
Deep Packet Scanning???

Status
Not open for further replies.

terminaljunkie

Technical User
Jul 24, 2003
17
GB
Hi,

Sorry but I cannot find an appropriate group for this, and anyway the Cisco types always seem the best qualified to answer.

We have a search engine which gets up to 20 requests per second from public domain searches. We used to block, via IP address, any persistent 'data miners' who would script requests to build up a pool of their own data.

Recently, however, the 'data miners' simply spoof their IP address with every request, also changing their search qualifiers (business and area), making traces and trapping a nightmare.

Is there any way of deep scanning network packets to find some fundamental identifier from any single point of origin (like a MAC address, I guess), or am I wasting my time and yours?

Cheers for any help / advice or comforting words........


Best Regards,

<*>terminaljunkie<*>
 
A good sniffer and an IDS system would be in order. Use the sniffer to build a baseline of traffic and when you see a packet that is questionable, dig into it and try to find a fingerprint. Even if the packet is spoofed, there are certain things that will stand out. The IDS can have a rule built to look for these packets and then send a TCP RST (reset) to whack the connection or to shun them at the firewall... or... or... Get a copy of Snort; I would suggest PureSecure as the test since the install script is so clean and also configures the Apache and MySQL along with Snort. Check the Snort rules database at the Snort site, they might have a rule already close to what you want. You can pull the pattern, port etc. from the Snort rule and use it to build custom sniffer filters.

MikeS


Find me at
"Take advantage of the enemy's unreadiness, make your way by unexpected routes, and attack unguarded spots."
Sun Tzu
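An added example, not code from this thread or from Snort or PureSecure, of the "find a fingerprint even when the address changes" idea MikeS describes, applied at the web-server log layer rather than in packet captures. It assumes the requests complete a TCP handshake and reach the search engine (a request whose source address is genuinely forged never gets the SYN-ACK back, so rotating addresses that do complete requests are more likely proxies or a pool of hosts); it then deliberately ignores the source IP and keys on attributes the scripted client tends to keep constant (User-Agent, HTTP version, presence of a Referer). The log lines, the combined-log regex, and the thresholds `max_rps` and `min_ips` are constructed assumptions, not the poster's data.

```python
import re
from collections import defaultdict

# Apache "combined" style access-log line (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six requests in the same second from six different
# addresses, each with a different business/area query, all sharing the same
# client characteristics; two ordinary browser requests; one junk line.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=plumber&area=leeds HTTP/1.0" 200 512 "-" "Python-urllib/1.16"
203.0.113.9 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=baker&area=york HTTP/1.0" 200 498 "-" "Python-urllib/1.16"
192.0.2.44 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=garage&area=hull HTTP/1.0" 200 501 "-" "Python-urllib/1.16"
198.51.100.8 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=florist&area=bath HTTP/1.0" 200 477 "-" "Python-urllib/1.16"
203.0.113.10 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=tailor&area=derby HTTP/1.0" 200 523 "-" "Python-urllib/1.16"
192.0.2.45 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=vet&area=stoke HTTP/1.0" 200 490 "-" "Python-urllib/1.16"
192.0.2.200 - - [24/Jul/2003:10:00:00 +0100] "GET /search?biz=cafe&area=leeds HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.200 - - [24/Jul/2003:10:00:03 +0100] "GET /search?biz=pub&area=leeds HTTP/1.1" 200 2100 "http://example.com/search" "Mozilla/4.0 (compatible; MSIE 6.0)"
this line is not a log record and is skipped
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def fingerprint(rec):
    """Identity of the client that does NOT depend on its source address."""
    return (
        rec["ua"],
        rec["proto"],
        "no-referer" if rec["referer"] == "-" else "referer",
    )


def find_scripted_clients(lines, max_rps=5, min_ips=3):
    """Flag fingerprints whose peak one-second request rate exceeds max_rps
    while spread across at least min_ips distinct source addresses.
    Timestamps in this format have one-second resolution, so grouping by the
    raw timestamp string gives per-second buckets."""
    per_fp = defaultdict(lambda: {"ips": set(), "per_second": defaultdict(int)})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are ignored rather than crashing the scan
        fp = fingerprint(rec)
        per_fp[fp]["ips"].add(rec["ip"])
        per_fp[fp]["per_second"][rec["ts"]] += 1

    flagged = {}
    for fp, info in per_fp.items():
        peak = max(info["per_second"].values())
        if peak > max_rps and len(info["ips"]) >= min_ips:
            flagged[fp] = {"peak_rps": peak, "distinct_ips": len(info["ips"])}
    return flagged


if __name__ == "__main__":
    for fp, stats in find_scripted_clients(SAMPLE_LOG.splitlines()).items():
        print("suspect fingerprint:", fp, stats)
```

The fingerprint tuple is the thing to tune: once a baseline of normal browser traffic is captured, whatever the scripted client keeps constant (here the User-Agent, the HTTP/1.0 version and the absent Referer) becomes the key, and the same attributes can be lifted into an IDS or sniffer filter as MikeS suggests, with the source address left out of the match.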
 
I would suggest having a look at an intrusion detection system, or possibly this could be done with the Cisco router-based Network Based Application Recognition (NBAR); may be worth reading up on these?
 