Security Basics mailing list archives

Re: starting point


From: Kevin Johnson <kjohnson () secureideas net>
Date: Mon, 17 Apr 2006 22:27:20 -0400


On Apr 14, 2006, at 3:30 AM, nemanja.janic () gmail com wrote:

> Hi list,
> I've been lurking around for some time now, trying to keep up with the posts, as I'm new to the whole field of security.

Always a mountain of information to keep up with.<grin>  Good luck!

> I would appreciate some pointers from you guys. I administer a small network of some 100 computers, and would like to start monitoring our web traffic with ethereal...

Are you looking at running Ethereal on the web server? Or have you spanned the traffic over to the box Ethereal is running on? I would recommend the second. Another idea would be to run tcpdump or windump on the web server and have it write to a file. You can then use Ethereal or a multitude of other tools to read this file and see what happened. (I will list some at the bottom.)

> The problem is that I do not know what to look for, and I'm not sure how to interpret what I see. Where do I start, what papers or books do I read, in order to better understand what Ethereal tells me when I look at the results of monitoring?

I definitely recommend TCP/IP Illustrated Vol. 1 by Richard Stevens. I can also recommend SANS Track 3 with Mike Poor, if you have the money. SANS also has a 1 day class called Mastering Packet Analysis.

> I played with filters, and have grown comfortable with using them, as well as most of the options Ethereal gives me. I think I'm ready for the next step :) Any pointers to interesting filter strings, examples of normal and strange traffic would really be a great help.

Check out the Honeynet Project for captures of interesting traffic you can analyze.

> I hope I haven't posted this on the wrong list :)

Seems to fit the list as I see it. ;)

Some tools to try out (Google should find all of these, or write me):
        * ngrep
        * chaosreader
        * Snort (It will read a pcap file.)
        * httptop (interesting)
        * ntop (for netflows)

Hope that helps get you going!
Kevin Johnson
GCIA, GCIH, CEH
---------------------
BASE Project Lead
http://sourceforge.net/projects/secureideas
http://base.secureideas.net
The next step in IDS analysis!
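As a follow-up to the capture-to-file suggestion in the reply above, here is an added example (not part of the original thread, and not one of the tools listed) that reads a libpcap file in pure Python, pulls out HTTP request lines and flags requests that deviate from what a web server should normally see. The frame(), build_pcap(), http_requests() and oddities() functions, the 10.0.0.x addresses and the sample requests are all constructed for the example.

```python
import struct

METHODS = {b'GET', b'POST', b'HEAD', b'PUT', b'DELETE', b'OPTIONS'}

def frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying payload (checksums left zero; fine for parsing)."""
    ipv4 = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                       bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b'\x00' * 12 + b'\x08\x00' + ipv4 + tcp + payload

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (magic 0xa1b2c3d4, linktype 1 = Ethernet)."""
    header = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    return header + b''.join(struct.pack('<IIII', 0, 0, len(f), len(f)) + f for f in frames)

def http_requests(data):
    """Return (src, dst, dport, request line) for every TCP segment that starts with an HTTP request."""
    end = '<' if struct.unpack_from('<I', data)[0] == 0xa1b2c3d4 else '>'  # pcap may be either byte order
    off, found = 24, []
    while off + 16 <= len(data):
        caplen = struct.unpack_from(end + 'IIII', data, off)[2]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b'\x08\x00' or pkt[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        tcp = pkt[14 + (pkt[14] & 0x0f) * 4:]          # skip IP header (IHL is in 32-bit words)
        if len(tcp) < 20:
            continue
        line = tcp[(tcp[12] >> 4) * 4:].split(b'\r\n', 1)[0]   # first line of the TCP payload
        if line.split(b' ')[0] in METHODS:
            src = '.'.join(map(str, pkt[26:30]))
            dst = '.'.join(map(str, pkt[30:34]))
            found.append((src, dst, (tcp[2] << 8) | tcp[3], line.decode('ascii', 'replace')))
    return found

def oddities(requests, web_ports=(80, 8080)):
    """Requests worth a second look: unexpected destination port or path traversal in the URI."""
    return [r for r in requests if r[2] not in web_ports or '../' in r[3]]

# Constructed sample capture: two ordinary requests and two that oddities() should flag.
SAMPLE = build_pcap([
    frame('10.0.0.5', '10.0.0.80', 40001, 80, b'GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n'),
    frame('10.0.0.6', '10.0.0.80', 40002, 80, b'POST /login HTTP/1.1\r\nHost: www\r\n\r\n'),
    frame('10.0.0.7', '10.0.0.80', 40003, 80, b'GET /../../etc/passwd HTTP/1.0\r\n\r\n'),
    frame('10.0.0.8', '10.0.0.80', 40004, 8888, b'GET / HTTP/1.1\r\n\r\n'),
])
```

Point http_requests() at the bytes of a real tcpdump -w file to get the same tuples from live traffic; the same loop is where a display-filter-style check on host or URI would go.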


