-2

I want to check my network intrusion detection system (physical intrusion like unauthorized gadgets or devices in wifi/ethernet). Until now everything is ok, but I was wondering: if I block every query to my server with iptables, will my server still detect the intrusion? Is there a way to test this, or is it just plainly ridiculous?

Clarification:

I use a server that keeps scanning the entire network (using pings and listening for packets using tcpdump) looking for any new device that connects to the network, and generates a report. What I'm trying to test is: if I configure a device to ignore the probes of the server, can it still be detected?

Extensive explication:

Actually, I do both passive and active scans of the network. Passive: listening for weird packets from unauthorized devices; active: pinging random addresses to find anyone that might be just listening. So, it is actually safe enough, right?

3
  • 1
    Can you clarify what you're trying to do exactly? It seems like you're trying to keep unauthorized devices off a network, but how does the server fit in? It doesn't seem to be related.
    – Xander
    Commented Jul 6, 2013 at 0:45
  • It may be a good idea to let the switches do this work because they know if there is a device connected and what MAC address it has.
    Commented Jul 6, 2013 at 8:16
  • @HendrikBrummermann bad news is that my switches don't have that functionality (I checked out manuals just now), any recommendation on what kind of switches I would look for?
    – Braiam
    Commented Jul 6, 2013 at 12:23

2 Answers

0

If I am reading this correctly, you have a server sniffing traffic on a network and would like to test the setup by blacklisting the server on a 'rogue' client device.

The sniffing server should be able to pick up broadcast traffic like DHCPREQUEST and ARP from the client even if the client will not directly respond to the sniffing server in any way.

Your active probes can be actively blocked by a properly savvy rogue user and client device. If the device does ANYTHING on the network or internet while connected, the passive listening should find at the very least ARP requests from the rogue device. It will be VERY difficult to detect a rogue device that is JUST listening and never sending traffic onto the wire.

1
  • Ok, then I will edit your response to reflect that it answers my question about the safety of my network.
    – Braiam
    Commented Jul 6, 2013 at 22:38
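As an added example (not code from the original answer or poster), here is how a passive listener can flag a device from the broadcast ARP it sends when it first talks on the LAN, regardless of whether it answers the server's probes. The MAC addresses, IPs and inventory are constructed values, and the frames are built inline rather than captured with tcpdump:

```python
import struct
from ipaddress import IPv4Address

# Inventory of known-good devices (constructed sample values, not from the original post)
AUTHORIZED_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp_request(src_mac, src_ip, target_ip):
    """Build the broadcast ARP 'who-has' frame a host emits before it can reach anyone."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    eth = ETH_HDR.pack(b"\xff" * 6, src, ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 1, src, IPv4Address(src_ip).packed,
                       b"\x00" * 6, IPv4Address(target_ip).packed)
    return eth + arp

def parse_arp_sender(frame):
    """Return (sender MAC, sender IP) for an ARP frame, or None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, _oper, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return mac_str(sha), str(IPv4Address(spa))

def find_rogues(frames, authorized=AUTHORIZED_MACS):
    """Passive check: every ARP sender missing from the inventory is reported, probes or not."""
    rogues = {}
    for frame in frames:
        parsed = parse_arp_sender(frame)
        if parsed and parsed[0] not in authorized:
            rogues[parsed[0]] = parsed[1]
    return rogues

# Constructed sample capture: one inventoried host, one unknown host, one non-ARP frame
SAMPLE_FRAMES = [
    build_arp_request("aa:bb:cc:00:00:01", "192.168.1.10", "192.168.1.1"),
    build_arp_request("de:ad:be:ef:00:01", "192.168.1.77", "192.168.1.1"),  # not in inventory
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 40,                # IPv4 frame, ignored
]

if __name__ == "__main__":
    for mac, ip in find_rogues(SAMPLE_FRAMES).items():
        print(f"unknown device {mac} claims {ip}")
```

A device that drops the server's pings still has to ARP before it can send anything, which is exactly the case the answer above describes; a device that never transmits produces no frame for this check to see.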
0

Once you've blacklisted a given IP, you've stopped the intrusion: there's nothing to detect because the connection gets refused.

You can LOG packets from a given server (even those that get rejected); you'll get a message sent to syslog that you can parse using the tool of your choice and take whatever action you choose.

Something like this:

# Log TCP SYN packets from SOURCE_IP sent to DEST_PORT
iptables -I INPUT -s ${SOURCE_IP} -p tcp --dport ${DEST_PORT} --syn -j LOG
