Source: ispublic.com
Google does not seem to turn up a single article on implementing online behavior auditing with open-source software; no wonder open source is unpopular in China and online behavior auditing is unpopular abroad. That does not mean it cannot be done. IS in Public offers an idea and a method for building a lightweight online behavior audit out of an open-source sniffing tool and a few scripts.
Implementation conditions:
One server:
The higher the traffic, the higher the performance requirement; dual NICs, so that one can be used for remote management. If a large amount of data must be written to disk, RAID 0 or RAID 10 is recommended;
Switch mirror port:
If conditions permit, all network traffic to be audited is mirrored to the behavior audit server;
Software environment:
Operating system: CentOS 5.5 i386
Audit tool: justniffer 0.5.7
Dependencies: boost 1.33.1
libpcap 0.9.4
libnet 1.1.2.1
libnids 1.24
gcc 4.1.2 (only needed during compilation)
Procedure
1. Install the operating system:
Create a separate partition for the log storage path. If the data volume is large and conditions permit, RAID 0 or RAID 10 is recommended;
Only the following package groups need to be installed:
Applications
Editors
Text-based Internet
Development
Development Libraries
Development Tools
Base System
Base
2. Install libpcap
# yum -y install libpcap-devel
# ./configure
# make
# make install
3. Install libnet
# yum -y install libnet
# ./configure
# make
# make install
4. Install justniffer
# tar zxvf justniffer_0.5.7.tar.gz
# cd justniffer-0.5.7
# ./configure
# make
# make install
Note: if the mirror port is connected to eth0, run the following command to check whether packets can be captured:
# justniffer -i eth0 -r
If output appears on the screen, the installation is successful.
Start Auditing
justniffer currently supports the following protocols: HTTP, JDBC, RTSP, SIP, SMTP, IMAP, POP and LDAP. The most valuable to us are HTTP and SMTP, that is, web browsing and email sending. As for IM messages, we do not recommend spending much effort on them: most IM software (QQ, for example) already encrypts its own traffic, and MSN has MSNShell and assorted plug-ins as well.
If you only need to monitor the URLs browsed by employees, we recommend the following command:
# justniffer -i eth0 -p "port 80" -l "%request.timestamp(%F %T) %source.ip %dest.ip %request.header.host %request.url %request.header.referer %newline" > /var/log/httpmonitor
To log the complete HTTP request instead:
# justniffer -i eth0 -p "port 80" -l "%request.timestamp(%F %T) %source.ip %dest.ip %newline %request" > /var/log/httpmonitor
To audit email sending (SMTP), log the raw stream on port 25:
# justniffer -i eth0 -p "port 25" -r > /var/log/mailmonitor
For the full list of justniffer command-line parameters, see the official website.
The Chinese encoding problem
One headache is Chinese character encoding. Fortunately, sites such as Baidu Tieba and Tianya use URI (percent) encoding for the text in posts, so the logged URLs can be decoded. An example of converting URI-encoded parameters back into Chinese characters with Perl:
#!/usr/bin/perl
# From Tsing of ispublic.com
# Usage: ./uridecode.pl '<percent-encoded string>'
use URI::Escape;
# uri_unescape turns %XX sequences back into the original bytes
$content = uri_unescape($ARGV[0]);
print "$content\n";
That is all for this article; a few scripts for large-scale enterprise deployment will follow.
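As an added example (not code from the ispublic.com article), the following Python script ties the URL-monitoring log format above to the Chinese encoding problem: it parses lines from /var/log/httpmonitor as written by the first justniffer command, percent-decodes the URL, and summarises visited hosts per source IP. The sample log lines are constructed, and the decode order (UTF-8 first, then GBK) is an assumption about the sites being audited.

```python
"""Parse the justniffer httpmonitor log (format: date time src dst host url
[referer]) and decode percent-encoded Chinese in the URL field."""
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample of /var/log/httpmonitor (not a real capture). The
# second line has no Referer header, so its last field is absent.
SAMPLE_LOG = """\
2011-03-01 09:15:02 192.168.1.10 220.181.111.85 tieba.baidu.com /f?kw=%E5%AE%89%E5%85%A8 http://www.baidu.com/
2011-03-01 09:15:40 192.168.1.10 220.181.111.85 tieba.baidu.com /p/123456
2011-03-01 09:16:11 192.168.1.22 124.225.65.154 www.tianya.cn /post-free-1-1.shtml?t=%B0%B2%C8%AB http://www.tianya.cn/
"""


def decode_uri_text(s):
    """Percent-decode to bytes, then try UTF-8 and fall back to GBK
    (assumption: the audited Chinese sites use one of these two)."""
    raw = unquote_to_bytes(s)
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return raw.decode("latin-1")  # last resort: never raise on odd bytes


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) < 6:
        return None
    date, clock, src, dst, host, url = parts[:6]
    referer = parts[6] if len(parts) > 6 else None
    return {"timestamp": f"{date} {clock}", "src": src, "dst": dst,
            "host": host, "url": decode_uri_text(url), "referer": referer}


def hosts_by_source(log_text):
    """Audit summary: {source ip: Counter of hosts visited}."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            summary.setdefault(rec["src"], Counter())[rec["host"]] += 1
    return summary


if __name__ == "__main__":
    for src, hosts in hosts_by_source(SAMPLE_LOG).items():
        print(src, dict(hosts))
```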