and flag suspicious activity? I am thinking of a program that would monitor and log communications, that someone could look at the log and identify if these were likely initiated by a program that someone was running in the normal course or if perhaps some problem malware/backdoor is operating instead? With a wife that eBays too much and several children, I need some sort of watchdog that can monitor and report this kind of activity (at least I think I do), as what they will open from emails and websites they will visit and click on is beyond my ability to always control. If they invite a backdoor or trojan in and it is operating/being operated, I want a chance to detect it-

    I understand there are the programs that will log all in and out, but I am hopeful there is something more able to discriminate or simpler to use than seeing a log of everything for a 24-hour period; I would go nuts and blind.

    Any ideas?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  3. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Much as you have, I have this puppy loaded with defenses; to the point I joke about this 1GHz processor (OK, already way obsolete) with 1Gb RAM running like my first 8086 IBM True Blue loaded with 640Kb ran (and I remember when I upgraded it to 1Mb with an expansion card...). I have to believe somewhere there is a good program to flag me when 1) someone outside the system is accessing another computer inside this network and using it to access this computer, and 2) when some darn trojan collects data and calls home, even when it is from another computer within this network; there HAS to be something that will indicate these with high probability, right?

    That being said, one item I sure would also like an understanding of - Proxomitron. Mainly it's effective use. It appears the only area you are covering that I have no understanding as to the added security, and that tells me I might have a huge hole out there in my security (paranoia).

    I have sent a description of what I am trying to achieve to the folks at VisualWare, for if their personal software could monitor my little network like it monitors one machine, it would be most of the answer. I will advise upon their response, but as I am po (hence the 1GHz machine being my top end...), it will take time for me to find out how practically it works...
     
  4. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Intruders and malware have many different entry ways into your LAN and computer. That is what makes it important to have different tools (like those mentioned in the threads Blackspear posted) to monitor and secure various aspects of your computer. From what you have posted it is difficult to know just what kind of a program you are looking for.

    As you probably already know Windows has its own logging feature which can be accessed via Administrative Tools -> Local Security Policy. However for your needs it seems like it would require an extension of the logging features available in Windows or a type of log parser that is updated with common threats. Not only do I not know of a program that does this, but for numerous reasons I feel this just would not be effective in a Windows environment. There are far too many areas that would have to be monitored and logged. Far too many variables. Far too great a chance of false positives. Far too much updating needed by the developer.

    Keeping Windows updated, using a secure third party browser (like Mozilla Firefox or Opera) along with your firewalls should protect you from most common exploits. Having antivirus, antitrojan, and antispyware protection should protect you if anything happens to get through. If they use POP3 to check email you can use a secure email client and make sure you disable preview, block dangerous extensions for attachments, and have everything be shown in plain text. If they do open a dangerous attachment in the email client or even through web email your AV and AT should pick it up. It would also be wise to warn other users of your computers about the threats out there and the precautions they need to take.

    1)This is rather difficult to do if you are behind a NAT router and if your computers are also all protected with software firewalls. Do computers in your LAN have a trust relationship? Is there sharing between them? Your firewall logs should let you know of suspicious activity though.

    2)Antitrojan software should warn you of this on an individual computer. If you are looking for something different please elaborate. From your previous 2 points it seems like you are more concerned about one particular computer on your network. If it is possible I think it would be wise to secure the other computers on your network just as if they were this one critical computer.

    There are many security programs out there, each specializing in certain aspects of computer security. If you can specify what are your greatest concerns it will be very helpful. Just realize there is no single solution against all security threats.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi brucemc, in addition to what the others are saying, take a look at Port Explorer; this can show your network connections from each PC and allow you to sniff packets in and out of selected ports. A very useful utility.
    There's a free trial available here:
    http://www.diamondcs.com.au/portexplorer/

    Pilli
     
  6. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    I suspect if I set up the firewall on this main computer of concern to flag me whenever one of the other computers is communicating with it, and moreover if I can figure out why they are communicating with it and what they are doing at the time, I would be most of the way to what I want to accomplish. I also suspect that the 5 node version of VisualLookout is just what I had envisioned, and have the question in to their sales support. If it is, then my concern would be just how resource gobbling the program is for the performance hit I would take if I ran it also on the main, or perhaps I run it on one of the others and set it to notify me of any questionable activity. Last, but still important, is price. At about $150 for the 5 node version (my computer, my wife's and three out of the four daughters), though it seems a bargain for what it does, it still is steep for a home user who is just starting to come out from a three year financial beating...

    I will advise what I find-
     
  7. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    If there is no file sharing or any other reason why the computers on your network are communicating with your main computer then there should be no real traffic to analyze. Your firewall logs on your main computer should only show traffic from your router. And even then it should be quite minimal, mostly ICMP replies I believe.

    But from what I can tell it seems like you are looking more into the area of packet sniffers, network traffic analyzers, or an NIDS. I do have to question if one is really necessary for your home network. A large majority of the traffic will not be anything "interesting". And if it is, it is most likely already blocked by your firewall. I wrote a short post on NIDS' awhile ago and one of the main points that I want to make is this (quoting my original post)... A Network IDS is usually installed after the router and after the firewall. Correct placement of an IDS however is rather difficult. If placed incorrectly it can be seen as a liability. Mainly because an intruder will notice how all packets are being filtered through the IDS before reaching its destination. That is why I still recommend securing each individual computer and informing the users on your network of the dangers out there. By doing this even if your traffic analyzer/NIDS fails to alert you of dangerous activity, you can rest easy knowing you have other protection. And through Blackspear's post you can gain a good idea on what kinda tools are recommended. If you would like more recommendations feel free to ask. Pilli also made a good suggestion in using PortExplorer which is very user friendly and would be a very nice solution to put on your main computer. Ethereal might be another solution that you might want to look into, it is free too (http://ethereal.com/).
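A small worked version of the log triage rerun2 describes in both of his posts (the firewall log on the main PC should show almost nothing from the other LAN hosts, and a trojan that "calls home" is the other thing brucemc wants flagged), added here as an example; it is not code from the thread or from any of the products named in it. It reads a firewall log and prints only two kinds of events: another LAN host reaching the main PC on a port where no sharing is expected, and a LAN host connecting to the same outside host and port on a near-constant schedule, which is how a periodic "call home" looks in a log. The log line format, the 192.168.1.0/24 subnet, the router and main-PC addresses, the sample log lines and the 10% jitter threshold are all assumptions made for the example.

```python
"""Triage a home-firewall log down to the few events worth looking at.

Added example; the line format below is constructed for illustration and is
not the output of any particular firewall product:
    <ISO time> <ACTION> <PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed home subnet
ROUTER = ipaddress.ip_address("192.168.1.1")     # assumed NAT router
MAIN_PC = ipaddress.ip_address("192.168.1.10")   # the "main computer of concern"
EXPECTED_LAN_PORTS = set()                       # e.g. {445} if file sharing is expected
MAX_JITTER = 0.10                                # stdev/mean below this counts as periodic

# Constructed sample log: normal browsing, an ICMP reply from the router, a LAN
# host poking at the main PC, and one host-to-host connection every five minutes.
SAMPLE_LOG = """\
2004-09-07T08:00:01 ALLOW TCP 192.168.1.10:1034 -> 66.135.192.87:80
2004-09-07T08:00:05 ALLOW ICMP 192.168.1.1:0 -> 192.168.1.10:0
2004-09-07T08:05:00 ALLOW TCP 192.168.1.10:1040 -> 203.0.113.7:6667
2004-09-07T08:10:00 ALLOW TCP 192.168.1.10:1041 -> 203.0.113.7:6667
2004-09-07T08:12:30 BLOCK TCP 192.168.1.22:2201 -> 192.168.1.10:139
2004-09-07T08:12:31 BLOCK TCP 192.168.1.22:2202 -> 192.168.1.10:445
2004-09-07T08:15:00 ALLOW TCP 192.168.1.10:1042 -> 203.0.113.7:6667
2004-09-07T08:20:00 ALLOW TCP 192.168.1.10:1043 -> 203.0.113.7:6667
2004-09-07T09:00:00 ALLOW TCP 192.168.1.10:1050 -> 66.135.192.87:443
"""


def parse_line(line):
    """Split one log line into its fields (format is the assumed one above)."""
    ts, action, proto, src, _, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "time": datetime.fromisoformat(ts), "action": action, "proto": proto,
        "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
    }


def classify(ev):
    """Bucket a connection by where it came from and where it went."""
    if ev["dst"] == MAIN_PC and ev["src"] in LAN and ev["src"] != ROUTER:
        return "lan-to-main"          # another machine on the LAN touching the main PC
    if ev["src"] in LAN and ev["dst"] not in LAN:
        return "outbound"             # a LAN machine talking to the outside world
    if ev["src"] == ROUTER:
        return "router"               # expected background chatter (e.g. ICMP)
    return "other"


def analyze(log_text):
    """Return the short list of findings instead of the whole 24-hour log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # 1) Another LAN host reaching the main PC on a port where no sharing is expected.
    lan_hits = defaultdict(int)
    for ev in events:
        if classify(ev) == "lan-to-main" and ev["dport"] not in EXPECTED_LAN_PORTS:
            lan_hits[(str(ev["src"]), ev["dport"], ev["action"])] += 1
    for (src, port, action), n in sorted(lan_hits.items()):
        findings.append(f"LAN host {src} -> main PC port {port} ({action}) x{n}")

    # 2) Repeated outbound connections to the same host:port at a near-constant
    #    interval; a process that phones home on a timer leaves this pattern.
    outbound = defaultdict(list)
    for ev in events:
        if classify(ev) == "outbound":
            outbound[(str(ev["src"]), str(ev["dst"]), ev["dport"])].append(ev["time"])
    for (src, dst, port), times in sorted(outbound.items()):
        if len(times) < 4:            # need a few samples before calling it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean, spread = statistics.mean(gaps), statistics.pstdev(gaps)
        if mean > 0 and spread / mean < MAX_JITTER:
            findings.append(f"{src} -> {dst}:{port} every ~{int(mean)}s x{len(times)} "
                            f"(periodic, check which process opens it)")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample log this prints three lines: the two blocked attempts from 192.168.1.22 against ports 139 and 445 on the main PC, and the every-300-seconds connection to 203.0.113.7:6667; the ordinary web traffic and the router's ICMP reply are not reported. The periodicity check is deliberately crude (a plain stdev/mean ratio), and a finding only says which process to go and look at with a tool such as Port Explorer; it does not by itself prove anything is wrong.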
     
  8. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Pilli- As already a happily registered licensee of PG, I will check out Port Explorer.

    Rerun2- I think I best look into the Ethereal filters as I before loved the amount of info it provided, but found it overwhelming.

    Overall I suspect both of these will provide me with the info I wish, but I fear either deals more in a wealth of raw data, where optimally I wish for a targeted program running in the background with minimal resource use which will flag me when information was being read by any outside source, and if so, the process and possible request origination. I am halfway there if I configure my firewall to notify me on any request coming from within my network.

    I am starting to suspect that I am way too paranoid here - anyone who would spend time to target this system for an attack/crack is more nuts than I am. I wonder if any of those smilies I can attach are for a crazy person?
     
  9. brucemc

    brucemc Registered Member

    Joined:
    May 27, 2004
    Posts:
    44
    Pilli-

    Oooooo, with that "Hidden Server Detection" you folks come much in line with what VisualWare appears to offer, though I think with their software I can watch any attempts network-wide; not to say by the same means, but the end result looks very similar. Your thoughts? I figure you must know your competition better than I do-

    Oh, if your product didn't appear so directly applicable to my problem, I would probably be off in a rant/tirade right now over opportunistic advertising at you, but what can I say but "Thanks"?
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yeh, it is not a network tool as such, just a useful addition on any PC where you might want to analyse ports / packets, and the logging is good.

    Worth a try IMHO :)

    Enjoy your weekend. Pilli
     