How can I Big Brother a user's computer?
December 8, 2005 1:10 PM   Subscribe

I'm a sysadmin, and I've been asked to check the browsing habits of a particular employee. We don't use a proxy, but all traffic is routed through a PIX firewall. What's the best way/software to do this?

I have my PIX logs going to a syslog server, but the logs track based on IP address, and not the URL Name. Is there a solution which will do log analyzing and reverse DNS lookups? Will reverse DNS even be feasible, with all of the shared hosting sites out there? I don't want to install a keylogger or tracking program on the computer, nor do I want to setup a proxy server if I don't have to. Do I have to?
posted by stovenator to Computers & Internet (21 answers total)
No, reverse DNS on the IP addresses will be next to useless.

You can setup squid in transparent proxy mode, and then configure a rule in the firewall to send all port 80 traffic for that one user through the squid box. Yes, it's a proxy, but since it's in transparent mode you don't have to change anything on the end user's machine nor would they ever know they were being proxied.
posted by Rhomboid at 1:33 PM on December 8, 2005

What method do users use to authenticate themselves? I.e. are you running a Novell shop, or what?
posted by SpecialK at 1:38 PM on December 8, 2005

Response by poster: specialk - Nope, no Novell. Just a standard Windows Domain (Active Directory). I know I can use group policy to make proxy changes, but I'm trying to keep from doing that.
posted by stovenator at 1:46 PM on December 8, 2005

Stove, it'd be easy if you were using Novell... but I'd take Rhomboid's suggestion. Squid is easy to configure in transparent mode, it truly is transparent to the user this way, and there's a lot of mature tools that you can use to track the user's web traffic with squid logs.
posted by SpecialK at 1:49 PM on December 8, 2005

If you're looking for active tracking, I can't help you. But if you want to see where this guy's been, I'd give this a try. IEHistoryView

Of course, that's assuming the user is using IE. Safe bet where I am, but maybe not so much for you.
posted by bDiddy at 1:49 PM on December 8, 2005

It's pretty easy, no proxy required:

* Poison the user's ARP cache so his machine believes that your workstation is the PIX device (or whatever the next hop from him is supposed to be)
* Run tcpdump (or ethereal, if you're lazy) on all the traffic coming from his machine
posted by cmonkey at 2:00 PM on December 8, 2005

I'd go with bDiddy's solution -- for one user, it's probably easier just to be a'lookin' at their IE/Firefox/etc history than futzing with your firewall or adding (potential) security issues by putting a proxy box outside your firewall.

Of course, setting up a squid proxy would be good experience ;)
posted by coriolisdave at 2:04 PM on December 8, 2005

bDiddy - the company is called winternals so i think you can assume they run windows.
posted by andrew cooke at 2:05 PM on December 8, 2005

You could run ethereal and filter down by his MAC address and port 80/443. It's not the cleanest logging in the universe but it's pretty easy.

Make sure your switch shows you his traffic at whatever point you plug into, of course.
posted by phearlez at 2:08 PM on December 8, 2005

Response by poster: The PIX, unfortunately doesn't actually route, so I can't specifically point port 80 traffic to a transparent proxy. I can assign a different external IP address to the internal NAT, but I'm not sure that's a good idea.

We may just go with IE history.
posted by stovenator at 2:16 PM on December 8, 2005

Don't Pix logs show the URLs of web traffic if you set the logging level high enough?

I just checked... yep, they do. If you're storing your pix logs somewhere that can handle the volume, just change your logging trap level to debugging, and it'll record every URL that anyone visits.
posted by agropyron at 2:28 PM on December 8, 2005

Response by poster: It keeps the URL, but (and this may be dependent on the version of PIX) it only keeps the IP address, not the DNS name.
posted by stovenator at 2:29 PM on December 8, 2005

You even said that in the more inside. I got too excited, sorry.
posted by agropyron at 2:31 PM on December 8, 2005

throw a linux box on the lan and get urlsnarf, part of the dsniff package.
posted by duckstab at 3:00 PM on December 8, 2005

I don't suppose you could post a followup, letting us know what the guy has been looking at, could you?
posted by StickyCarpet at 3:25 PM on December 8, 2005

It keeps the URL, but (and this may be dependent on the version of PIX) it only keeps the IP address, not the DNS name.

Which is why ethereal will do the trick for you. Any browser currently in use supports HTTP 1.1 which will include the host: line. So if you capture all outbound HTTP requests the packet will contain this information.

I'd be somewhat suprised if there aren't some scripts out there to an ethereal cap into readable data on this count. It's a pretty common desire.
posted by phearlez at 4:55 PM on December 8, 2005

There is a Windows program out there that will automatically snarf and parse ethereal caps into human-readable streams. In realtime, no less. It'll even sort them by port, datagram type, source or destination *or* program/source.

(IE, IMs can be threaded together, HTTP-browser sessions can be sorted and threaded together, even bittorrent streams can be grouped, parsed and threaded together. IRC, whatever. It jus intelligently senses the source and destination IPs, what port it's on, what sort of packet it is and automagically parses the cleartext or plaintext out of the wrappers and shows you what's up.

Of course none of this is helpful, 'cause I can't remember WTF it is. Scary program, though. Neat.
posted by loquacious at 6:52 PM on December 8, 2005

Sniff the inside port of the PIX using a span.

Setup a snort box. It's not hard to do. Remove all the rules that you don't care about. Install BASE to keep track of the alerts.

Barring that, write a script that parses the PIX syslog file and does a reverse DNS lookup on the IP. The UNIX "cut" utility should get it into a format you need. SED would work as well, but I'm not proficient in that.

It's probably a good idea to setup a snort box, though. You'll have this same question again in two months.
posted by lowfi at 6:50 AM on December 9, 2005

First things first: You can set a Pix to resolve IP addresses in its logs to hostnames. But let me stress in all caps: NO ONE DOES THIS. Pixes take such a performance hit doing this that no one does it.

Second there are quite a few nice solutions in this thread. Regarding setting up a proxy (whether it's squid or any other), where you were worried that you couldn't have the Pix do the routing to the Proxy. What you really need to do is set the user's browser to point to and use the proxy.

That being said, setting up a proxy is probably overkill for what you need to accomplish. If you are only concerned with logging one user and don't think you'll have to do this again, I'd go with phearlez and others suggestions of simply sniffing his traffic, if you have the disk space for it.

This last solution is both free and easy if you are already familiar with something like ethereal.
posted by poppo at 8:34 AM on December 9, 2005

EtterCap will do ARP poisoning for you, allowing you to snoop connections, even on a switched LAN.
posted by kableh at 8:46 AM on December 9, 2005

you guys make it so hard, I would suggest just running 8 hours of VNC feeding into a slideshow every 3-5 seconds. you would get a record of most of his browsing, and not network related activity as well.
posted by Megafly at 4:24 PM on December 9, 2005

« Older Slot cars for a 5 year old.   |   What are these bumps on the inside of my lips? Newer »
This thread is closed to new comments.