Network based virus scanner?

Shadowspawn

[H]ard|Gawd
Joined
Sep 17, 2002
Messages
1,870
I am running a small hotspot with about 200 customers. My partner and I do a lot of manual work watching for customers with too many connections and/or too high of a download/upload ratio to try to control virus outbreaks/p2p junkies and share the bandwidth for everyone.

I need a way to actively monitor the network for virus and p2p activity. I am aware of Wireshark but have not dug deeply enough into it to see if it meets my needs.

I was hoping some of my fellow network gurus have had experience with this type of sensor and can point me in the right direction.

The ideal solution would be capable of sitting on a spanned port off of a Cisco switch that feeds my gateway and report on any virus signatures/p2p activity that it picks up. It should hopefully be open source but I can afford to pay for a lightweight package as well. I can dedicate a Linux or Windows server for this purpose.

Anybody have a suggestion?
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
I'd take a UTM appliance approach, have the firewall do the scanning, and have a firewall that can block traffic on the application level...such as shut down p2p traffic.
 

Shadowspawn

[H]ard|Gawd
Joined
Sep 17, 2002
Messages
1,870
We are running a bluecoat packetshaper that eliminates...no, too strong...reduces p2p traffic.

Rather than block it outright we are giving it so little traffic that the dumber users think it simply isn't worth it. At least that is the hope. We don't want to block outright because they will simply use common ports, like 80, and be much harder to track.

My partner is working on setting up a UTM to replace our inside router...but there is a captive portal (sputnik) running below the internal router on a DDWRT x86 box that is NATing...so while it will see the traffic and block it, I can't pinpoint an internal LAN IP address and beat on someone's door.

If I had the ability to scan within the LAN, before the portal, then I can pinpoint a MAC and IP address and the specific account that is being disobedient.

I have heard of snort before...I will check into it. Thanks for the tip.
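
An added example, not part of any poster's message: a minimal sketch of automating the manual check described above (too many connections, lopsided upload/download volume) from a vantage point inside the LAN, before the NATing portal, so each flag still carries the client's MAC and LAN IP. The flow records, addresses and thresholds are constructed assumptions, not output from Snort or any tool named in the thread.

```python
from collections import defaultdict

# Constructed sample flow records as a sensor on a SPAN port inside the LAN
# might summarize them:
# (client MAC, client LAN IP, remote IP, remote port, bytes up, bytes down)
FLOWS = [
    ("aa:aa:aa:00:00:01", "10.0.0.11", "198.51.100.7", 443, 4_000, 90_000),
    ("aa:aa:aa:00:00:01", "10.0.0.11", "198.51.100.9", 80, 2_000, 40_000),
] + [
    # One client talking to 40 different remote hosts and uploading heavily.
    ("aa:aa:aa:00:00:02", "10.0.0.12", f"203.0.113.{i}", 6881 + i, 50_000, 5_000)
    for i in range(1, 41)
]

MAX_PEERS = 30       # assumed threshold: distinct remote hosts per client
MAX_UP_RATIO = 1.0   # assumed threshold: total bytes up / total bytes down


def flag_clients(flows, max_peers=MAX_PEERS, max_up_ratio=MAX_UP_RATIO):
    """Return {(mac, lan_ip): [reasons]} for clients over either threshold."""
    peers = defaultdict(set)
    up = defaultdict(int)
    down = defaultdict(int)
    for mac, ip, remote, _port, b_up, b_down in flows:
        key = (mac, ip)          # attribution is only possible before NAT
        peers[key].add(remote)
        up[key] += b_up
        down[key] += b_down

    flagged = {}
    for key in peers:
        reasons = []
        if len(peers[key]) > max_peers:
            reasons.append(f"{len(peers[key])} distinct peers")
        ratio = up[key] / max(down[key], 1)   # avoid dividing by zero
        if ratio > max_up_ratio:
            reasons.append(f"upload/download ratio {ratio:.1f}")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for (mac, ip), reasons in flag_clients(FLOWS).items():
        print(mac, ip, "; ".join(reasons))
```

Keyed on MAC alone, a client that changes its MAC address shows up as a new entry, so the thresholds only help if they are evaluated over a short window and tied back to the portal account.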
 

DragonNOA1

Supreme [H]ardness
Joined
Aug 15, 2004
Messages
4,301
IDS/IPS like Snort with PVLANs (so as not to affect others) seem like the way to go. Should be right in your price range. Maybe some sort of QoS if bandwidth is becoming a problem.
 

Shadowspawn

[H]ard|Gawd
Joined
Sep 17, 2002
Messages
1,870
Between the Bluecoat and the Appliansys Cachebox I think we are getting the maximum we can out of our dedicated 2.5mb down and 768kb up, all things considered.

Our users are not the most intelligent lot. We know there are many viruses floating out on the LAN, a few p2p users and at least one MAC user that considers himself rather [H] and keeps spoofing a new MAC address every time we block him.

I've learned quite a bit since taking over this little business...more than I have learned in my network administration job. I am forced to learn a bit about security and system administration to stay on top of it all.

I'm reading about Snort now. Looks like I have some more to learn....
 

Robert_Whited

[H] News Editor
Joined
Mar 6, 2010
Messages
61
Snort boxes roxes. Wireshark is a good monitor.

Doesn't Tomato enable you to bandwidth monitor each IP connected?
 

Deleted member 12106

Guest
I'd take a UTM appliance approach, have the firewall do the scanning, and have a firewall that can block traffic on the application level...such as shut down p2p traffic.

Ditto.

If you're running the hotspot for wifi, I'd pick up Untangle and take a look at the protocol control.

It comes with a free AV also, and you can get Kaspersky also. However, I would just block all the protocols for file sharing and p2p.
 