eric at austinconventioncenter.com
2006-Oct-10 15:38 UTC
[CentOS] antivirus sniffer/scanner for networks
Is anyone aware of a package that can detect viri on the network & possibly alert when there are? Here is the scenario: Our network is utilized by guest users all the time, sometimes into the thousands. We see guests from all over with a variety of OSs & hardware, over which we have no control or say in the matter.

I am looking for something that I can run in promiscuous mode and/or on a span port that will sniff for viri and then alert/log when it sees a virus. We can then track down the culprit's IP/MAC, shut off the switch port he/she is connected to, and then visit with the guest to help them clean their machine. Given the nature of our network and our guests' needs, an inline solution is not an option.

Although I recall that squid supports WCCP, I'm not sure that it would do what I am requesting. I also looked at snort+libclamav, but the info was inconclusive. We are a CentOS shop and I have a spare dual Xeon box that I can use for the task.

Thanks,
Eric
centos at 911networks.com
2006-Oct-10 16:27 UTC
[CentOS] antivirus sniffer/scanner for networks
On Tue, 10 Oct 2006 10:38:58 -0500 (CDT) eric at austinconventioncenter.com wrote:

> Here is the scenario: Our network is utilized by guest users all
> the time, sometimes into the thousands. We see guests from all over
> with a variety of OSs & hardware, all of which, we have no control
> or say in that matter.
>
> I am looking for something that I can run in promiscuous mode
> and/or on a span port that will sniff for viri and then alert/log
> when it sees a virus.

I was faced with the same situation and I have gone a completely different route. Every day, one of my customers has 'guests' in the various board rooms and meeting rooms. There is always somebody with viruses or spyware, and then they call me to help them or to fix their laptops.

What I did is: change the network! The firewall/gateway inside interface has 2 separate IP addresses in different classes:

* The company employees are in 10.0.0.0/16
* The visitors are in 172.20.0.0/16

All employees' computers must have a registered MAC address. It's some work, but that's the only way to go, and yes, it can scale to thousands of users. The DHCP servers will serve them an IP address in the 10.0/16 address space. All computers with a non-registered MAC address will get an IP in the 172.20/16 address space. Their default gateway is the secondary IP address of the gateway.

I have VLANs and maxport in place on the switches to control how many people can connect to a physical port and what they can do on the network. The only thing the non-registered users can access is the Internet; they cannot access any of the internal resources [including printers], and cannot infect or attack any of the internal network. If they want to print, they can supply us with a PDF file, and reception will print it for them [tried having an HP printer in one of the board rooms, but too many people did not have the correct driver.]

If you still want to run an antivirus at the layer 2 level, Cisco has ASA boxes that will do some antivirus. They do not have a full listing of all the viruses, but a select few hundred, the more recent/prevalent ones.

Hope this helps.

-- 
Thanks
http://www.sqlhacks.com
The SQL knowledge base
You need to span/mirror the traffic from your distribution switch(es) to an Ethernet card appropriate for the size of traffic you see (0-100 Mbps: 100 Mbps Ethernet; 100-1000 Mbps: gigabit), and then run Snort with all of the plugins to look for malicious traffic.

There aren't really network "virus" scanners so much as there are IDS detection programs which will detect the traffic signatures of the worm/malware spreading software and alert you. Viruses are generally local host problems, but the 'spreading' of them you CAN detect.

HTH.

-Drew
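Drew's approach yields IDS alerts from the SPAN port, and Eric's plan is to trace each alert back to the guest's IP and MAC before visiting the switch port. As an added example (not code from the thread or from Snort/dhcpd), the Python below correlates constructed Snort fast-format alert lines with a constructed ISC dhcpd.leases file and lists repeat offenders with their MAC addresses; the sids, addresses and MACs are all placeholders, and the lease parser keeps only the latest active binding per IP because dhcpd appends to the file rather than rewriting it.

```python
import re
from collections import Counter, defaultdict

# Constructed dhcpd.leases sample (not from the thread). dhcpd appends entries,
# so the last active lease seen for an IP is its current binding.
LEASES = """
lease 172.20.3.17 {
  binding state active;
  hardware ethernet 00:0c:29:ab:cd:ef;
}
lease 172.20.3.17 {
  binding state active;
  hardware ethernet 00:16:17:aa:bb:cc;
}
lease 172.20.9.4 {
  binding state active;
  hardware ethernet 00:19:d2:11:22:33;
}
"""
# Constructed Snort fast-format alert lines; sids 1000001/1000002 are local-rule placeholders.
ALERTS = """\
10/10-15:38:58.123456  [**] [1:1000001:1] LOCAL worm-like SMB scan [**] [Priority: 2] {TCP} 172.20.3.17:3421 -> 10.0.0.5:445
10/10-15:38:58.223456  [**] [1:1000001:1] LOCAL worm-like SMB scan [**] [Priority: 2] {TCP} 172.20.3.17:3422 -> 10.0.0.6:445
10/10-15:39:01.000000  [**] [1:1000002:1] LOCAL outbound SMTP burst [**] [Priority: 2] {TCP} 172.20.9.4:1100 -> 198.51.100.25:25
10/10-15:39:05.000000  [**] [1:1000001:1] LOCAL worm-like SMB scan [**] [Priority: 2] {TCP} 172.20.3.17:3423 -> 10.0.0.7:445
"""
LEASE_RE = re.compile(r"lease (\S+) \{(.*?)\}", re.S)          # one lease block
MAC_RE = re.compile(r"hardware ethernet ([0-9a-f:]{17});")     # MAC inside a block
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (.+?) \[\*\*\].*?\{\w+\} (\d+(?:\.\d+){3}):\d+ -> ")

def parse_leases(text):
    """Map IP -> MAC from dhcpd.leases; later entries override earlier ones."""
    ip_to_mac = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        if mac and "binding state active" in body:
            ip_to_mac[ip] = mac.group(1)
    return ip_to_mac

def offenders(alert_text, ip_to_mac, threshold=2):
    """Sources with >= threshold alerts, as (ip, mac, count, rule messages)."""
    counts, msgs = Counter(), defaultdict(set)
    for line in alert_text.splitlines():
        if m := ALERT_RE.search(line):
            msg, src = m.groups()
            counts[src] += 1
            msgs[src].add(msg)
    return [(src, ip_to_mac.get(src, "unknown"), n, sorted(msgs[src]))
            for src, n in counts.most_common() if n >= threshold]
```

On a real box, feed it the contents of Snort's alert file and /var/lib/dhcpd/dhcpd.leases; a source whose MAC comes back "unknown" has no lease and is worth a look on its own, since it may be a statically addressed or spoofing host.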
centos at 911networks.com
2007-Apr-25 15:57 UTC
[CentOS] antivirus sniffer/scanner for networks
On Tue, 10 Oct 2006 10:38:58 -0500 (CDT) eric at austinconventioncenter.com wrote:

> Here is the scenario: Our network is utilized by guest users
> all the time, sometimes into the thousands. We see guests from
> all over with a variety of OSs & hardware, all of which, we have
> no control or say in that matter.
>
> I am looking for something that I can run in promiscuous mode
> and/or on a span port that will sniff for viri and then
> alert/log when it sees a virus. We can then track down the
> culprits' ip/mac and shut off the switch port he/she is
> connected to and then visit with the guest to help them clean
> their machine.

I think the first thing to look at is network design, with proper design such as VLANs, secondary IP addresses, and proper DHCP config. I have a similar requirement, but not as large. I have daily guests [dozens]; with VLANs and DHCP they can access the internet, but have absolutely no access to, and cannot damage, any of the internal resources.

-- 
Thanks
http://www.911networks.com
When the network has to work