Sniff Packets to remove Blacklist entries from CBL etc...

Posted on 2007-08-02
Medium Priority
Last Modified: 2010-08-05
Firewall:  Smoothwall 2.0
Switches: Dlink (orange, green)
Servers: Windows 2000/2003 and Linux(Debian)
Workstations: (Windows XP sp2)
Email Server:  Exchange Server 2003

                  Cisco Router
   Smoothwall Firewall (Red nic, Orange nic, Green nic)
                    |              |
                  Switch         Switch
                    |              |
                   DMZ            LAN
                    |              |
                 Servers      Workstations

The firewall server has three nics.  
- Red = Outside (cat5 from cisco router goes to this nic)
- Orange = DMZ (cat5 from 2nd nic goes to Dlink switch for dmz servers)
- Green = LAN (cat5 from 3rd nic goes to Dlink switch for workstations and other servers)

What I am trying to do is narrow down which system sent out the email (infected by either a virus/spamware/trojan/malware) and got our public IP on the blacklist.  The RED nic is set to the public IP that we were given and all workstations inside the LAN are translated into this address when visiting anything on the internet.

Where is the best place, and how do I place a simple hub, so I can capture the packets to see if there is a zombie or bot somewhere that could be using port 25?  The hub is a really old 10m with a normal/uplink switch to use.



Question by:Kevin Hays

Accepted Solution

yawns earned 2000 total points
ID: 19625409
You're going to need to put the hub between the switch(es) and the firewall. What you should probably do is deny outbound SMTP traffic from the workstations and permit SMTP out from your mail servers only. Make the PCs relay from the servers and you've isolated the problem to your DMZ segment.

Best luck.

Author Comment

by:Kevin Hays
ID: 19625491
I was just about to close this question yawns, but I will go ahead and accept your answer though :)  

What I did was indeed put the old hub between the switch and the firewall and used Wireshark to capture the packets.  I basically used a filter " tcp port 25 and not ip host" and as soon as I clicked on start I found the trojan.  It showed the IP so I did an nslookup on the IP and found the computer name, ran an antispyware and antivirus program, and it disinfected the virus.
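
The triage described in this thread, as an added example that is not part of the original posts: it reads `tcpdump -nn` text output captured on the inside of the firewall and lists every host other than the mail server that opens connections to port 25, ranked by how many distinct destinations it contacted. The addresses, the mail server IP and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn 'tcp port 25'` output taken inside the firewall.
# All addresses are made up; 192.168.2.5 stands in for the Exchange server.
SAMPLE = """\
10:15:01.100001 IP 192.168.2.5.40112 > 198.51.100.7.25: Flags [S], seq 100, win 5840, length 0
10:15:02.200002 IP 192.168.1.23.1045 > 203.0.113.9.25: Flags [S], seq 200, win 65535, length 0
10:15:02.250002 IP 203.0.113.9.25 > 192.168.1.23.1045: Flags [S.], seq 900, ack 201, win 5840, length 0
10:15:02.260002 IP 192.168.1.23.1045 > 203.0.113.9.25: Flags [.], ack 901, win 65535, length 0
10:15:03.300003 IP 192.168.1.23.1046 > 198.51.100.44.25: Flags [S], seq 300, win 65535, length 0
10:15:03.400004 IP 192.168.1.23.1047 > 203.0.113.80.25: Flags [S], seq 400, win 65535, length 0
10:15:04.500005 IP 192.168.1.40.2210 > 198.51.100.7.25: Flags [S], seq 500, win 65535, length 0
"""

# timestamp, "IP", src.port > dst.port:, then the TCP flags in brackets
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def smtp_talkers(text, mail_servers):
    """Map each non-mail-server source to the set of hosts it opened SMTP to."""
    talkers = defaultdict(set)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["dport"] != "25":
            continue  # unparsable line, or a reply coming back from port 25
        # Count connection attempts only: SYN set, ACK ('.') not set.
        if "S" not in m["flags"] or "." in m["flags"]:
            continue
        if m["src"] in mail_servers:
            continue  # the mail server is expected to send mail
        talkers[m["src"]].add(m["dst"])
    return dict(talkers)

def report(text, mail_servers):
    """(source, distinct destination count) pairs, busiest source first."""
    rows = [(s, len(d)) for s, d in smtp_talkers(text, mail_servers).items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for src, n in report(SAMPLE, {"192.168.2.5"}):
        print(f"{src} opened SMTP to {n} distinct hosts")
```

A workstation that appears here at all is worth a look when clients are supposed to relay through the mail server, and one contacting many distinct hosts on port 25 is the usual sign of a spam bot.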


