Capturing, forensics, etc
-
I have been watching the Dateline series "To Catch a Predator". I am a father with two daughters. I have looked at products which capture internet traffic and log it to a hard drive, such as NetIntercept (starts at $9500 … ouch). I consider myself a decent programmer. I have installed the developer edition and built an image to run on my WRAP. Is it conceivable to turn my firewall into something able to dump every IP packet to a hard drive in a rotating buffer of some sort? Are there cheaper, or even free (such as open source), alternatives to the NetIntercept product? I am surprised that they took a free OS such as FreeBSD, added a hard drive and an SBC, and are turning around and selling it for this price.
I found a few pages which reference some open-source software packages such as tcpdump and libpcap. Would it be possible to go into the source and just save off the packets to some mounted NAS share?
I really don't want to hear anything about privacy issues; after all, it is my network and my kids, so please keep those opinions out of this thread. All I am interested in is any technical solutions or suggestions to be able to perform my invasion of privacy. After all, if ever someone's kid was abducted, it would be nice to have a hard drive to turn over to the FBI.
-
At this time in pfSense, your best bet is probably to tcpdump to remote NAS storage. The packet filter we use does have the ability to copy all packets matching a given rule to another interface, where you could be running tcpdump (or whatever tool you wished) on a dedicated machine, but we don't currently support that functionality.
–Bill
-
Hmm, I don't think pfSense is the best tool to do what you want. The best would be another machine running a Linux distribution with a transparent proxy.
If I were you, I would install Linux with Squid configured as a transparent proxy. Then I would use a redirect program for Squid such as SquidGuard with all the blacklists provided and more… (http://cri.univ-tlse1.fr/documentations/cache/squidguard_en.html). On this website (a French university, maintaining one of the world's largest porn blacklists) you will find a huge porn blacklist (it's in use in a lot of schools here in France to protect children from pornographic content).
Then I would put in SARG, the log analyser for Squid; it gives pretty good information. You could also develop a special redirection page for SquidGuard that logs into a MySQL database all the requests that have been rejected. Good luck.
You can also look at SafeSquid.
-
I'm not sure I agree. A transparent Squid is useful and, combined with SquidGuard, will allow you to do filtering of HTTP. But non-HTTP protocols (AIM, IRC, etc.) won't be filtered or logged in any way. As I understand it, the OP wants LOGGING of all traffic for forensics reasons. If someone were to coerce his daughter into going with them, then there may be an address or phone number that can be used to figure out who it was and find them. SquidGuard isn't going to help in this case as it'll only show where they've been, not what they've seen.
–Bill
-
Yes, it's true, I was speaking of HTTP only. In order to log everything, the most common approach is Ethereal as a network probe. You log everything and you put in a cron job to tar the capture ;-)
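Bill's suggestion above (tcpdump writing to NAS storage) and the "capture everything and tar it from cron" approach in the reply both amount to the same thing: a continuous full-packet capture with rotation so the disk never fills. Here is an added example, not code from the thread or from the pfSense project, of how a practitioner would set that up on the pfSense box itself with nothing but tcpdump(1) and POSIX sh. The interface name vr0, the mount point /mnt/nas/pcap, the unprivileged user nobody, the hourly rotation and the 168-file retention are all assumptions to be changed to fit; WRAP boards typically show their NICs as sis0 under FreeBSD. The -G and -z options need tcpdump 4.0 or newer, so an older pfSense build may have to fall back to the size-based -C/-W ring buffer instead.

```shell
#!/bin/sh
# Added example (not from the original thread): continuous full-packet
# capture into a rotating buffer on a NAS mount, pruned to a fixed number
# of compressed files.  All paths, names and sizes below are assumptions.

IFACE="${IFACE:-vr0}"              # hypothetical; WRAP NICs are often sis0
CAPDIR="${CAPDIR:-/mnt/nas/pcap}"  # hypothetical NAS mount point
ROTATE_SECS="${ROTATE_SECS:-3600}" # start a new file every hour
KEEP_FILES="${KEEP_FILES:-168}"    # one week of hourly files

# Build the tcpdump command line (returned on stdout, not executed).
#   -s 0   full packets, not the default snaplen, so payload is kept
#   -n     no reverse DNS lookups; those would themselves appear in the capture
#   -G N   close the file and start a new one every N seconds
#   -w     file name with strftime(3) escapes, so names sort chronologically
#   -z gzip  run "gzip <file>" on each closed file (needs tcpdump >= 4.0)
#   -Z nobody  drop root once the interface is open
# -p is deliberately NOT given: the interface stays in promiscuous mode,
# which is what you need behind a hub or on a SPAN port.
build_tcpdump_cmd() {
    printf 'tcpdump -i %s -s 0 -n -G %s -w %s/cap-%%Y%%m%%d-%%H%%M%%S.pcap -z gzip -Z nobody' \
        "$1" "$2" "$3"
}

# Keep only the newest $2 compressed captures in $1.  The timestamp in the
# file name sorts lexically, so a plain sort gives oldest-first order.
prune_old_captures() {
    dir="$1"; keep="$2"
    count=$(ls "$dir"/cap-*.pcap.gz 2>/dev/null | wc -l | tr -d ' ')
    excess=$((count - keep))
    [ "$excess" -gt 0 ] || return 0
    ls "$dir"/cap-*.pcap.gz | sort | head -n "$excess" | while read -r f; do
        rm -f "$f"
    done
    return 0
}

main() {
    mkdir -p "$CAPDIR" || exit 1
    prune_old_captures "$CAPDIR" "$KEEP_FILES"
    cmd=$(build_tcpdump_cmd "$IFACE" "$ROTATE_SECS" "$CAPDIR")
    echo "starting: $cmd"
    # tcpdump runs until killed; launch this script from rc.local or daemon(8)
    exec $cmd
}

# "run" starts the capture (as root); "prune" is meant for an hourly cron job.
case "${1:-}" in
    run)   main ;;
    prune) prune_old_captures "$CAPDIR" "$KEEP_FILES" ;;
esac
```

Retention is bounded by file count rather than bytes, so size the count against the NAS from measured hourly volume; a 10 Mbit hub, as suggested later in the thread, caps the worst case at roughly 4.5 GB per hour uncompressed. Check the NAS mount is actually writable by the nobody user before trusting the ring, since tcpdump will exit, not wait, when a write fails.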
-
You may be interested to know that NetIntercept has a Windows-based demo freely available on CD. Simply go to http://www.sandstorm.net/sales/demo.php and click the email link to mail the sales department and ask for a copy.
The demo version can't capture (that's what all the hardware is about), but you can import tcpdump-format files to see how NetIntercept analyzes the traffic. Hope this helps!
-
Just out of curiosity, are you putting this capture device between the pfSense box and the modem, between the switch and your daughter's computer, running a hub for your daughter's computer, or spanning the switch port of your daughter's computer?
The cheapest solution that I can see by far, provided you don't need over 10 Mbit, is to get a cheap tiny hub, connect it between the WRAP switch and your daughter's computer, and instead of running a proxy just have the capture device in promiscuous mode to capture everything travelling through that hub.
At my last job we had an IDS and it was basically connected to a switch with a spanned port. The port that was being spanned was the port of the default gateway.