I set up ASL 3.040 to protect some Unix machines against hacking. Now I'd like to catch some hackers' traffic by rebooting a machine in hacked state and reporting the traffic to this machine. I know someone is trying to get FTP access on this IP (still dropped). Can I do this by netcat -l somehow (IP alias on outer NIC, but just port-bound), or is it better to install tcpdump or so? Who can give a hint?
If you are using a hub, you can run a packet sniffer like Ethereal to capture all data to/from the compromised server. If you are using a switch, then you'll need to set up a mirror port and then plug the sniffer into it to trap the data going to/from the compromised server.
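As an added example (not code from any poster in this thread), here is a small sh script for the sniffer box plugged into the hub or the switch's mirror port: it answers the original question by using tcpdump rather than netcat -l, since a listener only sees one connection on one port, while a sniffer records every packet to and from the victim. The interface name, addresses and output directory are constructed placeholders.

```shell
#!/bin/sh
# Full-packet capture of everything to/from a compromised host, run on a
# separate sniffer box (hub or mirror port), never on the victim itself.
# Requires tcpdump and root (or CAP_NET_RAW); IFACE/HOST/OUTDIR are assumed.

# Build the BPF filter: all traffic to/from HOST, optionally minus the
# sniffer's own management session so your SSH traffic does not pollute it.
# Usage: build_filter HOST [MGMT_IP]
build_filter() {
    host="$1"
    mgmt="${2:-}"
    # crude IPv4 sanity check so a typo does not silently capture nothing
    case "$host" in
        *[!0-9.]*|"") echo "build_filter: bad host '$host'" >&2; return 1 ;;
    esac
    if [ -n "$mgmt" ]; then
        printf 'host %s and not host %s' "$host" "$mgmt"
    else
        printf 'host %s' "$host"
    fi
}

# Start a rotating capture in the background: -G 3600 starts a new file
# every hour, named via strftime, so a long watch never produces one huge
# pcap. Prints the tcpdump PID so the capture can be stopped with kill -INT.
# Usage: start_capture IFACE HOST OUTDIR [MGMT_IP]
start_capture() {
    iface="$1"; host="$2"; outdir="$3"; mgmt="${4:-}"
    filter=$(build_filter "$host" "$mgmt") || return 1
    mkdir -p "$outdir"
    # -nn: no DNS/port lookups (they would leak to the attacker's DNS and
    #      slow the sniffer); -U: write each packet to disk immediately;
    # -s 0: full packets, not just headers, so the FTP session is readable
    tcpdump -i "$iface" -nn -U -s 0 -G 3600 \
        -w "$outdir/victim-%Y%m%d-%H%M%S.pcap" "$filter" &
    echo $!
}

# Example (constructed values): start_capture eth0 192.0.2.10 /var/pcap 198.51.100.5
```

Read the resulting files afterwards with tcpdump -r or Ethereal on a clean machine, not on the compromised one.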
You could set up a Man in the Middle PC and capture everything that moves to and from the compromised computer. I'm a novice hacker, so correct me if I am wrong.
There would be two advantages to this.
1. The connection state info could easily be collected and proxied without really allowing connections to the rooted host.
2. The person that rooted you couldn't deactivate your IDS processes or interfere with the logging functions, assuming your MiM is properly configured.