
Step 4: Peek into your network traffic

09 Oct 2006 | By Kevin Beaver, CISSP


Peek into your network traffic

Perhaps the easiest way to determine if any nefarious behavior is taking place on your SQL Server is to see how it's talking on the network. If you have a network analyzer you're comfortable with, you can start rooting out what's going on in just a minute or two. You can load your analyzer on the SQL Server itself or connect it elsewhere to a span or mirror port on your Ethernet switch.

My favorite network analyzer, EtherPeek, can be used like most other analyzers to capture packets going to or from your SQL Server. As shown in the figure below, some traffic running over TCP port 12345 (a common NetBus Trojan port) is discovered.

EtherPeek can easily capture network traffic highlighting Trojan behavior – in this case capturing NetBus traffic

You can actually create your own network analyzer triggers and filters if you know what to look for. A good listing of common Trojans and their associated ports can be found here. This method of rooting out malicious traffic isn't foolproof since port numbers can often be changed, but it serves as a good starting point.

You can run EtherPeek in 'monitor' mode to let it glean a bird's-eye view of what's taking place on the network, without having to capture packets. You can view which protocols are in use as well as look for heavy traffic, odd hosts communicating, and other network trends to/from your SQL Server system. This is demonstrated in the following screenshot.

EtherPeek's monitor mode can highlight network trends such as Trojan communications you wouldn't otherwise know about
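As an added example (not code from the article or from EtherPeek), the following Python script applies the two checks the article describes, a port filter for the NetBus port shown in the capture and a monitor-mode style summary of who talks to the SQL Server on unexpected ports, to a constructed flow log. The SQL Server address, the 1433 listener port and the log format are assumptions.

```python
from collections import Counter

SQL_SERVER = "10.0.0.5"        # constructed address of the SQL Server host
EXPECTED_PORTS = {1433}        # SQL Server's default TCP listener port
# Watchlist: 12345 (NetBus) is the port the article shows; add entries from a
# published Trojan/port listing. Ports can be changed, so treat hits as leads.
TROJAN_PORTS = {12345: "NetBus"}
# Constructed sample flow log (not a real capture):
# "src_ip src_port dst_ip dst_port proto bytes"
SAMPLE_FLOWS = """\
10.0.0.21 50123 10.0.0.5 1433 tcp 18240
10.0.0.22 50210 10.0.0.5 1433 tcp 9102
10.0.0.5 1433 10.0.0.21 50123 tcp 220000
192.168.7.9 41000 10.0.0.5 12345 tcp 640
10.0.0.5 12345 192.168.7.9 41000 tcp 3100
10.0.0.5 3456 172.16.4.4 6667 tcp 1200
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, proto, nbytes = line.split()
            flows.append(dict(src=src, sport=int(sport), dst=dst,
                              dport=int(dport), proto=proto, bytes=int(nbytes)))
    return flows

def find_trojan_port_flows(flows):
    """Filter step: flows where either end of a SQL Server conversation
    uses a port on the Trojan watchlist."""
    hits = []
    for f in flows:
        if SQL_SERVER not in (f["src"], f["dst"]):
            continue
        for port in (f["sport"], f["dport"]):
            if port in TROJAN_PORTS:
                hits.append((f["src"], f["dst"], port, TROJAN_PORTS[port]))
                break
    return hits

def unexpected_peers(flows):
    """Monitor-mode step: bytes exchanged with the SQL Server on any local port
    other than its listener, keyed (peer, local_port, remote_port); catches a
    renamed Trojan port that the watchlist would miss."""
    talkers = Counter()
    for f in flows:
        if f["dst"] == SQL_SERVER and f["dport"] not in EXPECTED_PORTS:
            talkers[(f["src"], f["dport"], f["sport"])] += f["bytes"]
        elif f["src"] == SQL_SERVER and f["sport"] not in EXPECTED_PORTS:
            talkers[(f["dst"], f["sport"], f["dport"])] += f["bytes"]
    return talkers.most_common()
```

On the sample log the watchlist flags the two NetBus flows, and the peer summary ranks the same remote host first by volume and also surfaces an outbound conversation on a port no watchlist would know about.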


Test for a Trojan horse on your SQL Server

 Home: Introduction
 Step 1: Scan your SQL Server for malware
 Step 2: Look in the memory
 Step 3: Look at open ports
 Step 4: Peek into your network traffic
 Step 5: Approach with a malicious mindset


ABOUT THE AUTHOR:   
Kevin Beaver
Kevin Beaver is an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC. He has more than 18 years of experience in IT and specializes in performing information security assessments revolving around compliance and IT governance. Kevin has authored/co-authored six books including , Hacking Wireless Networks For Dummies, and Securing the Mobile Enterprise For Dummies (all by Wiley), as well as The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver ~at~ principlelogic.com.
Copyright 2006 TechTarget



