Sniff Packets to remove Blacklist entries from CBL etc...

Posted on 2007-08-02
Last Modified: 2010-08-05
Firewall:  Smoothwall 2.0
Switches: Dlink (orange, green)
Servers: Windows 2000/2003 and Linux(Debian)
Workstations: (Windows XP sp2)
Email Server:  Exchange Server 2003

                   Cisco Router
                        |
                    (Red nic)
              Smoothwall Firewall
         (Orange nic)       (Green nic)
              |                  |
            Switch             Switch
              |                  |
             DMZ                LAN
              |                  |
           Servers          Workstations

The firewall server has three nics.  
- Red = Outside (cat5 from cisco router goes to this nic)
- Orange = DMZ (cat5 from 2nd nic goes to Dlink switch for dmz servers)
- Green = LAN (cat5 from 3rd nic goes to Dlink switch for workstations and other servers)

What I am trying to do is narrow down which system sent out the email (infected by either a virus/spamware/trojan/malware) and got our public IP on the blacklist.  The RED nic is set to the public IP that we were given, and all workstations inside the LAN are translated into this address when visiting anything on the internet.

Where is the best place to put a simple hub, and how should I place it, so I can capture the packets to see if there is a zombie or bot somewhere that could be using port 25?  The hub is a really old 10M one with a normal/uplink switch to use.



Question by: kshays

    Accepted Solution

    You're going to need to put the hub between the switch(es) and the firewall.  What you should probably do is deny outbound SMTP traffic from the workstations and permit SMTP out from your mail servers only.  Make the PCs relay from the servers and you've isolated the problem to your DMZ segment.

    Best luck.

    Author Comment

    I was just about to close this question yawns, but I will go ahead and accept your answer though :)  

    What I did was indeed put the old hub between the switch and the firewall and used Wireshark to capture the packets.  I basically used a filter "tcp port 25 and not ip host" and as soon as I clicked on start I found the trojan.  It showed the IP, so I did an nslookup on the IP and found the computer name, ran an antispyware and antivirus program, and it disinfected the virus.
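The same check as the capture filter above, done offline over saved tcpdump output instead of in Wireshark, as an added example that is not part of the original thread: it keeps only packets to TCP port 25, drops the host that is allowed to send mail (the Exchange server), and ranks the remaining LAN sources by how many distinct destination mail servers they tried to reach. The sample lines, the 192.168.1.0/24 LAN range and the 192.168.1.10 mail-server address are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed tcpdump-style lines (not a real capture), as seen from a hub
# sitting between the green (LAN) switch and the firewall.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 192.168.1.10.43210 > 203.0.113.25.25: Flags [S], seq 1, win 64240, length 0
10:01:02.000150 IP 192.168.1.45.51234 > 198.51.100.7.25: Flags [S], seq 2, win 64240, length 0
10:01:02.000300 IP 192.168.1.45.51235 > 198.51.100.8.25: Flags [S], seq 3, win 64240, length 0
10:01:02.000450 IP 192.168.1.45.51236 > 198.51.100.9.25: Flags [S], seq 4, win 64240, length 0
10:01:02.000600 IP 192.168.1.77.50000 > 203.0.113.80.80: Flags [S], seq 5, win 64240, length 0
10:01:02.000750 IP 192.168.1.10.43211 > 203.0.113.26.25: Flags [S], seq 6, win 64240, length 0
"""

# Pulls "src.sport > dst.dport:" out of a tcpdump IPv4 line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def smtp_talkers(capture_text, allowed_senders, lan_cidr="192.168.1.0/24"):
    """Return {src_ip: number_of_distinct_port25_destinations} for every LAN
    host that is not on the allowed-sender list. A workstation that talks to
    many different mail servers is the usual sign of a spam bot behind NAT.
    The default LAN range is an assumption for this example."""
    lan = ip_network(lan_cidr)
    seen = {}
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dport") != "25":
            continue  # not SMTP, same as the "tcp port 25" filter
        src = ip_address(m.group("src"))
        if src not in lan or str(src) in allowed_senders:
            continue  # outside the LAN, or the mail server ("not host ...")
        seen.setdefault(str(src), set()).add(m.group("dst"))
    return {src: len(dsts) for src, dsts in seen.items()}


if __name__ == "__main__":
    # Assumed: only the Exchange server may send mail directly.
    suspects = smtp_talkers(SAMPLE_CAPTURE, {"192.168.1.10"})
    for src, count in sorted(suspects.items(), key=lambda kv: -kv[1]):
        print(f"{src} contacted {count} distinct mail servers on port 25")
```

Feed it real `tcpdump -n` output and resolve the top source with nslookup, as the author did, to get the machine name.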
