Firewall – Tools to analyze traffic through a firewall

Tags: analysis, firewall, logging

We have a pfSense setup with 2 WAN connections (3 Mb/s and 17 Mb/s) and are using tcpdump to log connection setup and DNS requests. We'd like to analyze the places being connected to with an eye toward watching for trojans and other dial-home programs. Are there any tools out there for this kind of analysis?

I've seen "Tool to analyze web traffic per file and time period?" and the answers there seem to be for looking at inbound traffic to a web server, whereas this is more a review of outbound traffic.

We aren't using Squid because we haven't figured out how to get it to work in a failover mode. With the asymmetric bandwidth connections we have some things that always go in/out over the 3 Mb/s link (like email), but we want the web stuff to go out over the 17 Mb/s connection unless it is down; then we want it to fail over to the 3 Mb/s connection, and that is something we haven't figured out how to configure.

The other thing about this setup is that we'd like to watch for non-web traffic as well. We'd like to see what outbound connections are being made (chat clients, SSH, etc.). The primary usage is to watch for rogue activity, so something to help that activity raise a red flag.

Best Answer

If you want to monitor traffic for security reasons and alert based on it, the tool for this is called an Intrusion Detection System (IDS).

A popular tool for this is Snort. You can run it on Windows or Linux (and maybe BSD?). I would put this on a separate machine. It could then sniff the WAN traffic by having your switches run mirror ports for each of the WAN connections.

So the WAN connections go through your switches (probably in their own VLAN) and each has a mirror port. These mirror ports are plugged into your IDS box, so the IDS sees a copy of all the WAN traffic. If the IDS sees something funny in the WAN traffic, it will send you an alert.
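The analysis the question asks for (reviewing tcpdump logs of connection setups and DNS requests for dial-home behaviour) and the alerting the answer attributes to an IDS, as an added example that is not part of the original question or answer: a small Python script that parses `tcpdump -n` text output, keeps only outbound SYNs from LAN hosts and DNS queries, and raises a flag on unexpected destination ports, beacon-like connections that recur at a fixed interval, and lookups of domains outside an allow-list. The LAN ranges (`INTERNAL_NETS`), the expected-port baseline (`EXPECTED_PORTS`), the known-domain list and the log lines in `SAMPLE_LOG` are all assumptions constructed for this example, not data from the asker's network.

```python
import ipaddress
import re
from collections import defaultdict

# Line shape produced by "tcpdump -n" for TCP and DNS packets (IPv4).
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# tcpdump prints DNS queries as "<id>+ A? name. (len)".
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA|CNAME|MX|TXT)\? (?P<qname>\S+)")

# Assumed LAN ranges at this site (RFC 1918); adjust to the real pfSense LAN subnets.
# (ipaddress.is_private is deliberately not used: it also treats the documentation
# ranges 198.51.100.0/24 and 203.0.113.0/24 used in the sample below as private.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed site baseline: ports this site expects outbound traffic on.
EXPECTED_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}

# Constructed sample log: one host browsing normally, one host calling home every 60 s.
SAMPLE_LOG = """\
12:00:00.100000 IP 192.168.1.10.50001 > 192.168.1.1.53: 1001+ A? www.example.com. (32)
12:00:00.200000 IP 192.168.1.1.53 > 192.168.1.10.50001: 1001 1/0/0 A 203.0.113.5 (48)
12:00:00.300000 IP 192.168.1.10.51234 > 203.0.113.5.443: Flags [S], seq 1, win 64240, length 0
12:00:00.400000 IP 203.0.113.5.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.500000 IP 192.168.1.22.50002 > 192.168.1.1.53: 2001+ A? beacon-test.example.net. (41)
12:00:01.000000 IP 192.168.1.22.40000 > 198.51.100.7.6667: Flags [S], seq 5, win 64240, length 0
12:00:07.000000 IP 192.168.1.10.51235 > 203.0.113.5.443: Flags [S], seq 3, win 64240, length 0
12:00:30.000000 IP 192.168.1.10.51236 > 203.0.113.9.80: Flags [S], seq 4, win 64240, length 0
12:01:01.000000 IP 192.168.1.22.40001 > 198.51.100.7.6667: Flags [S], seq 6, win 64240, length 0
12:02:01.000000 IP 192.168.1.22.40002 > 198.51.100.7.6667: Flags [S], seq 7, win 64240, length 0
12:03:01.000000 IP 192.168.1.22.40003 > 198.51.100.7.6667: Flags [S], seq 8, win 64240, length 0
12:03:05.000000 IP 192.168.1.22.40004 > 10.0.5.5.22: Flags [S], seq 9, win 64240, length 0
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not IPv4 TCP/UDP text."""
    m = PKT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = _seconds(rec["ts"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    query = DNS_QUERY_RE.search(rec["rest"]) if rec["dport"] == 53 else None
    if "Flags [S]" in rec["rest"]:   # bare SYN (not "[S.]"): a new connection attempt
        rec["kind"] = "syn"
    elif query:
        rec["kind"] = "dns"
        rec["qname"] = query.group("qname").rstrip(".").lower()
    else:
        rec["kind"] = "other"        # SYN-ACKs, data segments, DNS answers, ...
    return rec


def summarize(lines):
    """Collect outbound SYN times (LAN -> non-LAN) and DNS query names, keyed by LAN host."""
    syn_times = defaultdict(lambda: defaultdict(list))   # src -> (dst, dport) -> [ts, ...]
    queries = defaultdict(set)                           # src -> {qname, ...}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue
        if rec["kind"] == "syn" and not is_internal(rec["dst"]):
            syn_times[rec["src"]][(rec["dst"], rec["dport"])].append(rec["ts"])
        elif rec["kind"] == "dns":
            queries[rec["src"]].add(rec["qname"])
    return syn_times, queries


def beacon_interval(times, min_hits=4, tolerance=0.2):
    """Mean gap in seconds if attempts recur at a near-constant interval, else None."""
    if len(times) < min_hits:
        return None
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps):
        return mean
    return None


def flag_rogue(syn_times, queries, known_domains):
    """Return (src, reason) pairs for outbound activity that should raise a red flag."""
    alerts = []
    for src, dests in syn_times.items():
        for (dst, dport), times in dests.items():
            if dport not in EXPECTED_PORTS:
                alerts.append((src, f"{len(times)} SYN(s) to {dst}:{dport} on an unexpected port"))
            interval = beacon_interval(times)
            if interval is not None:
                alerts.append((src, f"beacon-like connections to {dst}:{dport} every ~{interval:.0f}s"))
    for src, names in queries.items():
        for name in sorted(names):
            if not any(name == d or name.endswith("." + d) for d in known_domains):
                alerts.append((src, f"DNS lookup for unlisted domain {name}"))
    return alerts


if __name__ == "__main__":
    for src, reason in flag_rogue(*summarize(SAMPLE_LOG.splitlines()), known_domains={"example.com"}):
        print(f"{src}: {reason}")
```

Only 192.168.1.22 is flagged in the sample: its IRC-port destination, its 60-second beacon, and its lookup of a domain outside the allow-list; the LAN-to-LAN SSH attempt is ignored because the question is about outbound traffic. To run it against a real capture, feed the script the output of something like `tcpdump -n -i <wan_if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn or udp port 53'` (interface name assumed), which keeps only connection attempts and DNS, so the log stays small enough to review daily. The domain allow-list is the weakest part: maintain it from a quiet baseline period rather than by hand, and expect to tune the beacon tolerance for hosts that poll legitimately (NTP, mail clients).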
