
Virus scanning your network traffic!

I had this idea, that if tcpxtract can carve out files from your network traffic, it might be combined with ClamAV (clamscan) to check the files for viruses. This has probably been done before, and all web-proxy servers that scan the web content do this in some way.
But my thought was to combine this with Sguil, so that the result would be reported to the F8 monkeys in a form such as:
$SRC_IP:$SRC_PORT -> $DST_IP:$DST_PORT : $FILE_TYPE, $VIRUS_TYPE
Clicking on the “Alert ID” will give one a transcript of the session, as usual, or something…

tcpxtract has an output like this:
Found file of type "jpg" in session [81.31.233.9:20480 -> 78.156.13.199:29620], exporting to /tmp/tcpxtract/spool/00000048.jpg

In my PoC I then mv the files over to a check dir, and clamscan gives output like this:
# clamscan --no-summary /tmp/tcpxtract/check/
/tmp/tcpxtract/check/00000048.jpg: Eicar-Test-Signature FOUND

My plan was to correlate info from the two logfiles from clamscan and tcpxtract and then gather it in a 3rd logfile for a sguil_agent to pick up, and send to sguil.
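The correlation step described above, written out as an added example (not the author's PoC code): it parses the two log formats shown in the post, joins them on the carved file's name (the PoC moves files from the spool dir to the check dir, so only the directory differs between the logs) and emits one line per detection in the $SRC_IP:$SRC_PORT -> $DST_IP:$DST_PORT : $FILE_TYPE, $VIRUS_TYPE form. The sample log lines are constructed, and the function names are my own.

```python
import re
from os.path import basename

# Constructed sample log lines in the formats the post shows (not real captures).
TCPXTRACT_LOG = """\
Found file of type "jpg" in session [81.31.233.9:20480 -> 78.156.13.199:29620], exporting to /tmp/tcpxtract/spool/00000048.jpg
Found file of type "gif" in session [10.0.0.5:44120 -> 203.0.113.7:80], exporting to /tmp/tcpxtract/spool/00000049.gif
"""
CLAMSCAN_LOG = """\
/tmp/tcpxtract/check/00000048.jpg: Eicar-Test-Signature FOUND
/tmp/tcpxtract/check/00000049.gif: OK
"""

TCPXTRACT_RE = re.compile(
    r'Found file of type "(?P<ftype>[^"]+)" in session '
    r'\[(?P<src>[^ ]+) -> (?P<dst>[^\]]+)\], exporting to (?P<path>\S+)')
CLAMSCAN_RE = re.compile(r'^(?P<path>.+?): (?P<sig>.+) FOUND$')

def parse_tcpxtract(text):
    """Map each carved file's basename to its session endpoints and file type."""
    files = {}
    for line in text.splitlines():
        m = TCPXTRACT_RE.search(line)
        if m:
            # Key on the basename: the PoC mv's files from spool/ to check/,
            # so the directory differs between the two logs but the name does not.
            files[basename(m["path"])] = (m["src"], m["dst"], m["ftype"])
    return files

def parse_clamscan(text):
    """Map infected file basenames to the signature clamscan reported (OK lines are skipped)."""
    hits = {}
    for line in text.splitlines():
        m = CLAMSCAN_RE.match(line.strip())
        if m:
            hits[basename(m["path"])] = m["sig"]
    return hits

def correlate(tcpxtract_text, clamscan_text):
    """Join the two logs on file name and return one alert line per detection."""
    files = parse_tcpxtract(tcpxtract_text)
    alerts = []
    for name, sig in parse_clamscan(clamscan_text).items():
        if name in files:
            src, dst, ftype = files[name]
            alerts.append(f"{src} -> {dst} : {ftype}, {sig}")
    return alerts
```

The returned lines are what the 3rd logfile for the sguil_agent would contain; clean files (clamscan "OK") produce no alert.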

My Proof of Concept (PoC) stops here, as tcpxtract does not run for very long on my Ubuntu Hardy test server before it segfaults on my ass :/ I found two patches for tcpxtract, but I have not had the time and strength (I’m rather sick at the moment) to check them out.

The story might continue…
