Sniff Packets to remove Blacklist entries from CBL etc...
Posted on 2007-08-02
Firewall: Smoothwall 2.0
Switches: Dlink (orange, green)
Servers: Windows 2000/2003 and Linux(Debian)
Workstations: (Windows XP sp2)
Email Server: Exchange Server 2003
Smoothwall Firewall (Red nic, Orange nic, Green nic)
The firewall server has three nics.
- Red = Outside (cat5 from cisco router goes to this nic)
- Orange = DMZ (cat5 from 2nd nic goes to Dlink switch for dmz servers)
- Green = LAN (cat5 from 3rd nic goes to Dlink switch for workstations and other servers)
What I am trying to do is narrow down which system sent out the email (infected by either a virus/spamware/trojan/malware) and got our public IP on the blacklist. The RED nic is set to the public IP that we were given, and all workstations inside the LAN are translated into this address when visiting anything on the internet.
Where is the best place, and how do I place a simple hub, so I can capture the packets to see if there is a zombie or bot somewhere that could be using port 25? The hub is a really old 10M one with a normal/uplink switch to use.
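Once the hub sits between the firewall's Green nic and the LAN switch (a hub repeats every frame to every port, so a laptop on the hub sees all LAN-to-firewall traffic before NAT hides the real source), the capture still has to be reduced to "which inside host opens outbound port 25 connections other than the Exchange box". The script below is an added example, not from the original post: it assumes tcpdump text output from a hypothetical capture interface `eth1`, a hypothetical mail server address `192.168.1.10`, and constructed sample lines; the addresses are placeholders, not the poster's network.

```shell
#!/bin/sh
# Added example: count new outbound SMTP (TCP/25) connections per internal source
# host from tcpdump text output taken on the hub between the Green nic and the switch.
# All addresses are constructed placeholders (RFC 1918 / RFC 5737), not real hosts.

# Hypothetical address of the legitimate mail server (Exchange); it is allowed
# to open port 25 outbound, so it is excluded from the suspect list.
MAIL_SERVER="192.168.1.10"

# Constructed sample of what this capture would print (SYN packets only, i.e.
# connection attempts, so established sessions are not counted twice):
#   tcpdump -nn -i eth1 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 25'
SAMPLE_CAPTURE='12:01:03.112233 IP 192.168.1.10.3456 > 203.0.113.25.25: Flags [S], seq 1, win 65535, length 0
12:01:04.200000 IP 192.168.1.57.1034 > 198.51.100.7.25: Flags [S], seq 2, win 65535, length 0
12:01:04.300000 IP 192.168.1.57.1035 > 198.51.100.8.25: Flags [S], seq 3, win 65535, length 0
12:01:04.400000 IP 192.168.1.57.1036 > 203.0.113.99.25: Flags [S], seq 4, win 65535, length 0
12:01:05.000000 IP 192.168.1.23.2222 > 203.0.113.40.25: Flags [S], seq 5, win 65535, length 0'

# smtp_senders: read tcpdump lines on stdin, keep packets whose destination
# port is 25, strip the source port, drop the mail server, and print
# "count source-ip" lines with the busiest host first.
smtp_senders() {
  awk -v skip="$MAIL_SERVER" '
    $2 == "IP" && $5 ~ /\.25:$/ {
      src = $3
      sub(/\.[0-9]+$/, "", src)        # remove the ephemeral source port
      if (src != skip) count[src]++
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -rn
}

# top_suspect: the internal host with the most outbound SMTP connection attempts.
top_suspect() {
  printf '%s\n' "$SAMPLE_CAPTURE" | smtp_senders | head -n 1 | awk '{print $2}'
}

# count_senders: how many distinct non-mail-server hosts tried to reach port 25.
count_senders() {
  printf '%s\n' "$SAMPLE_CAPTURE" | smtp_senders | awk 'END { print NR }'
}

# Stand-alone run: show the per-host summary for the constructed capture.
printf '%s\n' "$SAMPLE_CAPTURE" | smtp_senders
```

On a live capture, pipe tcpdump into `smtp_senders` instead of the embedded sample; a workstation that opens many port 25 connections to many different destinations in a short window is the usual signature of spam-sending malware, whereas the Exchange server is the only host that should be doing that. Two practical caveats: a 10 Mbps hub placed in line will throttle a 100 Mbps link, so use it during a quiet period or on the Orange segment first, and the capture must be taken on the inside of the firewall, since on the Red side every host already appears as the single public address.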