Pattern detection in a remote LAN environment (EN)

PATTERN DETECTION IN 
A REMOTE LAN ENVIRONMENT
IPOLE PROJECT
BRUNO VALENTIN
A minor thesis submi.ed in part fulﬁllment of the degree of M.Sc. in Forensic
Compu<ng and Cyber Crime Inves<ga<on with the supervision of Dr. Pavel GLADYSHEV.
School of Computer Science and Informa<cs
University College Dublin
August 2008

Table of contents
1 INTRODUCTION...................................................................................................................................................5
1.1 Background...........................................................................................................................................................5
1.2 Needs and requirements......................................................................................................................................6
1.3 Selected approach................................................................................................................................................7
1.4 Summary of achievements...................................................................................................................................9
2 BACKGROUND...................................................................................................................................................10
2.1 Internal versus external intercep<ons................................................................................................................10
2.2 Ac<ve and passive monitoring............................................................................................................................12
2.3 Deep Packet Inspec<on......................................................................................................................................15
2.4 Recording of just ﬁltering the traﬃc?.................................................................................................................17
2.5 Delivery of the data............................................................................................................................................17
3 PROBLEM STATEMENT.......................................................................................................................................19
3.1 What is the problem and why it needs to be solved..........................................................................................19
3.2 Exis<ng solu<ons ...............................................................................................................................................22
3.2.1 Niksun NetDetectorLive...............................................................................................................................22
3.2.2 Qosmos Qwork............................................................................................................................................23
3.2.3 Blueye project.............................................................................................................................................24
3.2.4 Drawbacks of exisAng soluAons..................................................................................................................24
3.3 Requirements......................................................................................................................................................26
3.3.1 reliability.....................................................................................................................................................26
3.3.2 FuncAonaliAes.............................................................................................................................................27
3.3.3 Flexibility.....................................................................................................................................................28
3.3.4 Speed...........................................................................................................................................................29
3.3.5 Security........................................................................................................................................................30
3.3.6 Cost.............................................................................................................................................................32
3.3.7 Legality........................................................................................................................................................33
4 ADOPTED APPROACH........................................................................................................................................34
4.1 Overview of overall architecture........................................................................................................................34
4.1.1 The central server........................................................................................................................................35
4.1.2 The probes...................................................................................................................................................37
4.2 Se_ng up SMS and Email accounts to receive alerts.........................................................................................40
4.2.1 TelecommunicaAon operator......................................................................................................................40
4.2.2 Email‐to‐SMS providers...............................................................................................................................42
2 of 124   B. VALENTIN – MSC DISSERTATION

4.3 Installa<on of the central server.........................................................................................................................43
4.3.1 Technical choices.........................................................................................................................................43
4.3.2 InstallaAon of Debian Etch on the central server........................................................................................44
4.3.3 CompleAon of the RAID configuraAon........................................................................................................47
4.3.4 Basic system configuraAon.........................................................................................................................49
4.3.5 Virtual Private Network Server and CerAficaAon authority........................................................................51
4.3.6 Web pages compression and installaAon of a Web Proxy..........................................................................55
4.3.7 Logging of alerts.........................................................................................................................................59
4.3.8 Monitoring the probes................................................................................................................................61
4.3.9 Backups.......................................................................................................................................................64
4.3.10 Securing the server....................................................................................................................................65
4.3.11 The Graphical User Interface....................................................................................................................68
4.4 Installa<on and configura<on of a probe...........................................................................................................70
4.4.1 InstallaAon of a Linux operaAng system on the probe...............................................................................70
4.4.2 Password se[ng.........................................................................................................................................71
4.4.3 SSH public key exchange.............................................................................................................................72
4.4.4 Network configuraAon ...............................................................................................................................72
4.4.5 Repositories se[ngs...................................................................................................................................74
4.4.6 DeacAvaAon of useless services..................................................................................................................74
4.4.7 Security Hardening......................................................................................................................................75
4.4.8 Virtual Private Network client.....................................................................................................................76
4.4.9 Syslog configuraAon....................................................................................................................................78
4.4.10 Transparent redirecAon of HTTP requests via proxy server......................................................................79
4.4.11 Event detecAon.........................................................................................................................................79
4.4.12 ConfiguraAon for automaAc on‐site installaAon......................................................................................82
4.5 On‐site installa<on of a probe............................................................................................................................82
4.5.1 ConfiguraAon of the probe..........................................................................................................................82
4.5.2 Is the probe connected ?.............................................................................................................................83
5 DESCRIPTION OF RESULTS.................................................................................................................................85
5.1 transparency of the probe..................................................................................................................................85
5.2 Direct HTTP connec<on without proxy redirec<on............................................................................................86
5.3 Indirect connec<on to the server (redirec<on via Proxy server)........................................................................89
5.4 Common Webmail sites......................................................................................................................................92
5.5 Instant messaging...............................................................................................................................................99
5.6 Alerts issued......................................................................................................................................................101
5.7 Assessment of the performance in a real situa<on..........................................................................................103

5.7.1 DescripAon of the experiment...................................................................................................................103
5.7.2 Results of this experiment.........................................................................................................................105
5.7.3 Conclusion of the experiment...................................................................................................................106
6 EVALUATION AND DISCUSSION OF RESULTS....................................................................................................107
6.1 Project achievements.......................................................................................................................................107
6.2 Future work.......................................................................................................................................................110
6.3 Fields of applica<on..........................................................................................................................................111
6.4 Comparison with commercial intercep<on / protocol analysis systems..........................................................113
7 LIST OF REFERENCES........................................................................................................................................117
8 APPENDICES....................................................................................................................................................119
8.1 Automa<c on‐site installa<on script.................................................................................................................119
8.2 OpenVPN client configura<on file sample........................................................................................................119
8.3 Configura<on files for the backup procedure...................................................................................................120
8.3.1 backup.sh..................................................................................................................................................120
8.3.2 backup.incl................................................................................................................................................121
8.3.3 backup.excl................................................................................................................................................121
8.4 Firewall scripts..................................................................................................................................................122
8.4.1 on.sh..........................................................................................................................................................122
8.4.2 off.sh.........................................................................................................................................................124

1 Introduc<on
1  Introduction
As they have fully understood how useful computers and networks can be in the scope of their criminal
ac<vi<es, offenders now tend to widely use new technologies. Obviously, because of their illegal
business, one of their main concern is to remain anonymous and hidden, not to be iden<fied and
arrested by Law Enforcement Units.
Internet cafes are providing a public access to everyone who needs to be connected for a short period of
<me or who has no personal Internet connec<on. Depending on the countries, the legisla<on regarding
the regula<on of cyber cafes is ohen loose. In contrast with the Internet Service Providers , they are
ohen not compelled to be in compliance with the legisla<on related to the reten<on of the connec<on
data and they are not obliged to iden<fy their customers either.
Considering this, offenders ohen use Internet cafes to commit their illegal acts, thinking that they will be
protected by a substan<al anonymity. As a ma.er of fact, even if the Police unit in charge manage to
subsequently iden<fy the owner of the public IP address from which the offense was commi.ed,
determining formally which customer perpetrated it is impossible. Most of the Internet cafes don't keep
any informa<on about their customers and don't provide any way to iden<fy subsequently a person who
used a worksta<on. No video recording exists except for security purpose. 
1.1  Background   
Over the past few years the French Police had to deal with some cases of kidnapping in which people
were abducted and the perpetrators asked the family for a ransom. Concerned by anonymity, the
criminals were using Internet cafes to communicate with the family of the hostage. They created an
email account on one of the common webmail sites available on the Internet and then used this account
to send emails to the rela<ves of the vic<m.
As the discussion was going on between the kidnappers and the family, the Police tried to track down
the criminals many <mes without succeeding. As a ma.er of fact, since offenders were using a set of
internet cafes to connect the webmail, the Police had to perform several opera<ons prior to being in
posi<on of arres<ng them. 
First of all, they had to analyze the full header of the electronic mail sent to the family to get the public

1 Introduc<on
IP address of the Internet connec<on from which it originated. Then they had to contact the appropriate
Internet Service Provider to perform the iden<fica<on of the IP address in order to be able to locate the
Internet cafe. This second opera<on was really depending on the ISP used and its quickness to answer to
the official requests sent by the Police. 
Once the loca<on of the Internet cafe was iden<fied, the Police could go to this place to carry on their
inves<ga<on. Of course, the kidnappers had leh a long <me before they arrived. Since they didn't know
which computer of the cyber cafe was used to send the email, they had to perform an exhaus<ve
forensic analysis of every worksta<on. But most internet cafes had ohen more than 20 computers
connected. 
Each <me they had to write to the family or to get the replies to their own emails, the offenders went in
a different cyber cafe. This procedure allowed them to cover their tracks. But since they were staying in
the same part of the city, the Police forces no<ced that, aher a while, the offenders tended to go again in
a cyber cafe visited already.
1.2  Needs and requirements   
By the <me this inves<ga<on was conducted, the only concern of the Police was to iden<fy and arrest
the perpetrators of the kidnapping urgently. it was observed that the Police had currently no way to do
that and needed a system or equipment to quickly and formally iden<fy the internet cafe as soon as the
criminals were connec<ng to their webmail account. The requirements for such a system were rapidly
iden<fied.
To avoid the constraint of going to the ISP and asking for iden<fica<on, the system had to inform the
Police of the real loca<on of the Internet cafe without relying on public IP address, pertaining to the ISP.
The alert had to be sent in real‐<me, to allow the Police officers to enter the internet cafe soon enough
to arrest the criminals whilst they were connected. Of course, since the Police officers were on the spot,
they had to be informed by a means they could use, such as mobile phone or email.
Next, as the waste of <me analyzing the huge number of computers in various internet cafes was
enormous, and since the Police wanted to pinpoint quickly the computer involved, the system had to
record the private IP address of the worksta<on as well. Obviously, focusing directly on the relevant
computer is always much faster and more effec<ve.

1 Introduc<on
In case a new email address was discovered as being used by the criminals, all the detec<on systems had
to be updated to start recognizing this new informa<on immediately. Of course, as an inves<ga<on has
usually no boundaries na<onwide, the system had to  be composed of modules that could be spread
over the whole country.
Finally, the Police unit had a constraint in terms of financial allowance. It was required that the system
was affordable enough to not exceed the limits regarding the expenses allowed for the case.
Of course some commercial solu<ons for intercep<ng network traffic existed already. They were all
provided as very expensive and cumbersome appliances. It was unconceivable to put this kind of
equipment in an internet cafe, since it was impossible to insert them in a <ny network infrastructure
without arousing the suspicion of customers. 
Also the price to pay for each of these equipments was very high. Due to the number of appliances
needed to cover all the internet cafes involved, the Police unit in charge of this inves<ga<on could not
afford spending so much money for a single case, even if it was a very sensi<ve one.
The Police rapidly came to a conclusion that no exis<ng solu<on, given their characteris<cs and prices,
were suitable for handling such issues.
1.3  Selected approach   
Since no appropriate system existed by the <me these inves<ga<ons were conducted, a solu<on has
been designed in the scope of this disserta<on with the goal of making it possible in the future to solve
this kind of cases.
The system which has been designed aims to sa<sfy the needs of the Police units every <me they come
across an offender repeatedly using internet cafes to connect the Internet with the goal of remaining
anonymous.
The selected infrastructure is composed of a set of probes linked to a central server, accessible via a VPN
tunnel. Each of the probe is actually a cheap SOHO router from Linksys, sold in every computer shop and
converted into a transparent filtering and detec<on equipment.  

1 Introduc<on
All The probes can be configured at once through a Graphical User Interface build specifically for this
project and hosted on the central server. As soon as the probes have been updated with the filtering
rules, they begin monitoring the remote local area networks of the Internet cafes where they have been
installed.
Each <me any of the probe detects a pa.ern on the network that matches a filtering rule, it reports the
detec<on to the central server which informs the local Police officers in real <me via SMS or Email
no<fica<ons.
The current approach is in fact a central one. The command and control server is responsible for
upda<ng and monitoring the probes as well as sending no<fica<ons to the Police officers in charge. A
probe has to be installed in every internet cafe used by the kidnappers, with the coopera<on of the
manager of the cyber cafe. This way, the transparent probe can filter the network flow on the LAN and
can determine which private IP address has triggered the alert.
As  every probe is connected to the central server through a Virtual Private Network tunnel, the server is
capable of iden<fying formally the probe upon its private IP on the VPN range. Therefore, the Police
don't have to rely on the public IP address of the Internet cafe to iden<fy the loca<on of the probe. As no
third party is involved in the iden<fica<on process, it can be done quickly.
Eventually, if the criminals come back to an Internet cafe they have used already, the Police will be
no<fied instantly and they will be able to arrest the offenders red‐handed.
Illustration 1.1.: Overview of network architecture

1 Introduc<on
1.4  Summary of achievements   
The current solu<on, designed for the comple<on of this disserta<on provides an effec<ve approach of
intercep<ng occurrences of interest on the remote private networks of many internet cafes. It is
currently possible to update the probes from a remote loca<on and to set new filtering rules which can
evolve constantly during the inves<ga<on.  
The probes are being monitored on a permanent basis and in real‐<me by a central server which is also
responsible for sending the no<fica<ons instantly to the Police officers upon detec<on reported by any
of the probes. All the communica<ons between the central server and the probes are fully encrypted
with SSL by the use on a VPN tunnel.
Even if the adopted solu<on has drawbacks, it could be evolved in some ways. It can undeniably be used
for solving the global issue of intercep<ng occurrences simultaneously in several remote Local Area
Networks.
This solu<on is applicable either to Internet cafes or to wireless hotspots, as long as it is plugged on the
wire which connects the local network to the internet. Even if wireless func<onali<es are disabled on the
probes, it has no impact on their ac<on since they only focus on the data transmi.ed on the wire.
From all the tests made, it emerges that this approach can allow the Police to iden<fy urgently and
without the need of a third party, the loca<on of an Internet cafe and also the worksta<on used by an
offender to perpetrate his criminal ac<vi<es. Thus, the Police unit in charge of the case  will be able to
arrest the offenders without delay.
Finally, with regards to the cost of the global solu<on, it appears dispropor<onate compared to the
exis<ng commercial or open‐source solu<ons which rely on expensive appliances to work properly.

2 Background
2  Background
As seen previously in the introduc<on, the topic of the current document is to set up a solu<on in order
to  simultaneously  intercept a set of local area networks from a remote point of view, and for Law
Enforcement needs. This kind of subject ma.er  is ohen not published or disclosed since it is considered
as   sensi<ve   by   the   private   companies   which   are   designing   on‐purpose   equipment   and   the   Law
Enforcement Agencies.
Though, some white papers have been released publicly by academic ins<tu<ons and private sector. An
overview   of   the   current   state   of   art   regarding   wire   tapping   has   been   done   to   determine   how
intercep<ons can be implemented for solving the issue exposed in this disserta<on.
The white papers and other documents found are introducing the different ways of intercep<ng
communica<ons on a IP network.   
2.1  Internal versus external interceptions   
Depending on how accessible the network is to monitor and where the wiretapping equipment can be
installed, an intercep<on process can be referred to as internal or external. 
Internal intercep<on allows the Law Enforcement Agencies to extract the data directly from the internal
networks of internet service providers [2‐1] involved in the transmission of the data of interest over the
Internet.  In this case, the whole traffic of the target is intercepted and delivered to the LEA in its raw
format. This is commonly completed using sohware or hardware sniffers capable of dealing with IP
traffic.
Of course, since it is crucial, from a Law Enforcement prospec<ve, that the target doesn't know they are
being monitored, some mechanisms must be put in place to ensure the intercep<on system remains
transparent. This means that the system has to be thought of and designed in a secure manner. [2‐1]
Unfortunately, in many developed countries, ISPs are ohen reluctant to provide access to their core
networks to the LEA. There is usually a strong opposi<on [2‐1] leading to a legal figh<ng between LEA
and service providers.
When pu_ng in place an internal intercep<on is not feasible, intercep<on must be performed at

2 Background
network  access   level   outside  the   network  of  the  service   provider.   Typically,   this  means  that   the
intercep<on material has to be connected out of the immediate target network, for instance at adjacent
networks or public network concentra<on points [2‐1]. This network pertains usually to the network
operator, as depicted on the figure below.
The systems capable of doing external intercep<ons are ohen designed and commercialised by private
companies. As performing an external intercep<on is much more complicated than doing an internal
one,   such systems tend to be sophis<cated and not officially publicised. In fact, WAN monitoring is
considerably not a simple task to complete. It must support a much wider range of network topologies
and protocols (PPP, mul<link PPP, Cisco HDLC, frame relay, ATM) [2‐2] and must be able to deal with
several levels of protocol encapsula<on.
As it was the case already in the internal intercep<on, targets must be unaware that they are under
electronic. Therefore, any no<ceable informa<on that could reveal the monitoring process should be
avoided [2‐1]. For instance, the “Traceroute” command could show a new router hop in the path from
the target to the Internet. Also, degrada<on or interrup<on of service has to be avoided as much as can
be by the use of appropriate technologies.
In conclusion, any<me it is applicable, internal intercep<on is considerably more straighporward to put
in place. Also, the content data resul<ng from this intercep<on can be filtered more effec<vely since IP
data is already and does not need to be translated prior to being analysed.
Illustration 2.1: Typical configuration for xDSL

2 Background
2.2  Active and passive monitoring   
As external intercep<ons are not very well documented publicly, the emphasis will be put on Internal
intercep<ons, which are more suitable to address the global issue stated at the beginning of this
document.
There are typically two approaches in monitoring  a network flow : the passive and the ac<ve ways.
First, the passive monitoring, also referred to as non‐intrusive [2‐2], has the ability to intercept the data
transmi.ed over a network without interfering with the flow of network traffic. This kind of topology is
said to be invisible and undetectable [2‐4] and even if the intercep<on equipment comes to fail for any
reason, the data will con<nue to flow across the network. In fact, the intercep<on equipment just has to
deal with a copy of the packets.
With a hub‐based network, each worksta<on can see the traffic transmi.ed to or from any of the other
computers connected to the same network. Hence, pu_ng in place a passive monitoring in a network
environment composed of hubs is very straighporward. As Robert Graham says in his FAQ [2‐3], Ethernet
was built around a “shared” principle: all the machines on the local network share the same wire.
Contrarily, switched networks cannot be monitored as easily. In fact, in a switched network topology, the
switch isolates the network traffic of each worksta<on and restrict the transmission to the worksta<ons
involved in the ongoing communica<on only. It means that na<vely, a monitoring equipment connected
to a port on the switch cannot see the traffic intended for another computer. [2‐2]
Illustration 2.2: Passive monitoring

2 Background
Two ways exist for solving the issue of performing intercep<ons in a switched network topology. The first
one is tapping all single segment on the switch. The second one is using a switch which comes with a
monitoring port. The monitoring port is a specific network port on the switch that provides the
equipment connected to this port with a copy of each single packet transmi.ed over the network.
Obviously, this approach is more cost‐effec<ve to solve this problem than the first one [2‐2].
In addi<on, some techniques exist to sniff the IP flow in a switched network environment by hijacking
the traffic [2‐3]. For instance, one of the most effec<ve is named Switch jamming. This technique allows
to flood a switch with a lot of spoofed mac addresses. This big amount of forged  mac addresses is
overflowing the mac address tables of the switch. That leads from the switch prospec<ve to operate as a
hub.  
Decision computer also names this type of monitoring “Mirror mode”. It is said to be the most common
mode used. This mode has to be used when the data flow in customer site is large. It is possible to
handle up to 1000 users with this kind of topology [2‐4]. If deployed in a passive mode, an IDS can
monitor the traffic without being capable of applying any modifica<on to the packets [2‐6]
Contrarily, the second type of monitoring is called ac<ve monitoring. Also named “intrusive monitoring”
[2‐2], it splits the network in two parts and allows the packets to be transmi.ed from one part to the
other while monitoring the data. Since it is usually installed in a strategic point on the network (choke
point), all the data must pass through this equipment in order to be transmi.ed to the Internet.

2 Background
This type of topology is used when the data is required to be manipulated before being transmi.ed over
the network [2‐2].  For instance, if the data has to be relayed via a transparent proxy, the ac<ve
monitoring can change the port and the des<na<on IP in real <me to hijack the packets from their
original path. Again, it is also recommended to deploy the equipment in a way that its existence is
hidden from the other devices connected to the network [2‐6].
This <me, decision computer suggests to use this topology they name “bridge mode” to monitor the
ac<vity of a group composed of up to 200 users [2‐4]. NetOp<cs underlines that the devices deployed
“in‐line” can introduce excessive latency due to internal processing [2‐6]. Moreover, if the whole traffic
flows through a single device, it needs to be  capable of dealing with all the packets in real‐<me. For
instance, monitoring a gigabit backbone though a spanned 100 megabit port is impossible since not all
the packets will be seen by the device [2‐6].
Depending on the case, passive or ac<ve monitoring can be adopted accordingly [2‐6]. Most of the <me,
the monitoring equipment is deployed at the enterprise firewall in order to intercept the whole traffic
coming from and going to the Internet. However, the selected topology must be able to absorb the
whole network flow under all condi<ons and ensure the network reliability and availability. To be fully
func<onal, the IDS must be able to access the network in full duplex and full‐bandwidth.
Illustration 2.3: Active monitoring

2 Background
2.3  Deep Packet Inspection   
The key concept of monitoring communica<ons in an IP network is how deep the intercep<on process
will dig into the packets in order to inspect them.
Intercep<ons can be performed at different layers of the OSI model. Layer 2 and 3 monitoring systems
are commonly referred to as “protocol analysers” [2‐2]. 
However, most common E‐mail or webmail services such as Hotmail and Yahoo are offered by service
providers instead of network operators. Network services are focused rather on layers 6 and 7 which are
a bit higher in the IP OSI model. [2‐1]. 
Therefore, according to Thomas Porter [2‐6], it is important to dis<nguish between the different depths
of packet inspec<on :
Shallow packet inspec<on [2‐6, 2‐8] is the tradi<onal way of examining the packets, usually in a firewall
located at the boundary of a corporate network. Shallow packet inspec<on is performed at a choke point
(a point between two networks where all the packets must pass) .  It usually provides network address
transla<on, logging, and  basic filtering based on IP and ports. 
Since it only extracts basic protocol informa<on, Shallow packet inspec<on deals with the headers and is
insufficient to operate filtering of applica<on‐related data [2‐8].
Deep packet inspec<on is the most advanced technology for iden<fying applica<on data carried by IP
packets [2‐7]. It digs deeper in the content of the packet by analysing the header of each layer and the
payload carried by each packet. In a sense, one can say that DPI is more applica<on aware [2‐8].
Illustration 2.4: Shallow packet inspection - data from packet headers

2 Background
If a non standard applica<on uses a standard port such as port 80 to exchange data, deep packet
inspec<on will be able to determine it whereas shallow packet inspec<on will just no<ce that port 80
(supposed to be HTTP) is used.
For instance, a lot of applica<ons use standard protocols (HTTP) to transmit the content data. DPI allows
to dis<nguish between the genuine HTTP traffic and the other applica<ons using HTTP as a vector of
transmission [2‐6].
Deep packet Inspec<on na<vely examines each packet and applies some predefined filtering rules to it.
Depending on its content, the packet can match with a rule and can be accepted or rejected. The rules
can be based for instance, on signature or regular expression matching. [2‐6]. DPI allows any string of
bytes contained in the packet to be compared with the rules database in order for the IDS to make a
decision.
IDS sohware looks for pa.erns outside from the defined policy. One of the most commonly used IDS is
called snort. Snort allows the user to define par<cular condi<ons that generate alarms upon detec<on of
known pa.erns such as keywords. 
In his paper, Dr Thomas Porter also indicates that the signature database must be easily updatable since
it is dynamic [2‐5]. Indeed, since the strings the IDS has to search for can change during the intercep<on
process, it is important that new strings can be appended to the signature database. For instance, the
program called I‐Watch, the FBI used in 1996 , could be programmed to capture connec<ons that
contained a par<cular keyword [2‐7]. 
The length of the packets can differ, depending on the total payload they are carrying. Therefore, since it
is   impossible   for   the   IDS   to   know   precisely   where   to   get   the   strings   to   compare,   it   can   be   a
Illustration 2.5: Kazaa string match analysis

2 Background
computa<onally expensive task to search through the packet for matching strings [2‐5]. 
In conclusion, Deep Packet Inspec<on is a promising technology, now implemented in appliances
manufactured by the most popular vendors such as Microsoh, Cisco and Checkpoint. Combining Firewall
and IDS in a single equipment eases the configura<on and the management of the system [2‐5].
The Deep packet Inspec<on is mandatory for an intercep<on system to be capable of analyzing the
payload of an IP packet to a level necessary to intercept ‐ for example ‐ accesses of a par<cular user to a
par<cular web mail service.
2.4  Recording of just Oiltering the trafOic?   
Depending on the type of intercep<ons to put in place, one ques<on arises. Is it necessary to record and
store all the data or  is it sufficient to just filter them ?
Simson Garfinkel defines an approach that he calls “catch it as you can” [2‐7]. It describes the process of
recording every type of packet transmi.ed through the intercep<on system. Since it immediately writes
the data to the disk and perform analysis aherwards, this approach requires to use large disks, usually
configured as RAID systems.
Another way of filtering the data is the approach called “stop, look and listen” [2‐7]. It consists in
analyzing the content data in real‐<me as it flows over the network and record the relevant packets only.
As a consequence, large disks are not required any more, but analyzing the packets on‐the‐fly can take
much computa<onal resources again. This approach was introduced in the 1990s by Marcus Ranum and
used to be employed in the FBI wiretapping system called “Carnivore”.
Anyhow, the hardware selected for comple<ng the task of intercep<ng the data, mainly depends on the
size of the network to monitor. For instance, a 66MHz 486 computer is enough to capture the packets on
a 384Kbps DSL link whereas a much bigger computer would be required to do it on a fully‐loaded gigabit
network [2‐7].
2.5  Delivery of the data   
How the intercepted data has to be delivered to the Law Enforcement Agencies is defined in the ETSI
standard and CALEA (Communica<on Assistance for Law Enforcement Act). 

2 Background
Clearly, the delivery of data must ensure that the flow has been securely transmi.ed by taking care of
the following func<ons : Authen<ca<on, Confiden<ality, Integrity, and Non‐repudia<on. For the data to
be transmi.ed securely, Aqsacom recommend to use dedicated circuits or a Virtual Private Network
circuit over the public Internet [2‐1].
Internet is not a safe place to transmit confiden<al data. Most of the informa<on is transmi.ed in clear
text, with no protec<on. Since the data resul<ng from an intercep<on is always very sensi<ve, sending
them over a public network as Internet must be avoided.
Dedicated circuit is the most secure link because the line is dedicated to the communica<on between
Law Enforcement and the ISP that is doing the intercep<on. Since this dedicated link has to be leased,
the result is a higher cost for the LEA.
It is strongly recommended to use a Virtual Private Network [2‐1] over the Internet to transmit the data
as it can take care of all the required func<ons with no addi<onal cost for the LEA. In this case, a secure
tunnel is build between both the LEA and the en<ty performing the intercep<on. All the data are
transmi.ed though this encrypted path. [2‐9]

3 Problem Statement
3  Problem Statement
3.1  What is the problem and why it needs to be solved   
Nowadays, the new technologies are widely used by criminals to exchange informa<on (terrorism,
organized crime) or to stay in touch with their vic<ms (blackmailing). Computers are everywhere and
oﬀenders now have the skills to use them for their criminal ac<vi<es, whatever they are.
When these people have to send emails they know that doing this from an Internet cafe is a good way to
remain anonymous and to ensure that they won't be traced back. Anonymity is one of their main
concern. 
Furthermore, they are aware that going repeatedly in the same internet cafe may compromise them.
Indeed, the Law Enforcement unit in charge of the case can determine where the mail was sent from by
analyzing the header of the email. If the unit  gets the reply to the legal request sent to the ISP, it will be
able to arrest the perpetrator the next <me he comes to this internet cafe. 
For this reason, criminals tend to be roaming between several internet cafes, in order to confuse the
Police. But they are usually visi<ng the same ones, ohen located in the same area of the city. Most of
them do not select a new loca<on each <me they have to connect the Internet. Aher a while, they tend
to go again in a cyber cafe visited already. Not all criminals commit their crimes from big ci<es in which a
good deal of Internet cafes are located. Some of them also operate from smaller towns. They don't have
as many possibili<es when they are roaming between Internet cafes.
Most of the <me, the managers of the internet cafes agree to cooperate. It's not that common to face an
inves<ga<on case in which even the internet cafe is involved and should be considered as an accomplice
of the suspect.
Changing internet cafe for each connec<on to the Internet means that the public IP address used by the
perpetrator is changing all the <me as well. The criminals are aware of this fact too.
In the cases in which there is a need of communica<on between criminals and their vic<ms (e.g.
kidnapping), there are very frequently several exchanges of emails between both the two par<es. It is
ohen a game of ques<ons and answers in which the Police get many IP addresses involved.

Some Internet cafes are open to the customers 24 hours a day. As suspects are liable to connect the
Internet any<me, it is hardly conceivable to think about having a police officer in front of each cyber cafe
all the <me. 
Of course, one can be thinking of pu_ng all the Internet cafes under monitoring. Unfortunately, such
internet   intercep<ons,   whether   on   the   core   network   of   an   ISP   or   locally   in   the   facili<es   of   a
telecommunica<on operator are very expensive and require much efforts to analyze the whole traffic.
Indeed, tradi<onal Internet intercep<ons are recording the whole traffic coming from and going to a
specific target. It would be useless if the only aim is arres<ng the perpetrator. Further computer
forensics will prove he was using the computer for criminal purposes by the <me he was arrested and
will determine what he was exactly doing.
Internet cafes are some<mes the only loca<on where the perpetrator can be arrested. If the criminal is
careful and takes all the precau<ons not to be iden<fied, he never connects the Internet from another
type of internet access. That ensures that no personal IP address will be recorded in the log files or in the
mail headers of the vic<m.
Furthermore, from Law Enforcement prospec<ve, arres<ng a suspect while he is commi_ng his crime,
with his hands on the computer is the best way to get undeniable evidences of his culpability and thus to
prove he is really involved. Unfortunately, arres<ng a criminal in such condi<ons is not that easy. 
Indeed, many major problems come up, due to technical restric<ons or misappropria<on of the law.
Depending on the countries, no legal provision exist with regards to the public access to the Internet
offered by private companies.
In France for instance, Internet cafes are not obliged to comply with any legisla<on with regards to the
iden<fica<on of their customers. 
The managers of the Internet cafes are not compelled to ask people for their iden<ty and even if they
do, they are not obliged to keep any track of it. It means that if the Police come across an IP address
allocated to an Internet cafe by the <me the offense was commi.ed, they cannot simply go to the
manager and get the list of the people who were using the computers. From a Law Enforcement
prospec<ve, this is a big issue as no subsequent iden<fica<on can be done. The suspect has to be
iden<fied and arrested in real‐<me.

Very ohen there is no camera installed in the Internet cafes. Even if there are, they are used for security
purpose only and no video recording exists. Again, it is a constraint for the Police to subsequently
iden<fy a suspect. If the Police officers can iden<fy the Internet cafe the connec<on was established
from and even the worksta<on used, they won't by able to get any picture or video of the criminal.
Moreover, most Internet cafes are linked to the Internet via a broadband connec<on with a dynamic IP
allocated.  Depending on  the  ISP,   it can  take  much <me  ge_ng  a  reply to  the  legal  request  for
iden<fica<on sent. Some of them tend to reply not rapidly enough to fit the constraints imposed by a
criminal inves<ga<on. If the case is about kidnapping for instance, it is crucial that the loca<on the
connec<on is origina<ng from is iden<fied urgently.
Furthermore, when the Police receive the reply from the ISP iden<fying the Internet cafe involved,
obviously only the public IP is iden<fied as this is the only informa<on the ISP knows of. Some internet
cafes are equipped with a huge number of worksta<ons. Every computer is using a private IP and the
traffic is routed to the Internet through the public IP of the router/gateway. 
Internet cafes usually have a basic network infrastructure. They are not equipped with a filtering and
logging appliance such as a proxy server.   A proxy would allow the Police to make a correspondence
between the requested URL and the private internal IP address of the worksta<on on which it was
requested. For instance, if the Police know that the suspect was using Yahoo webmail at a specific
moment, they could analyze the logs of the proxy and make a selec<on of all the computers connected
to this web site at the <me the connec<on occurred.
As it is some<mes impossible to guess which worksta<on was used, it can take a considerable amount of
<me analyzing every computer in a forensic perspec<ve. It can take <me also searching for keywords on
every hard disk to determine which one contains the evidences related to the criminal ac<vi<es of the
user.
Some<mes it is not even possible, as some Internet cafes are equipped with an auto re‐installa<on
process that restores a generic system image on the hard disk when the client logs off. In some cases, the
whole system is virtual and runs completely in memory. It is even more complicated to find digital
evidences if the computer is examined subsequently.
All these technical and judicial issues make the inves<ga<on longer and more complex than it should be
in an ideal world.

Nonetheless, some solu<ons can be thought of to ease and make it quicker to iden<fy and arrest a
criminal connec<ng the Internet from Internet cafes.
3.2  Existing solutions      
3.2.1  Niksun NetDetectorLive   
In terms of network detec<on, a private company named Niksun provides an autonomous appliance
allowing to monitor both the incoming and outgoing network flows in real‐<me.
This equipment called NetDetectorLive (tm) can capture the network traffic and simultaneously search
for non‐authorized pa.erns in transmi.ed packets with regards to the internal policy of a company.
The main purpose of this equipment is to be used in the scopes of intellectual property protec<on and
outbound content control. This appliance makes it possible for the administrator of a network to be
informed in real‐<me of policy viola<ons, par<cularly about sensi<ve content like R&D and financial
informa<on for instance.
Although it has not been designed specifically as a lawful intercep<on product, this equipment includes
some of the func<onali<es that could be required to address the problem described in the previous
chapter. 
NetDetectorlive provides real <me archiving of data and allows reconstruc<on of the content in its
context aherwards. For instance, it can store all email messages or instant messages for a later search.
Furthermore, it is capable of categorizing and reconstruc<ng most of the standard protocols sessions
(smtp, pop, imap, web, instant messaging, hp , p2p) as well as intercepted documents transmi.ed
through the network (office documents,  text files, PDF files, embedded images).
Each <me an incident is detected on the network an event is generated and an alarm is issued. Detected
incidents are logged in a database to allow subsequent filtering and analysis.
Illustration 3.1: NetDetectorLive Appliance From Niksun

The appliance comes with a graphical user interface installed. Hence the user can add new rules without
deep knowledge in terms of computers and networks. This GUI is accessible remotely over HTTP and
HTTPS.
Therefore, as it is constantly audi<ng the traffic and as it is capable of looking up for a specific content
based on rules, it could be a poten<al solu<on to the overall problem of detec<ng strings in the network
flow and issuing alerts upon detec<on.
3.2.2  Qosmos Qwork   
Qwork appliances from Qosmos are designed to recognize and classify traffic flows and to extract
valuable informa<on in real <me. 
Designed for private companies, the ini<al aim of these probes is content classifica<on. The proprietary
technology developed by Qosmos and installed on this kind of appliances records the whole traffic of an
IP network and stores it in a database for further processing.  
It is capable of recognizing almost any kind of protocol from layers 2 to 7 (P2P, web services, chat, mail)
and discovers all applica<ons and usages of the network as well as it can perform sta<s<cs in real‐<me. It
can extract business‐cri<cal data from live flows at network speed.
These appliances, which are said to be transparent on the network, can perform measurements on
network streams from 2Mb/s to 2x1Gb/s and build reports in a dashboard. Upon events, the probe can
also generate alarms.
The equipment, sold as a 1U case, can be configured through a Graphical User Interface that allows to
manage the various func<onali<es of the probe. 
Illustration 3.2: Qwork appliance from Qosmos

3.2.3  Blueye project   
Finally, with regard to keyword based network sniffing, a project has been ini<ated by the BL7 group and
made available for download for windows and Linux under GPL2 license on their website [323‐1] .
This project called Blueye Layer 7 sniffer aims at detec<ng keywords in a high‐rate network stream
(wired or wireless links) in real‐<me. Ini<ally, this project has been designed to allow the administrators
to monitor the backbone of their private company for security reasons. For instance, it can be used in
the field of  intellectual property defense to prevent internal users to send sensitive content
outside the corporate network without being noticed.
Filtering rules can be defined and the configuration of blueye can
be changed by modifying a set of text files. So far, no graphical
user interface exists to perform this task.
As soon as user‐defined keywords are detected, this layer 7 sniffer uses
them to extract valuable and relevant informa<on, rebuilds fragmented
TCP session and stores them on the hard disk of the computer.  It can
also issue some alerts by email on relevant events.
All the logged packets are stored  as PCAP files and also indexed in a MySQL database for later
iden<fica<on and retrieval. The system is scalable to fit the needs of intercep<ng a mul<‐sites network
as well. For this purpose, it can be deployed as a distributed infrastructure composed of several front‐
ends and one back‐end which stores all the records in a centralized database.
Although Blueye is just a piece of sohware and doesn't have anything to do with hardware equipment, it
relies on ninjabox plaporms to sniff the network flow. Ninjabox plaporms are commercialized by a UK‐
based company named Endace.
Ninja plaporms are basically 3U appliances equipped with 2 intel xeon dual core CPU and 4GB of internal
memory. They come with 2 built‐in 1Gb/s network ports. They are also equipped with a RAID array
composed of eight 250GB hard drives for an overall capacity of 2TB.
3.2.4  Drawbacks of existing solutions   
The exis<ng solu<ons iden<fied have all been designed with a specific goal and for a special use.
However, they all provide some func<onali<es that are needed and useful for solving the current issue of
Illustration 3.3: blueye logo

simultaneously intercep<ng occurrences in mul<ple remote local networks. It is possible to use these
technologies in order to address the stated problem.
They all come with an alert mechanism capable of sending no<fica<ons by email upon detec<on of the
strings they are seeking for. It is very important for solving the current problem as being informed
urgently is crucial for arres<ng the perpetrator as he is connec<ng his webmail or his MSN account for
instance.
They are all transparent on the network. This is a good thing since it is also important that the customers
of the internet cafe cannot no<ce that a device is performing network analysis and IP filtering on the
local network they are currently connected to.
Due to the network equipments they are relying on, they are all capable of filtering network flows at a
network speed of at least 200Mb/s. This is a notable func<onality. However it is not required for filtering
an cyber cafe because the network connec<on of an Internet cafe is never as high.
However, despite the above benefits, all these solu<ons have some limita<ons and drawbacks that make
them not appropriate to the current situa<on. 
One of the biggest disadvantages of these three exis<ng solu<ons is the cumbersomeness of the
appliances needed to use these technologies. They all require heavy servers (over 30kgs) which are not
discreet at all and can hardly be inserted in the network infrastructure of an Internet cafe. Amongst the
requirements imposed by the current situa<on, stealth is crucial. Indeed, it is important that the
customers of the Internet cafe don't pay a.en<on to the network equipment that is doing the filtering. 
Aside from issuing alerts when some content of interest is detected, all these solu<ons are designed to
record the valuable traffic on a set of hard disks for subsequent analysis. On the one hand this
func<onality is useless for just sending no<fica<ons. On the other hand it can even be a disadvantage as
some countries have more restric<ve laws with regards to the intercep<ons in which the content of
communica<ons is being recorded. Some legisla<ons make a big difference between filtering and
recording of private communica<ons.   
Niksun and Qosmos are private companies and therefore are very sensi<ve in terms of intellectual
property protec<on. Therefore, they provide their proprietary sohware without the source code to avoid
being copied. Given the sensi<vity of the data filtered by the probes, it is dangerous to rely on a third

party to deal with the content.
As the connec<ons can occur from various internet cafes in a short period of <me, a distributed
infrastructure has to be put in place. It is important that, as soon as a new loca<on has been iden<fied, a
monitoring probe is plugged on the network to detect further connec<ons made from this loca<on.
Apart from Blueye project, the commercial solu<ons don't provide this func<onality. All the other
exis<ng appliances are provided as autonomous probes which are performing the filtering process for
themselves. 
It is also a major need to have a graphical user interface available to allow a regular user to configure the
system without specific knowledge in terms of computers and networks. This GUI should allow the
ability to add probes, loca<ons, recipients and manage the cases easily. Blueye project does not come
with a graphical user interface and has to be configured through a set of text files. 
Finally, the cost is one of the major issue encountered when Law enforcement agencies have to deal with
Internet intercep<ons. Because these equipments are very advanced in terms of hardware configura<on,
they are all very expensive and exceed the price a common Police Unit can afford for pu_ng in place an
electronic supervision of the ac<vity at an Internet cafe.  
It is barely conceivable to install one of those appliances in every internet cafe to put under monitoring.
The   global   cost   of   the   inves<ga<on   would   be   colossal.   Only   the   most   important   and   sensi<ve
inves<ga<ons would make it possible to use these kind of network intercep<ons. For this reason, and to
get more flexibility, a cheaper solu<on has to be thought of.
3.3  Requirements   
As stated, handling an inves<ga<on case in which the offender connects the Internet from a cyber cafe
leads   for   Law   Enforcement   to   face   various   issues   that   make   the   iden<fica<on   and   arrest   more
complicated. In order to take those issues into considera<on and to solve these problems, a technical
solu<on can be designed. It needs to have some specific func<onali<es and characteris<cs.
3.3.1  reliability   
Criminal inves<ga<ons are ohen very important and sensi<ve in terms of content. To avoid missing any
relevant informa<on related to the current inves<ga<on, the infrastructure need to be highly reliable.

Indeed, how efficient would be a system that Law Enforcement Agencies would not be able to trust ? 
As criminal ac<vi<es occurs 24 hours a day, the L.E.A. should be able to use this solu<on on a permanent
basis. As a consequence the solu<on has to remain online all the <me.
To ensure that no power outage will have a nega<ve impact on the availability, the central server must
be supplied by a UPS. This device will provide the computer with electrical current even if the main
power supply fails. It will also prevent the file system from being damaged if the computer is stopped
suddenly.
As the system has to stay online all the <me, it should be able to afford the loss of a storage device. That
means that this computer needs to maintain a real‐<me copy of the main hard drive. If one of those two
disks comes to fail, one will be s<ll opera<ng and the whole system won't be stopped.
It is also important to have a strong backup policy. Even if the file system is protected against the physical
loss of one disk, maintaining a real <me copy also means that the sohware errors are replicated as well.
A good backup policy allows the user to restore previously exis<ng data. It is useful when a file has been
erased or modified by mistake for instance. 
With regards to the network connec<on, a sta<c IP address is a necessary requirement for this kind of
project. Indeed, as the system has to be reachable on a permanent basis, it is faster and safer to make
sure this IP address won't change. If the computer is provided with a dynamic IP address as it is ohen the
case for broadband connec<ons, an external dynamic DNS service has to be used and this is not
appropriate in terms of reliability and confiden<ality. This system is expected to handle data related to
criminal cases. For this reason, it is safer that it relies on its own infrastructure.
3.3.2  Functionalities   
When designing an intercep<on system, one of the key point is to make it able to react in real <me to
any addi<onal informa<on encountered during the inves<ga<on.
In the current situa<on, if a new email address is found by the police officers as being used by the
offenders, it has to be added urgently to all of the probes in the various internet cafes involved.
In   a   non‐centralized   infrastructure   it   is   necessary   to   append   the   keyword   to   every   single   probe
individually. In fact it means that a Police officer in charge has to go into each internet cafe, connects to

the probe locally and applies a modifica<on to the filtering rules. 
In fact, the police officers from local police unit some<mes don't have the technical skills to handle such
computer systems. Also, it can take much <me doing that if the probes are distributed na<onwide for a
single inves<ga<on case.
To avoid this kind of inefficient process, a centralized architecture has been adopted. Actually, if all the
probes are connected to a central server on a permanent basis, one single opera<on is enough to update
them all. The modifica<on is applied to the server and this server is responsible for spreading it over the
network of probes. No ma.er how many probes are connected to the infrastructure, the <me spent by
the user won't be increased.
Since the role of the server is cri<cal in such an infrastructure, it has been decided to make the central
Law Enforcement Agency responsible for it. This is the reason of the choice of a centralized architecture
instead of a non‐centralized one in which each single probe would have been isolated.
Thus, the central part of the solu<on will be able to propagate addi<onal rules to the local modules
without delay through a secure channel. If the offender goes to another Internet cafe under monitoring
anywhere in the country, this new string will be detected immediately.
Obviously, with regards to reliability, this channel can be used in both ways. For instance, it can be used
by the central server to control the modules as well. 
As it is important that all the modules remain online and stay connected to the server on a permanent
basis, the server can be used to ensure that the probes are reachable all the <me. Therefore, a flag will
be raised up each <me a module has been disconnected for a while.
3.3.3  Flexibility   
An inves<ga<on case can be conducted na<onwide. Therefore, this central system should be able to
receive and take care of data coming from local modules located everywhere across the whole country.
These inves<ga<on can also be conducted by numerous Police officers pertaining to various unit. 
The number of Police officers in charge of a single case should not be limited. Thus, if an event is
detected by a module, the central system will be able to inform all of them simultaneously whether on

their email address or on their mobile phone.      
Likewise, as this system is designed as and expected to be a central solu<on, it should be able to handle
many inves<ga<on from more than one unit at a <me.
Indeed, this solu<on is intended to be managed by a central Law Enforcement Agency. But this unit is not
going to conduct all the inves<ga<on by itself, even if it takes care of the technical aspects. Analyzing the
content data will remain with the local unit, fully aware of the case.
Therefore, if an alert is issued, it has to be sent to the local Police officers as they have the best
knowledge of the case and they will assess the real urgency of the event.
3.3.4  Speed   
The local modules are intended to be installed in Internet cafes and other public loca<ons providing
access to the Internet. Those places are usually frequented by numerous customers during opening
hours.
To avoid these people no<ce that a detec<on module is being installed, it has to be put in place as
quickly as possible. Therefore, this module needs to be provided with an automated on‐site installa<on
procedure which eases opera<ons and shortens the <mes spent by the Police officer for installing the
probe.
Once the module is opera<onal, it should begins filtering the traffic immediately.
Currently, the only goal is arres<ng the individual commi_ng a crime. For doing this, speed is essen<al at
any stage of the process.
The traffic needs to be analyzed in real‐<me. While the inves<ga<on is going on, it would be useless to
record the data for further analysis. Exis<ng solu<ons iden<fied in a previous chapter would take care of
this efficiently. Moreover, computer forensic techniques applied to the computer this suspect was using
will reveal subsequently what he was doing when he was arrested.
But there are some significant informa<on the Police officers need to know for arres<ng the man. 
A very important one is the internal IP address of the computer that the suspect is using. As some

Internet cafes have many computers installed, it is important from a Law Enforcement prospec<ve to be
able to determine very quickly which one was used by the perpetrator.
In other words, each local modules should be able to get and report the private local IP address allocated
to the worksta<on that which the alert to be sent.
Since it is much important to enter the premises of the internet cafe as quickly as possible, the alerts
should be sent by the detec<on modules without delay.
The solu<on needs to consider this point as a primary requirement. Indeed, the aim of such a project is
not only to iden<fy the computer. The main goal of the Police officers is to arrive on <me, when the
suspect is s<ll connected to the Internet
3.3.5  Security   
The next requirement imposed by such a project is security. As it is going to take care of data related to
criminal inves<ga<on, it is mandatory that those data remain confiden<al except from legi<mate users.
No informa<on should be disclosed at any <me, either to the suspect or to the manager of the Internet
cafe under monitoring. Likewise, if the solu<on requires from Law Enforcement to rely on a third party
(hos<ng company for instance), the data should not be accessible from this external provider.
Therefore, encryp<on needs to be considered at two levels.
The first one is the security of the transmission of the data in both the incoming and outgoing ways.. 
Indeed, as the manager of the internet cafe should ignore what content is under monitoring, the local
modules should not be sensi<ve to sniffing. This is the reason why the communica<on has to be
encrypted and the data have to be sent through this secure channel over Internet instead of simply in
clear text.
Similarly, the local modules will report the alerts to the central server via this encrypted tunnel. This type
of encrypted transmission will be provided by any Virtual Private Network solu<on.
Next, encryp<on may be needed for storing the sensi<ve data on the storage device.

For instance, if the central server is hosted in the facili<es of a private company (data center), the
employees may poten<ally have access to all the computers of their customers. Even if the central server
is a dedicated computer, used by no other customer, it should not be assumed that no one will ever gain
access to the hard drives of this computer.
In fact, if one of the drives has a physical failure, the provider will replace it. But no one can guess in
advance what this hard drive will become aherwards. What will happen if the hard disk gets repaired
and is allocated to another customer ? Basic forensic technique and data carving opera<ons applied on
the drive will allow this new customer to find data related to a criminal inves<ga<on.
This would not be suitable at all in terms of confiden<ality with regards to judicial material.
Therefore, encryp<on is a possible solu<on to protect the sensi<ve data from a non‐legi<mate access.
Even if it doesn't protect them from a network access while the server is up and running, it is a good
preven<on against off‐line analysis and data restora<on techniques used directly on the hard disk itself.
For security to be increased slightly, the computer needs to be protected against illegal uses from the
network as well. Indeed, the access to the sensi<ve data should be restricted to the administrator or the
authen<cated and allowed users. The system is not intended to be a public service on the internet, open
to any user. Instead, it is expected to be a private solu<on limited to Law Enforcement Agencies.
From a technical point of view, it means that it should be protected by a firewall and that the service
should not use well known ports which are very sensi<ve to port scanning. It should be configured rather
to operate with ports that won't be guessed easily.
Another important aspect, in terms of security is the stealth of the solu<on. As said before, it is
recommended that the customers of the Internet cafe don't no<ce that the traffic is filtered and
analyzed   in   real‐<me.   Thus,   the   local   modules   used   on‐site   need   to   be   invisible   from   the   user
perspec<ve.
The modules should not appear on the path to the Internet. The users should believe they are connected
directly to the Internet, with no addi<onal hop. It will prevent unauthorized access a.empts as it will be
very difficult for the users to guess there is a probe installed and what its IP address is.
Finally, the last thing to take into considera<on in terms of security is the physical equipment itself. Even
if this module is installed with the coopera<on of the manager of the Internet cafe, it should easily be

hidden from customer view. 
Therefore, in order to remain discreet, these modules need to be composed of a small devices instead of
big computers or heavy and cumbersome appliances. This way, they can be easily included in the
network equipment of the Internet cafe without being no<ced. Furthermore, the fact that the probe has
no screen and no keyboard will prevent the manager to be tempted to access it.
3.3.6  Cost   
The cost of such a system is among the constraints of every Police unit. How interes<ng would be a
solu<on that no Law Enforcement Agency can afford because it would exceed the financial possibili<es
of the Unit ?
Indeed, the solu<on thought of in the scope of this project should be an affordable one. This will ensure
that almost every Police Unit can use it. The cheaper it is, the more widely it will be used.
Therefore, instead of being built from commercial solu<ons, this solu<on could be composed of open‐
source components so that it will not cause any unnecessary expenses. Open‐source components are
now widely deployed and reliable enough to handle such projects.
With respect to the global cost of the solu<on, it is also important that the hardware configura<on is
composed of affordable equipments. It is hardly conceivable to use hardware equipments specifically
built for this project as this tailor‐made solu<on would be an expensive one. Instead, the project could
be achieved by using standard equipments configured to fulfill the required func<onali<es.
For instance, the local modules to be installed in the Internet Cafes could be composed of exis<ng
hardware devices and not standard computers (either laptops or worksta<ons). Even if the price of the
computers has slightly decreased over the last decade, the required features can be achieved by a
cheaper type of equipment.
Furthermore, in case this equipment is robbed from the facili<es where it is installed, it won't cause the
same loss from a Law Enforcement perspec<ve. The cheaper an equipment is, the less temp<ng it is for a
thief. Also, a robber will understand very obviously what he can do with a computer, whatever it is. But
he will probably not steal an equipment that appears useless from his point of view. 

3.3.7  Legality   
Lastly, the adopted solu<on should match the legal system of the country it is deployed in. 
In order to ease the use of this system in terms of legal restric<ons, it needs to be a detec<on and
repor<ng   system   instead  of   an   intercep<on   solu<on.  This  point  is  crucial   as   na<onal  regula<ons
regarding intercep<on of  telecommunica<ons are ohen very restric<ve.
Thus this system won't record the traﬃc and won't keep any track of the user data. Only some
monitored strings will cause alerts to be issued to the law enforcement. 
This system should be a binary one. The only important point is “Is any occurrence detected or not” ? If
it is, the event should be reported urgently to the Police oﬃcers in charge of the case since the criminal
is currently connected and has to be arrested without delay.
Obviously, if the na<onal legisla<on of the country requires that the Police Unit obtains a warrant or an
authoriza<on from a judge prior to pu_ng a probe in place, this installa<on should be done with regards
to the local legal provisions.

4 Adopted Approach
4  Adopted Approach
The previous sec<ons iden<fied the issues encountered by Law Enforcement Agencies in catching a
roaming perpetrator and the func<onali<es a good system would require. This chapter defines an
approach to solve the problems that come up by building a cheap detec<on and alert system for Local
Area Networks.
4.1  Overview of overall architecture   
As the sec<on 3.3 iden<fied the necessity of building a centralized system, the solu<on is composed of
two main components. The first one, called “central server” is located on the Law Enforcement side. The
second one is iden<fied as “probe” and has to be installed in‐situ on each loca<on to be remotely
monitored. 
The key point of the selected infrastructure is the central server which has the responsibility of managing
Illustration 4.1.: Diagram of the overall architecture

the whole infrastructure. This computer has to stay in contact with the probes on a permanent basis in
order to be able to update and monitor them all on demand.
The probes are composed of regular and cheap SOHO routers which have been modified and updated
especially for this project. Each probe has been flashed to replace its firmware with a mini Linux
opera<ng system in order to be able to implement the features required for the fulfillment of this
project.
An   ordinary   computer   such   as   a   laptop   could   have   achieved   the   same   bridging   and   sniffing
func<onali<es as long as an addi<onal network card has been provided.
But with regards to the constraints on the cost of the overall solu<on, it was apparent choosing cheap
equipment, already equipped with mul<ple network cards was more appropriate.
4.1.1  The central server   
The central server is the core of this architecture. It has to perform various tasks and implement several
func<onali<es, on a permanent basis. Therefore, it is crucial that this server remains on‐line all the <me
and stays accessible by the probes all the <me.
1 Hosting
Thus, one of the primary considera<on about this server is hos<ng. Indeed, as the whole infrastructure is
organized around a central server that has to be reachable all the <me, how this computer is hosted is
essen<al for the system to work. There are actually two types of solu<ons that can be used to host such
a computer.
The first one consists in hos<ng the server in Law Enforcement facili<es. 
It requires that the link connec<ng the premises to the Internet has a high bandwidth, dedicated to this
purpose. This connec<on should be provided by the ISP with a sta<c IP address. This point is crucial
because the probes are going to use the IP address of the server as the end for the virtual private
network tunnel.
This type of hos<ng can bring privacy and security as the physical access to the server can be restricted.
It is also a cheap solu<on as a broadband access is nowadays very affordable for any unit.

Nonetheless, this type of hos<ng has some serious disadvantages. 
The server, in the scope of this project is meant to send emails to the police officers responsible for the
inves<ga<on cases. As the server has a reverse name belonging to an ISP, the electronic mails sent by a
server hosted behind this type of connec<on are very ohen classified as spam by most email providers. It
is not really suitable in the current situa<on. Of course, where is the point sending an email urgently if it
is directed in a spam folder and simply ignored.
Moreover, most broadband connec<ons are not symmetric and do not allow the user to upload data
with a very high speed. For instance, ADSL connec<ons provide very good download capabili<es but the
upload is much restricted (256kb/s). Again, It is not suitable because this server is intended to operate as
a proxy and to manage many probes . For this reason, a symmetric traffic may be preferred.
The second possibility is a dedicated server hosted in a data center.
One of the most benefit is the high availability this type of hos<ng supplies. Indeed, a dedicated server is
provided with electricity by a UPS and comes with a 24/7 assistance in case the server has to be
rebooted for any reason.
The network connec<on is usually a 100Mb symmetric link which is relayed through mul<ple operators.
The server has at least one public IP address assigned which is par<cularly suitable in the scope of the
current project.
Moreover, as the DNS name of the hosted server can be set by the user to be in almost any domain (i.e.
the name of the server does not have to be in the domain of the hos<ng company), it avoids the mails
sent from this computer to be classified as spam, counter to the situa<on described above.
Unfortunately,   such   a   hos<ng   solu<on   has   disadvantages   as   well.   Indeed,   physical   access   to   the
computer cannot be restricted to Law Enforcement. Moreover, as it is usually a monthly rental, there is a
recurrent cost even if it's not very high
Given the pros and the cons of both the two solu<ons, this project will be based on the second one as it
fulfills all the constraints of high availability imposed and the cost of the rental can be undertaken by a
central Law Enforcement Agency. 

2 Functionalities
As   stated   previously,   the   server   has   to   complete   several   tasks,   required   for   this   project   to   be
implemented properly.
It is hos<ng a central database managed by a home‐made Graphical User Interface programmed in PHP.
This GUI has the responsibility of sending the new rules to the probes each <me the user updates them.
This server is also opera<ng a proxy service that will be used subsequently to remove the HTTP headers
with regards to compression. This issue will be discussed in more details in a forthcoming chapter.
Furthermore,  this   computer   is   responsible   for   monitoring   the  probes   remotely,  through   the   VPN
connec<on. In fact, a probe can be unplugged from the network by a non‐coopera<ve manager for
instance. This server monitoring ensures that all the probes remain ac<ve at any <me and connected to
the internet on a permanent basis. Furthermore, it allows any breakdown on a router to be detected
remotely.
At last, the central server has the responsibility of taking care of the alerts sent by the probes. Thus it is
issuing emails and SMS to the Police forces when an occurrence is detected by a router on a remote LAN
currently under monitoring.
4.1.2  The probes   
The global architecture has to be support mul<ple inves<ga<ons at the same <me to ﬁt the need of a
central Law Enforcement Agency. If this unit has to deal with an inves<ga<on case in which criminals
connect the Internet from many various loca<ons, new probes need to be added to the infrastructure
every <me a new loca<on is being discovered.
One of the main constraint in the current situa<on is the cost of the overall solu<on. With regards to
this, the project needs to iden<fy a workable solu<on that can be made out of cheap components.
As the number of probes can rapidly increase, it is necessary to select an equipment as cheap as
possible. For this reason, the Linksys WRT54GL router is used for building the probes.

1 Hardware description
The   WRT54GL   [412‐1]   is   a   all‐in‐one   Internet‐sharing   router   from   the   manufacturer   Linksys.   This
equipment includes three built‐in modules : a network router, a 4‐port switch and a Wireless 802.11B/G
access point. 
This device is equipped with a 32‐bit MIPS architecture  Broadcom 5352EKPB processor opera<ng at
200MHz and 16 MiB of Random Access Memory. It also comes with a ﬂash memory of 4 MiB that can be
used for addi<onal applica<ons.
A wireless chip Broadcom BCM43xx 802.11b/g is also integrated but it won't be used in the scope of the
current project. As this router is expected to operate as a ﬁlter on wired networks, the wireless part will
be disabled and the antennas will be removed.
Illustration 4.3.: Front view              Illustration 4.4.: Rear view
A lot of various versions of this router exist [412‐1]. Some of them could have been used as well. For
Illustration 4.2.: WRT54G connectivity

instance, WRT54GS comes with more memory and a higher CPU speed but it is a bit more expensive. In
the scope of this project, WRT54GL provides enough memory to store the addi<onal applica<ons
needed and enough processing power to complete the required tasks.
2 Software and Functionalities
WRT54GL is a special version of the WRT54G router from Linksys. The key point of this router is the
possibility to replace the ini<al firmware with an open‐source one that turns the equipment into a
powerful device opera<ng under Linux. There are several Linux distribu<ons compa<ble with this router
(OpenWRT, DD‐WRT, Freifunk) that make it possible to customize the device.
For achieving this project, OpenWRT has been selected because it is providing all the necessary packages
that this probe needs to complete its role. 
To use this router as a filtering probe, it is necessary to iden<fy all the func<onali<es it has to implement.
It will determine what applica<ons have to be installed subsequently on the router.
By default, the router includes a DHCP server, and is defined as the default DNS server and default
gateway for the worksta<ons on the LAN. It masquerades the IP addresses of the computers connected
to the internal network and routes them via the WAN interface to the Internet.
As stated previously, the router has to remain invisible on the network. As a consequence the router
should not use Network Address Transla<on and has to transmit the packet without applying any prior
modifica<on. It should be configured as a bridge instead of a tradi<onal router. All the func<onali<es
related to network have to be disabled. For instance DHCP and DNS services have to be provided directly
from the usual gateway router of the network it is connected to. The probe just has to relay the requests
to the DHCP or DNS servers on the LAN.
Thus, the two network ports (LAN and WAN) on the router will appear as a single one named br0. No
rou<ng opera<ons will be done while transmi_ng the packets from one interface to the other.
Next, the router also has to implement a VPN client sohware to connect the server end hosted on the
central server. The VPN tunnel will be used to report occurrence detec<on and to update the probe
remotely.
It needs to be capable of filtering the network traffic transparently in order to intercept the HTTP

requests. Obviously, the end user should not no<ce this addi<onal processing of the packets. With the
help of the HTTP proxy hosted on the server, the probe should be capable of using the transparent
proxying concept to complete this task.
Finally,   the   router   should   be   able   to   sniff   the   network   stream,   analyze   the   content   and   detect
occurrences that match predefined rules. This is the most important and the main purpose of the probe.
4.2  Setting up SMS and Email accounts to receive alerts   
When an occurrence is detected in the network stream the system should be capable of sending  two
types of no<fica<on. As the server has an SMTP server installed, it will be able to send electronic mails to
the Police officers. But as they may not be connected all the <me on their computers, the system should
be capable of sending SMS on mobile phones as well. Thus, the Police officers will receive alerts in real
<me whatever their communica<on devices are : mobile phone, PDA, Blackberry ...
Since the server is not connected directly to a mobile phone for sending SMS, it has to rely on an
external provider. For this reason, prior to installing the whole infrastructure it is necessary to set up an
account on the website of this provider. This account will be used to operate as a email/sms gateway.
Every email sent to this specific email address will be forwarded as a SMS to the mobile phone of the
Police Officer in charge of the inves<ga<on case.
4.2.1  Telecommunication operator   
The first possibility is using an op<on offered by the telecommunica<on provider which the mobile
phone line pertain to. Many operators allow the customer to create an email address associated with his
phone number. Each <me an email is received by this mailbox, and SMS is issued to the mobile phone of
the user. 
For instance, Orange France provides such a service to their mobile phone subscribers.
For configuring the forwarding of emails as SMS, it is necessary to connect the webmail on Orange web
site. The SMS no<fica<ons page allows the user to customize preferences for Email forwarding. 
On this page, it is possible to configure how the electronic mails sent to the Email address of the user are
forwarded to his mobile phone. The no<fica<ons can be enabled or disabled upon specific criteria. As an

example, every mails coming from ipole_server@ipole.fr can be allowed to be forwarded to the mobile
phone number of the inves<gator whereas other emails coming from other source addresses will simply
be ignored. 
In this case, when an email is forwarded, the only informa<on which appear in the SMS are source email
address and subject. The body of the email won't be sent because a Short Message is limited to 160
characters. For those reasons the alerts sent subsequently will be formated on‐purpose to take the
constraint into considera<on.
In the scope of this project, if a Police Officer in charge of an inves<ga<on wish to be informed in real
<me   via   SMS   that   an   occurrence   has   been   detected   on   the   LAN,   an   email   account   at   his
telecommunica<on provider has to be configured on purpose. An email address need to be associated
with his phone number.
The server will use this email address to send no<fica<ons to. 
Illustration 4.5: Orange webmail

4.2.2  EmailtoSMS providers   
The second op<on which can be used to send SMS to the mobile phone of the inves<gator is a Email‐to‐
SMS provider. Some service providers on the Internet supply free or paying Email‐to‐SMS gateways that
transmit any email received by a given email address to a user‐deﬁned mobile phone number.
For instance, the site sms2email.com provides this type of service. Once an account has been created on
the site, it is possible for the user to buy a SMS credit. These SMS will be used to send no<ﬁca<ons.
Illustration 4.6: SMS notifications

4.3  Installation of the central server   
4.3.1  Technical choices   
1 Hosting
For the purpose of this project, as stated in a previous chapter, it is assumed that the central server is
hosted in a data center on a permanent and symmetric connec<on of 100Mb/s. This server has a sta<c
public IP address assigned. A second IP address will be allocated on a private range while se_ng up the
VPN connec<on.
2 Real-time mirroring
High availability is one of the key point of the infrastructure. 
Indeed, if the hard disk of the central server become defec<ve, the whole system will be unusable
immediately. If there is a mechanic or electronic failure on the disk,  even if backups have been made
properly, the server won't be available un<l complete re‐installa<on. In this case, the administrator will
have to set up a new disk, and execute the whole installa<on procedure of the central server again. 
It can take a long <me doing such substan<al work and therefore is not compa<ble with a system meant
to handle criminal inves<ga<ons. If any criminal goes to an Internet cafe during this <me and connects to
his webmail, even if the probe detects an occurrence, it won't be able to report it to the server, hence to
inform the Police oﬃcer that it has been detected.
Such a point of failure is a major problem in a centralized environment. The
system needs to be able to aﬀord the failure of a hard disk without being
stopped. It means that the hard disk needs to be mirrored in real‐<me to
ensure that a copy of any piece of informa<on exists.
RAID 1 will take care of this task and will ensure that informa<on wri.en to
a disk is mirrored to the second one simultaneously. As a ma.er of fact,
RAID 1 allows the loss of one disk. The RAID arrays con<nue to operate as
long as at least one drive is working.
Two common types of RAID exist : hardware and sohware RAID. 
Illustration 4.7.: Raid1

A hardware RAID has good benefits. It has dedicated hardware equipment that controls and manages
the RAID arrays without impac<ng the performance of the CPU. Unfortunately it requires an addi<onal
interface card usually intended to work with SCSI disks. In a general way, this card is costly and the SCSI
disks are much more expensive than ATA or SATA disks.
Moreover, the most common dedicated rented servers do not provide this hardware RAID feature. A
specific offer has to be subscribed and it can be also very expensive.
As the server is opera<ng under a Linux Opera<ng System, the second op<on is available. In this case,
the RAID func<onality is handled in a sohware way by the Linux kernel. If the central server has two hard
disks installed, it is possible to set up a sohware RAID array that will combine them in just one virtual
hard   disk.   Any   byte   wri.en   to   the   virtual   hard   disk   will   be   wri.en   to   the   two   separate   disks
simultaneously.
If a failure comes up on any of the two disks, the informa<on will remain on the second one. The
administrator will have to remove the defec<ve disk and replace it. Then he will be able to add  a blank
disk to the RAID array. Then , the informa<on will be replicated to the new disk by the sohware RAID
service.
Finally it will work like an hardware RAID, although it will not be as fast. It will have just a li.le impact on
CPU speed. It is just a small performance reduc<on and modern computers can afford it without any
problem. That is the main drawback of sohware RAID.
In the scope of this project, a sohware RAID will be used. It requires from the Unit to rent a dedicated
server with two iden<cal disks installed. It also requires to use a Linux distribu<on that supports
sohware RAID, as most do. It is the case of the distribu<on this project is using : Debian 4.0 Etch.
4.3.2  Installation of Debian Etch on the central server   
Now that the distribu<on to use has been selected, the server is going to be installed and configured to
fulfill the required func<onali<es. The default installa<on procedure can be followed and the default
op<ons can be selected most of the <me.
However, there are some custom configura<ons that need to be made. 

One of the first things to define is the name of the server. This name will be used by the server for many
purposes. If a domain name has been registered to set up
the whole infrastructure, the host name of the server can be
allocated on this domain. In the scope of this document, the
domain name ipole.fr will be used as an example.
As the installa<on procedure is going on, the user is invited
to par<<on the hard disks and to define the logical structure
of the disks. As stated in the previous chapter, RAID 1 is
used to ensure redundancy of the data. For this reason,
manual par<<oning is more appropriate than assisted one.
In order to set up the RAID arrays properly and to ensure that the system will boot up correctly even if
one of the disks is defec<ve, three par<<ons are created on each disk. The disks have both the same
par<<oning scheme.
The   type   of   each   par<<on   is   set   to   RAID.   Indeed,   the
par<<ons will be combined by pair to create RAID arrays.
Each RAID array will point simultaneously to both the two
same par<<ons on each disk.
The first RAID array combines both the two first par<<ons of
the hard disks. It is a small RAID array  used to store the files
used during the boot process, contained in /boot directory.
The second RAID array is the main and also the biggest one.
It is composed of the par<<ons /dev/hda2 and /dev/hdb2
and it  contains the root system. The size of the second RAID
array named /dev/md1 depends upon the total capacity of
the hard disk. As it is the main par<<on, it can be resized to
fill the total free space available on the hard disk.
The last RAID array  /dev/md2  is the swap area for the
system. Instead of a single par<<on, a RAID array is used as
well. Thus the system will be able to boot normally, even if
Illustration 4.9.: partitions
Illustration 4.8.: Name of the server
Illustration 4.10.: Partition allocation

one of the disks has a failure. This kind of configura<on makes the system a li.le bit slower but it
improves reliability and availability.
There is no spare disks in this RAID array. This is the situa<on in most dedicated server rental offers. As a
ma.er of fact, if one of the disks has a serious failure, it will have to be replaced because no new disk
will be added automa<cally to the array.
Once the raid arrays have been defined and the crea<on has been confirmed, the par<<ons are
formated and the base Opera<ng System is installed.
It is necessary to choose a password for the administrator  account which is called root. It is also required
to add a user account to the system. This user has limited permissions and is used to complete tasks that
do not require extended rights.
Even   if   pre‐configured   installa<ons   of   the   system   are   available   during   installa<on   process,   it   is
recommended to install a “standard system” instead. Indeed, it only installs the base packages. Thus it is
smaller. Moreover, it is also more secure as it does not run a set of useless services and open unused
ports.
It is also recommended to set up an online repository (e.g. : Ireland/hp.ie.debian.org) to install the
packages and the updates from. This ensures that all the packages on the system will remain up‐to‐date.
It is very important if security flows and vulnerabili<es are
discovered and disclosed.
At   the   moment,   the   RAID   arrays   are   currently   under
construc<on.   The Opera<ng System seems to be slow as
resources are being used to build the RAID system.
At   the   end   of   the   installa<on   procedure,   the   user   is
prompted to choose the disk or the par<<on on which the
Linux boot loader named GRUB is installed. Obviously, as
there is only one Opera<ng System installed, no other previous boot loader exists. For this reason, GRUB
has to be install on the Master Boot Record of the first hard disk. A second boot loader will be installed
to the other disk aherwards to make it capable of boo<ng even if the master disk is absent.
Now that the boot loader has been installed, the system is going to reboot. It is recommended to wait
Illustration 4.11.: Grub installation

for the hard disk LED to stop blinking before going further. As said above, the RAID arrays are currently
being constructed as it is safer to wait for the process to be achieved before reboo<ng the computer.
4.3.3  Completion of the RAID conOiguration   
The Opera<ng System is now fully func<onal. At this step, only the base packages have been installed
and just a few services are being launched on startup.
The system now needs to be configured properly to perform its task.
The RAID arrays was configured during the installa<on process. However, there is a step that needs to be
completed to make the RAID system fully opera<onal.
When a computer starts, the first data accessed on a hard disk is the Master Boot Record, located on
sector 0. This MBR contains the descrip<on of the disk itself and also the table of par<<ons. To get a disk
bootable, this MBR has to be ini<alized in a suitable manner.
Although this step has been achieved for the first hard drive during the installa<on procedure, the
second drive needs to be set up too. Indeed, the system has to boot even if the master hard drive has
been removed. Likewise, if the first hard drive of the computer becomes defec<ve, it will have to be
replaced. If the boot loader can only be launched from the MBR of this defec<ve disk it will be a big issue
for the system to remain opera<onal.
Therefore, the MBR is going to be ini<alized on the second disk of the RAID system. The boot loader
Grub is modified also to include a fallback op<on, in case the first drive would not be available any more.
In addi<on, if one of the hard drives has to be replaced by a new one, the MBR on the new disk will have
to be set up too.
Therefore, these are the modifica<on applied manually to the file /boot/grub/menu.lst
A sec<on is present in this file already to describe the boot op<ons available.
title Debian GNU/Linux, kernel 2.6.8-2-386
root (hd0,1)
kernel /boot/vmlinuz-2.6.8-2-386 root=/dev/md0 ro
initrd /boot/initrd.img-2.6.8-2-386
savedefault
boot
It needs to be replaced by the following one. This opera<on will add another op<on to boot from the

second hard drive
fallback 1
title Debian GNU/Linux, kernel 2.6.8-2-386 - HDA
root (hd0,1)
savedefault
boot
title Debian GNU/Linux, kernel 2.6.8-2-386 - HDC
root (hd1,1)
savedefault
boot
This modifica<on adds the possibility of boo<ng from the drive (hd1,1) instead of (hd0,1). These
numbers have to be incremented by one to determine the number of the drive and the number of the
par<<on used. As an illustra<on, (hd1,1) refers to the second par<<on of the second disk.
This modifica<on concerns IDE/ATA disks only. It is useless if the computer is equipped with SCSI or SATA
disks. Indeed, SCSI and SATA disks are referred to as sdX by Linux opera<ng system. If the first disk is
missing for instance, sdb automa<cally becomes sda and no modifica<on to the boot loader is needed.
The fallback op<on is also added to ask the computer to automa<cally use the second op<on in case the
first one is not available.
Then, the MBR has to be wri.en to the sector 0 of the second hard drive so that it will be able to boot
also. A tool exist to configure the boot loader : grub. The following commands have to be executed using
this tool.
root (hd0,0)
setup (hd0)
root (hd1,0)
setup (hd1)
quit
Finally, it is much recommended to monitor the RAID arrays to be informed in real‐<me of the failures
that can poten<ally occur. Therefore, it is necessary to tell the RAID service to send an email to the
administrator each <me one of the RAID arrays is defec<ve. Mdadm has to be reconfigured to add the
email address of the system administrator, using this command :
dpkg-reconfigure mdadm
Some ques<ons need to be answered. The email address is chosen as an example.
MD arrays needed for the root filesystem: All
Should mdadm run monthly redundancy checks of the MD arrays? Yes
Do you want to start the MD monitoring daemon? Yes

Recipient for email notifications: admin@ipole.fr
4.3.4  Basic system conOiguration   
1 Updating the operating system
The Linux distribu<on has been installed from the repositories available on the Internet. However, some
of them may not provide the most up‐to‐date packages. So the opera<ng system needs to be updated
prior to installing addi<onal packages. At the same <me, some packages are installed as they will be
useful for configuring the server
apt-get update
echo "o" | apt-get upgrade
echo "o" | apt-get install vim mc lynx ntpdate
2 Configuring and Securing SSH
SSH is used as a remote administra<on tool. SSH daemon usually uses a well‐known port (22) to operate.
This port has to be changed as it can easily be scanned with a tool and even exploited if it is vulnerable.
Likewise, a banner can be created to inform the client connec<ng accidentally to this port that he is not
supposed to stay connected as it is a port used for private use only.
cat /etc/ssh/sshd_config | sed 's/Port 22/Port 60022/g' | sed 's/^#Banner/Banner/g' >
/tmp/sshd_config
mv /tmp/sshd_config /etc/ssh/sshd_config
cat << FIN > /etc/issue.net
**********************************************************
*** P R I V A T E S E R V E R ***
**********************************************************
FIN
/etc/init.d/ssh restart
The SSH server now operates on port 60022, which is not so easy to guess from the a.acker prospec<ve.
If the administrator is willing to use an authen<ca<on process based on a public/private key exchange
instead of a password, it is possible to add the public key in the file /root/.ssh/authorized_keys aher the
file has been created as follow : 
mkdir /root/.ssh; touch /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
cat << FIN > /root/.ssh/authorized_keys
#Clé bruno
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAqb2JXka/LAITnHZg0jMCfSykiLkjAlMrM2qf9qnl/fpODRMPeHOWYUUSQVVvcir/Q/
EMM6Dhr5oQ4zJ72dNBZPzYqfIZMit3T8R3oE1r/tbDkKQID9oRa9qnmThywpfjvr82/ap5uWqPx2LVtNVSPxpwHayCb9Ac
T+3RMRPc= boolaz-putty
FIN

Now, SSH private and public keys for the servers are generated to be uploaded to the probes later on. It
will allow the central server to connect the probe with an authen<ca<on based on a key exchange
instead of a password.
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
7c:d9:00:8e:c0:b9:d4:c1:5c:51:c7:38:0b:16:c7:41 root@ipole
The SSH public key to be uploaded into the probes is named /root/.ssh/id_rsa.pub
3 Host Name
Then, a name is defined for this computer since it will be used by many services to iden<fy the server.
echo -e "Name of this server: c" && read nom_machine && echo $nom_machine > /etc/hostname
4 Prompt
The prompt is configured too in order for the administrator to know specifically which server he is
connected to. At the same <me, some useful aliases are defined too.
cat /root/.bashrc | sed 's/êxport PS1/#export PS1/g' > /tmp/.bashrc
mv /tmp/.bashrc /root/.bashrc
cat << FIN >> /etc/profile
HOST=`hostname`
PS1='033[1;35m$HOST033[0m - 033[1;32mu033[0m - w# '
export PS1
alias rgrep="find . -type f | xargs grep -ni"
alias ll="ls -al –color"
alias sshp="ssh -p 60022"
alias scpp="scp -P 60022"
FIN
5 Date and Time settings
Then the <me of the server is configured to automa<cally synchronized itself on <me servers available
on the Internet. This step is completed by the use of the crontab which is execu<ng programmed ac<ons
at specific <mes.
cat << FIN >> /tmp/crontime.tmp
`crontab -l`
# Time Update**
0 */4 * * * /etc/init.d/ntpdate restart >/dev/null 2>&1
FIN
crontab /tmp/crontime.tmp
rm /tmp/crontime.tmp
In this case, the <me and date of the server will be synchronized every 4 hours. The same procedure will

be carried out for each probe. Thus, it will ensure that the dates and <mes of the log lines recorded by
the probes will correspond to those wri.en by the server.
6 Configuration of the BASH and VIM profile
Specific variables of the bash are configured in the profile of the root user. In this example, some
variables are modified with regards to security. For instance, HISTFILE is unset to make sure that no bash
history will be recorded to the hard drive. It will improve security in a sense that no employee of the
hos<ng company will be able to know what this server is being used for.
cat << FIN >> /root/.bash_profile
export HISTFILESIZE=0
unset HISTFILE
export HISTSIZE=70
export HISTCONTROL=ignoredups
FIN
At last, a configura<on file for vim is created in order to ease the use of this tool while edi<ng
configura<on files
cat << FIN > /root/.vimrc
set ignorecase
set showmode
set noautoindent
set tabstop=4
syntax on
FIN
7 Logs export
For increased security, the logs of this server can be exported to a remote one. Thus, in case this server is
being compromised and a rootkit is installed by the miscreant, it will s<ll be possible to inves<gate the
log files by having a look to those recorded in the second server. In this example, syslog.ipole.fr is the
name of the remote server to be used.
echo "*.* @syslog.ipole.fr" >> /etc/syslog.conf
4.3.5  Virtual Private Network Server and CertiOication authority   
In order for this server to become an OpenVPN server, three packages need to be added to the system
running a Debian Etch distribu<on. It is done using the following command :
apt-get install openvpn liblzo1 openssl
1 Generation of the Certification Authority
To cer<fy its iden<ty, a cer<ficate needs to be signed by an authority that can be trusted by everyone:
the Cer<fica<on Authority (CA). Some companies like VeriSign sell cer<ficates that are trusted by every

computer.
It is also possible to create a private CA for internal use on a private network. As a ma.er of fact, this
approach has been adopted in the scope of this project. For this reason, a Cer<fica<on Authority is
created on the server, which will sign all the cer<ficates issued either for the OpenVPN servers or clients.
All the files required are stored in the directory /usr/share/doc/openvpn/examples/easy‐rsa/. In this
directory, the following variables need to be personalized in the file vars to fit the parameters of the
project.
export KEY_COUNTRY=FR
export KEY_PROVINCE=IDF
export KEY_CITY=PARIS
export KEY_ORG="IPOLE.FR"
export KEY_EMAIL="admin@ipole.fr"
Now the CerAficaAon Authority can be generated.
. ./vars
./clean-all # ALL THE KEYS WILL BE REMOVED
gunzip openssl.cnf.gz
./build-ca
2 Diffie-Hellman key
The Diffie‐Hellman key agreement protocol enables two communica<on partners to exchange a secret
key safely. No prior secrets or safe lines are needed; a special mathema<cal algorithm guarantees that
only the two partners know the shared key used.
The following command takes care of the crea<on of Diffie‐Hellman key
./build-dh
3 OpenVPN server creation
Now that the Cer<fica<on Authority has been generated, it can be used to create and sign a private and
public key for the VPN server, called IpoleServer.
./build-key-server IpoleServer
For the server to operate properly, the cer<ficate should not be protected by a password.
Then a secret key is going to be generated as well in order to protect this private link from a man‐in‐the‐
middle a.ack. This secret key, named ta.key, will be installed on both the server and the client side (on
each probe liable to connect the VPN network).
openvpn --genkey --secret ta.key

Now the files just created are copied to the configura<on directory of OpenVPN.
cp ./keys/ca.crt /etc/openvpn/ ;
cp ./keys/ca.key /etc/openvpn/ ;
cp ./keys/IpoleServer.crt /etc/openvpn/ ;
cp ./keys/IpoleServer.key /etc/openvpn/ ;
cp ./keys/dh1024.pem /etc/openvpn/ ;
cp ./ta.key /etc/openvpn/
A configura<on file is created for the OpenVPN server and saved as /etc/openvpn.conf.
port 61194
proto udp
dev tun
ca ca.crt
cert IpoleServer.crt
key IpoleServer.key # This file should be kept secret
dh dh1024.pem
server 192.168.93.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 60
tls-auth ta.key 0 # This file needs to be kept secret
comp-lzo
max-clients 25
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
#crl-verify crl.pem # if using a revocation list
This configura<on file defines how the server is going to operate. In the current situa<on, the server is
running on a specific port in UDP with a high number (61194). This choice has been made to avoid that
the service is detected too easily with a port scanning tool. All the OpenVPN clients will be provided with
an IP address pertaining to the defined IP range : 192.168.93.0/24. The client‐to‐client direc<ve is added
to allow communica<on between clients. It ensures that the Law Enforcement unit will be able to log to
a probe directly through the OpenVPN tunnel. 
As defined in the configura<on file provided above, the VPN server will accept a maximum of 25 clients.
This number can easily be increased to create a wider infrastructure. In this case, the IP range and
network mask adopted will have to be chosen in compliance with the maximum number of possible
clients. Although it has been commented out, the crl‐verify direc<ve is also present in this file, in case
the administrator has to revoke a cer<ficate.
Finally, a group and a user are added to the system as they will be used by the OpenVPN service. Indeed,
it is always be.er not to execute this type of service as the root user.
groupadd openvpn
useradd -d /dev/null -g openvpn -s /bin/false openvpn

4 Testing OpenVPN
A quick procedure allows the administrator to ensure that OpenVPN is fully func<onal. First of all,
OpenVPN needs to be restarted to take the new configura<on in considera<on.
/etc/init.d/openvpn restart
Then, a set of lines should appear in the log files to indicate that OpenVPN has started properly
tail -n 100 /var/log/syslog
And OpenVPN instance should be listed in the running processes
# ps aux | grep openvpn
openvpn 2149 0.1 0.4 6200 4080 ? Ss Mar27 19:47 /usr/sbin/openvpn --writepid
/var/run/openvpn.server.pid --daemon ovpn-server --cd /etc/openvpn --config
/etc/openvpn/server.conf
Finally, a new network interface should be created with an IP address belonging to the VPN range. The
last digit of the IP address is 1, since it is the first IP address to be allocated and no client has been
connected yet. In the following example, the IP address is 192.168.93.1
tun0 Lien encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet adr:192.168.93.1 P-t-P:192.168.93.2 Masque:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:592335 errors:0 dropped:0 overruns:0 frame:0
TX packets:995389 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 lg file transmission:100
RX bytes:30271485 (28.8 MiB) TX bytes:1052657839 (1003.8 MiB)
It is possible to do a ping on this IP address to ensure that it is responding correctly
ping 192.168.93.1
5 Creation of client certificates
Now that the server is up and running, cer<ficates can be created for the probes. The cer<ficates will
have to be uploaded to each probe. Likewise, the ca.crt, ta.key and openvpn.conf (client part) will have
to be stored in the OpenVPN directory of each probe.
In order to ease and quicken the crea<on of the cer<ficates, a script has been programmed that can do
that almost automa<cally. For each probe to set up, the following procedure has been used. 
At first, the genera<on script is executed. It creates the private and the public keys to be used by the
client. Then, a generic OpenVPN client configura<on file, the private and public keys and the files ca.crt
and ta.key are packed in an archive file containing all the required files for the client to be connected
properly. This file will be decompressed subsequently in the OpenVPN configura<on directory of the

probe during its installa<on.
Here is an example of how to use the script to generate a cer<ficate for a new probe :
# ./mk_vpn_client Ipole05
NOTE: when you run ./clean-all, I will be doing a rm -rf on
/usr/share/doc/openvpn/examples/easy-rsa/keys
Generating a 1024 bit RSA private key
.............++++++
.++++++
writing new private key to 'Ipole05.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [FR]:
State or Province Name (full name) [IDF]:
Locality Name (eg, city) [PARIS]:
Organization Name (eg, company) [IPOLE.FR]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Ipole05
Email Address [admin@ipole.fr]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/share/doc/openvpn/examples/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'FR'
stateOrProvinceName :PRINTABLE:'IDF'
localityName :PRINTABLE:'PARIS'
organizationName :PRINTABLE:'IPOLE.FR'
commonName :PRINTABLE:'Ipole05'
emailAddress :IA5STRING:'admin@ipole.fr'
Certificate is to be certified until Apr 4 07:55:26 2018 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Ipole05/
Ipole05/client.crt
Ipole05/client.key
Ipole05/ca.crt
Ipole05/ta.key
Ipole05/openvpn.conf
An archive file is made available in the /tmp directory, called Ipole05.tgz. This file contains all the files
needed for the probe 05 to be connected to this VPN server.
4.3.6  Web pages compression and installation of a Web Proxy   
This step is an approach to solve a major problem that may come up while filtering web content in a
network stream : compression.

The   opportunity   to   implement   this   method   clearly   depends   on   the   inves<ga<on   case   the   Law
Enforcement Agency is currently working on. For instance, a case could require to get an alert each <me
a user connects to a specific webmail using his email address. If the server hos<ng the webmail does not
support compression of h.p pages, it would be useless to put in place this solu<on. Nonetheless, the
use of this method can represent a more general approach and work for the majority of the cases.
1 Description of the problem
With the aim of accelera<ng the download of web pages, the most common current browsers (Microsoh
Internet Explorer, Firefox) indicate to the remote websites that they are capable of handling compressed
web pages. This func<onality saves bandwidth and allows the web user to receive the required content
more rapidly. 
From a Law Enforcement prospec<ve, in the scope of this project dealing with network filtering, this
represents a major issue. Actually, some websites reply to the request from the client by sending a
compressed   content   that   is   impossible   to   analyze   and   search   for   keywords   without   a   prior
decompression.
2 Approach to solving this issue
In   this   case,   the   probes   are   composed   of   standard   routers.   Those   equipments   don't   have   the
computa<on power to decompress the web pages in real <me before examining them. The  processor
does not provide these capabili<es and is rapidly overloaded by the web traffic on a busy network.
To avoid the necessity of prior decompression and to save resources on the router, a different approach
has been adopted to solve this problem. 
It consists in intercep<ng the h.p request sent from the web browser to the remote h.p server in a
transparent manner and removing the h.p header which indicates that the browser can deal with gzip
compression. Therefore, when the server receives the request, it simply ignores compression and sends
the web page in clear text instead of using prior compression.
The idea is using a web proxy, located on the central server to relay the HTTP requests aher removing
the header that asks the remote server for compression.
Actually, the router itself could have been used to complete this task. Indeed, <nyproxy exists as a pre‐

compiled binary package for OpenWRT. Some tests have been performed but the memory on the router
is not sufficient to achieve the job properly on a busy network.
Although it is working fine for a small network, as soon as the HTTP traffic increases, the load on the
probe is increased to a level that causes the system to freeze.
3 Web proxy installation and configuration
A lightweight proxy, called Tinyproxy is available for Linux Debian Etch. It provides all the func<onali<es
required by the current project. Thus it is capable of hiding some of the headers included in the HTTP
request. 
First of all, Tinyproxy needs to be installed on the server. Unfortunately, the default version of <nyproxy,
provided as a binary package for Debian 4.0, doesn't support transparent proxying, a condi<on required
for the adopted solu<on to work. To achieve this func<onality, Tinyproxy has to be compiled with the
enable‐transparent‐proxy op<on enabled. Hence, it is not possible to simply install <nyproxy via apt‐get
command. Instead, it has to be built from source manually.
Illustration 4.12.: HTTP stream is redirected to the proxy

The source code of Tinyproxy is available from its repository on Sourceforge website [425‐1]. It is
downloaded to the /tmp directory. Then, the archive file is decompressed and the directory changed to
enter the folder containing the source code.
cd /tmp
wget http://kent.dl.sourceforge.net/sourceforge/tinyproxy/tinyproxy-1.6.3.tar.gz
tar xvzf tinyproxy-1.6.3.tar.gz
cd tinyproxy-1.6.3
In order to avoid that <nyproxy appears to the target by adding its name in the “via” field of HTTP
packets, the source code needs to be modified in the file  /tmp/<nyproxy‐1.6.3/reqs.c :
Line 1022 : ''Via: %s, %hu.%hu %srn'',
Line 1030 : ''Via: %hu.%hu %srn'',
Aher   installing   the   generic   package   required   for   compila<on   (build‐essenAal),   Tinyproxy   is   being
compiled with the relevant op<ons enabled and installed as root.
• enable‐xOnyproxy  : Compile in support for the X<nyproxy header, which is sent to any  
  web server in the domain
• enable‐filter  : Allows <nyproxy to filter out certain domains and URLs
• enable‐transparent‐proxy : Allow <nyproxy to be used as a transparent proxy daemon
apt-get install build-essential
./configure --enable-xtinyproxy --enable-filter --enable-transparent-proxy
make
make install
The proxy operates on port 8888. For security reasons, it is bound to the VPN interface and  it is listening
on the VPN IP address only (192.168.93.1). Therefore, it will allow the probes connected through the
VPN to connect (192.168.93.0/24) and it won't be available from the public Internet. Hence it would
become an open proxy.
All the possible HTTP headers [4310‐1] have to be listed in this file in order to be relayed to the remote
server. The proxy is filtering all the headers that are commented out or not listed . Also, It is mandatory
that the headers associated to compression are inhibited.
Then, as the proxy should not be iden<fied in case a web page is not found (error 404) for instance, a
blank error web page has to be created. Otherwise, the proxy server would display an error page
showing its name. The miscreant would have serious clues that his data are relayed through a proxy,
whatever the reason is.
cat << FIN > /usr/local/etc/tinyproxy/default.html

<html>
</html>
FIN
At last, a startup script needs to be put in place for the proxy to be started up on each reboot.
cat << FIN > /etc/init.d/tinyproxy
#!/bin/sh
case "$1" in
'start')
/usr/local/sbin/tinyproxy
;;
'stop')
killall tinyproxy
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
FIN
chmod +x /etc/init.d/tinyproxy
update-rc.d tinyproxy defaults
The proxy which has just been installed on the server will be used later on by the probes to relay the
HTTP requests from the remote clients on the monitored LAN.
4.3.7  Logging of alerts   
The current infrastructure is composed of a central server and a set of modified Linksys routers used as
probes. 
Since those routers have limited resources and to save the maximum amount of memory, the technical
choice has been made to store the logs of each probe on the central server instead of recording them on
the probe itself.
Thus, the storage capacity of the memory is being preserved whatever the quan<ty of logs the router
generates. Furthermore, having the logs stored in a central loca<on allows the administrator to find and
filter out sensi<ve informa<on very rapidly.  At last, one of the benefit of expor<ng the log files in such a
way is the ability to keep a track of the data even if a router is being rebooted. Otherwise, the logs would
be cleared on each reboot of the router.
Since a further sec<on describes how to implement the exporta<on of the logs on the routers, the
central server needs to be configured to receive and store the logging informa<on sent by the probes.
Instead of doing this using the tradi<onal syslog daemon of Linux, a "new genera<on" of syslog called
syslog‐ng is being used.

This improved version of syslog provides new func<onali<es such as storing syslog informa<on in a
database which is par<cularly useful in the scope of the current project. 
Therefore, as syslog‐ng is used in conjunc<on with a mysql database, the system will be able to extract
informa<on in a simple manner with SQL language instead of using a set of grep / awk/ sed commands.
For doing this, the new database has to be created with the following commands :
cat << FIN > dbsetup.sql
CREATE DATABASE ipole;
USE ipole;
# create table logs under database syslog
CREATE TABLE logs (
host varchar(32) default NULL,
facility varchar(10) default NULL,
priority varchar(10) default NULL,
level varchar(10) default NULL,
tag varchar(10) default NULL,
datetime datetime default NULL,
program varchar(15) default NULL,
msg text,
seq bigint(20) unsigned NOT NULL auto_increment,
processed tinyint(1) default NULL,
PRIMARY KEY (seq), KEY host (host),
KEY program (program), KEY datetime (datetime),
KEY priority (priority), KEY facility (facility)
) TYPE=MyISAM;
USE mysql;
# create user
INSERT INTO user (Host, User, Password)
VALUES ('localhost','ipoleadmin',password('ipole'));
INSERT INTO db (Host, Db, User)
VALUES ('localhost','ipole','ipoleadmin');
COMMIT;
FLUSH PRIVILEGES;
# grant rights to user ipoleadmin
GRANT ALL ON ipole.* TO ipoleadmin@localhost;
COMMIT;
FLUSH PRIVILEGES;
FIN
mysql -u root -p < dbsetup.sql
Then syslog‐ng can be installed from debian repositories.
apt-get install syslog-ng
The configura<on file for syslog‐ng has to be saved as /etc/syslog‐ng/syslog‐ng.conf.
Aher checking it doesn't exist already, the FIFO to mysql has to be created with the mkfifo command.
ls -lah /etc/syslog-ng/mysql.syslog-ng.pipe
mkfifo –-mode=666 /etc/syslog-ng/mysql.syslog-ng.pipe
Now, a new script to use the fifo has to be built and set executable before be launched as a background
task.

cat << FIN > /etc/syslog-ng/syslog-ng-mysql-pipe.sh
#!/bin/sh
# Take input from a FIFO and run execute it as a query for
# a mysql database.
if [ ! -e /etc/syslog-ng/mysql.syslog-ng.pipe ]; then
mkfifo --mode=666 /etc/syslog-ng/mysql.syslog-ng.pipe
chmod 666 /etc/syslog-ng/mysql.syslog-ng.pipe
else
while [ -e /etc/syslog-ng/mysql.syslog-ng.pipe ]
do
mysql -uipoleadmin --password=ipole ipole < /etc/syslog-ng/mysql.syslog-ng.pipe
done
fi
FIN
chmod +x /etc/syslog-ng/syslog-ng-mysql-pipe.sh
/etc/syslog-ng/syslog-ng-mysql-pipe.sh &
From now on, the logs of the system are not being stored in text ﬁles any more. Instead, all the logs are
uploaded in a MySQL database. That will make a future selec<on much faster and easier using SQL
language.
4.3.8  Monitoring the probes   
To make sure not to miss any relevant piece of informa<on, It is really important that the probes remain
online on a permanent basis. Hence the central Law Enforcement Agency needs to be informed of the
connec<on status of each probe in real <me. 
If a probe comes to be disconnected in an Internet cafe under monitoring, due to an incident or on
purpose caused by the manager of this internet cafe, then the Police Oﬃcers will need to know it and
react immediately. 
Illustration 4.13: Probe 2 is down on Nagios dashboard

Since the probes are connected permanently to the VPN server, they can be monitored efficiently
through this channel. The server can iden<fy each single probe using the private IP address from the
VPN range it has allocated to this specific probe.
For the purpose of monitoring the probes, an open‐source sohware called Nagios has been adopted. It is
a mul<‐plaporm sohware that comes with lots of plugins available for each opera<ng system.
Nagios needs to be configured to monitor the Linksys routers and send an email to the administrator
each <me a probe is being disconnected for a reasonable period of <me.
This ini<al setup defines a standard configura<on that will be
updated later automa<cally when a new probe is added to the
infrastructure with the graphical user interface.
First, Nagios has to be installed using apt‐get command. Several
versions   are   available   for   Debian   etch.   Although   there   is   a
specific version designed to interact with MySQL, the choice has
been made to install the version relying on text files.
The reason for this decision is that, the text files will be generated from the custom database used with
the graphical user interface to allow more flexibility. Therefore, the configura<on will match perfectly the
requirements of this project.
apt-get install nagios-text
Then   the   auto‐configura<on   file   named  nagios‐autoconf.sh  provided   as   appendix   8.8   has   to   be
launched. It aims at genera<ng automa<cally all the files needed by nagios for the purpose of this
project.
Illustration 4.15: Nagios alert
Illustration 4.14: Probe 2 is down

The skeletons of generic hosts and services now need to be generated respec<vely in the files hosts.cfg
and services.cfg.
Those files will be used later on by the server, each <me a new probe is added or modified by the
administrator.
Then, for the web based interface of nagios to be enabled, a configura<on file has to be added to
apache2. This file is named /etc/apache2/conf.d/nagios.
ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios
ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios
<DirectoryMatch /usr/lib/cgi-bin/nagios>
Options ExecCGI
AllowOverride AuthConfig
Order Allow,Deny
Allow From All
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
require valid-user
</DirectoryMatch>
Alias /nagios/stylesheets /etc/nagios/stylesheets
# Where the HTML pages live(d)
Alias /netsaint /usr/share/nagios/htdocs
Alias /nagios /usr/share/nagios/htdocs
<DirectoryMatch /usr/share/nagios/htdocs>
Options FollowSymLinks
AllowOverride AuthConfig
Order Allow,Deny
Allow From All
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/htpasswd.users
require valid-user
</DirectoryMatch>
Finally, as the access to the web interface is password restricted, it is mandatory to add a user permi.ed
to do connect nagios. For instance, the user "nagiosadmin" is used, with the password "ipole"
htpasswd -b /etc/nagios/htpasswd.users nagiosadmin ipole
The   graphical   interface   of   nagios   can   now   be   reached   through   the   VPN   connec<on   on   :
hCp://192.168.93.1/nagios
For a quick look to the status of each probe, this URL can be used : hCp://192.168.93.1/nagios/cgi‐
bin/status.cgi?hostgroup=all&style=hostdetail

4.3.9  Backups   
Amongst the important things to take into considera<on when building such an infrastructure is a
backup procedure.
If the hard disk of the server becomes defec<ve or if the opera<ng system is compromised by a hacker, it
will s<ll be possible to restore the system and make it available again rapidly.
One of the decisions to take is where to store the backup files. Is a second hard disk available on the
server or is it necessary to backup to an external server ?
In the scope of this project, as most of the servers are provided with a single disk, the backup files are
exported to a public FTP site. Lots of free hos<ng offers allow the users to send files via FTP to their
accounts. For instance, free.fr provides a 10GB account for storing personal web pages. Such an account
can be used instead to store the backups.
Nevertheless, as this FTP site is a public one, it as to be considered as insecure since an external user
may access the files. Therefore, a decision has been taken to encrypt the backups with the public key of
the administrator. Thus, even if the backup files were downloaded by a non‐legi<mate user, this person
would not be able to decrypt them anyway.
An open‐source implementa<on of PGP named GnuPG is used to take care of this encryp<on. It is
installed by default with the current Linux distribu<on and does not need any specific configura<on.
For slightly improving the security, the keys are not being generated on the server. Only the public key of
the administrator is uploaded to the server and imported in the GPG database. Thus, if anyone gets
access to the server and retrieves the backup files and the GPG key, he won't be able to decrypt the files
again.
Aher impor<ng the key, the database is updated to trust the key ul<mately.
# gpg --import ipole.asc
gpg: key B66E932A: public key "Bruno VALENTIN <admin@ipole.fr>" imported
gpg: Total number processed: 1
gpg: imported: 1
# gpg --edit-key B66E932A
Command> trust
pub 1024D/B66E932A created: 2002-04-20 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/D038D198 created: 2002-04-20 expires: never usage: E

[ unknown] (1). Bruno VALENTIN <admin@ipole.fr>
[ unknown] (2) [jpeg image of size 2354]
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/B66E932A created: 2002-04-20 expires: never usage: SC
trust: ultimate validity: unknown
sub 2048g/D038D198 created: 2002-04-20 expires: never usage: E
[ unknown] (1). Bruno VALENTIN <admin@ipole.fr>
[ unknown] (2) [jpeg image of size 2354]
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Then the backup procedure can be set up. For sending the files to the server, lhp is used and needs to be
installed.
apt-get install lftp
A directory is created to store the backup files locally.
mkdir /backup
chmod 777 /backup
The files required for the backup procedure to work properly are provided as appendix 8.3. Those files
are saved in a directory called /root/backup.
Although the file  backup.incl  and  backup.excl  have been configured already, they can be refined to
match the list of the directories to backup. The backup.sh file contains the current configura<on for the
backup procedure (gpg key, daemons to stop and to restart) and the backup script itself.
Finally, a cron entry is added to execute this backup task on a daily basis. In this example, the content of
the server will be saved every night at 2 o'clock.
0 2 * * * /root/backup/backup.sh >/dev/null 2>&1
4.3.10  Securing the server   
1 Firewall
Internet is a pre.y insecure place. It is impossible to trust the behavior of each single user everywhere in
the world. For this reason it is recommended to define a real security policy with regards to who is
permi.ed to access the server and from which loca<ons.

For instance, there is no need to keep all the open ports listening on the wan interface. Instead, the
ports used for the administra<on should be listening for connec<ons on the VPN address only. Thus, the
server will be unreachable from outside the VPN network. This will slightly improve the security.
The current server is sensi<ve in terms of content and availability. More than any other server connected
directly to the world wide network, the central server used for this project has to be protected by a
firewall. Hence the non‐legi<mate requests will be filtered to prevent the server as much as can be from
being hacked and compromised.
The network flows and the current configura<on for the server are defined as follow :
Default Policy INPUT, OUPUT, FORWARD  DROP
LO Interface  INCOMING Everything accepted 
OUTGOING Everything accepted 
Tun0 interface (VPN) INCOMING Everything accepted 
OUTGOING Everything accepted 
WAN
ICMP
INCOMING 61194 UDP : Openvpn
113 TCP : Auth 
OUTGOING 53 UDP : DNS (dns queries)
25 TCP : SMTP (for sending alerts)
20 & 21 TCP : FTP (debian updates)
80 TCP : HTTP (debian updates)
123 UDP : NTP (<me sync)
80   &   443   TCP   :   HTTP   and   HTTPS
(<nyproxy)
INCOMING
OUTGOING
accepted
accepted
NAT  OUTGOING Masquerade VPN CLIENTS
Two suitable firewall scripts named on.sh and off.sh are provided as appendix 8.4. These scripts have to
be stored in /etc/firewall directory of the server.
Then, in order for the script on.sh to be executed upon each reboot it has to be added to a custom
startup script created specifically and named /etc/init.d/local
cat << FIN > /etc/init.d/local
#!/bin/sh
/etc/firewall/on.sh
FIN

chmod +x /etc/init.d/local
update-rc.d local defaults
From now on, the incoming connec<ons will be accepted only if they match the current filtering policy. 
For instance all the data received on the WAN interface will be dropped except the ones on the port
61193 (VPN), 114 (AUTH) and the replies to the connec<ons ini<ated by the current server.
2 Encrypting the storage partition
Since the server is going to be installed in the premises of a third party (data center), it is very important
that the sensi<ve data remain unreachable from the technicians of this private company or any other
non‐authorized person. 
Even if the access to this server has been secured by a password or a public/private key exchange and a
well‐configured firewall has been set up to prevent non legi<mate users to access the data, it is always
possible to switch off the server and disassemble the central unit to extract the hard drive from its
hardware environment.
If this hard drive, containing sensi<ve data is configured as a slave for another computer or if it is being
analyzed with a forensic sohware like Encase, or X‐ways forensics, it will s<ll be possible to access the
data even without keying in a password.
To avoid this, one of the things that can be done is using encryp<on to protect the data from offline
analysis. 
Recent Linux kernels as the one installed by default with the distribu<on used for opera<ng the server
come with na<ve encryp<on func<onali<es. Without the need of any addi<onal driver or piece of
sohware, the administrator can use the built‐in capabili<es of the Linux kernel to encrypt a par<<on or a
file on the fly.
With the use of  cryptsetup  and  dmcrypt, the administrator can create encrypted containers and
par<<ons. A storage par<<on can be defined and encrypted to store the data to keep confiden<al as
snort configura<on, database files or web pages. Then the files in ques<on can be moved to this
par<<on and symbolic links can be created to dupe the system.
This par<<on needs a password in order to be decrypted and mounted on the file system. Obviously, it

will never be mounted by default and a prior ac<on from the administrator will be required to mount the
par<<on before being able to access the files.
Thereby, if someone switches off the computer and tries to access the data by other means, he won't be
able to mount the encrypted par<<on and reach the confiden<al informa<on that resides on it.
4.3.11  The Graphical User Interface   
As indicated in the requirements of the current project, the
adopted solu<on has to be manageable by any Police officer
in charge of an inves<ga<on case. Even if this Police Officer is
not very familiar with computers and networks, he should be
capable of using and administra<ng the system.
Therefore, a Graphical User Interface had to be developed to
ease and quicken the task of the administrator, avoiding the
need to manipulate text files and shell scripts which may lead to human mistakes. In fact syntax typos in
the configura<on files could rapidly have a nega<ve impact on the func<oning of the system itself. 
To prevent the administrator from making errors when he has to add or modify a case, the GUI comes
with a setup page for each single configurable component.
Illustration 4.16: case configuration
Illustration 4.17: Configuration of Police officers

First of all, a case has to be created and a name has to be assigned. A simple checkbox allows the case to
be enabled or disabled. It allows the deac<va<on of all the probes rela<ng to this case with a single click
(4.16)
On another page, Police officers can be created separately and their profiles can be defined (4.17). The
email address and mobile phone fields are very important  since these informa<on will be used to send
no<fica<on messages to the users. The other fields are just informa<ve in order to keep a track of the
users.
By default, all the no<fica<ons are sent by email. If an email address is present in the field “mobile
phone” on the user profile page, this email address is considered to send an SMS to the user.
The   probes   can   now   be   added   to   the
infrastructure using their private IP address
on the VPN range as unique iden<fier. 
On   the   configura<on   page,   it   is   also
important   to   associate   the   probe   with   an
ongoing case, to indicate where this probe is
located and to define whether or not this
par<cular  probe is ac<ve (4.18).
If for any reason a probe is removed from the
infrastructure, it can simply be disabled to avoid alerts about its offline status. As soon as a new probe is
defined, the configura<on of the server is changed to begin monitoring it .
Illustration 4.19: Adding a recipient
Illustration 4.18: Configuration of a probe
Illustration 4.20: Adding a keyword

Once the case and the Police officers have been created, the next step is to define the recipients of
no<fica<on for this specific case (4.19). The number of recipients is not limited as many Police officers
from various Police units can deal with the same case at the same <me.
Likewise , the keywords for the case can be defined to create the filtering rules which are immediately
uploaded to the probes (4.20).
Once all these steps are completed, the global infrastructure should be up and running. The probes
should now be trying to detect the occurrences in the network stream of each Internet cafe where they
are installed. 
New cases can be created if needed and new probes or keywords can be added as well.
4.4  Inst   allation and conOiguration of a probe   
4.4.1  Installation of a Linux operating system on the probe   
For the purpose of this project, it is necessary to save the maximum amount of storage space and
memory on the router to make it capable of handling the requests from the worksta<ons on the LAN and
achieving all the required func<onali<es as bridging, IP filtering and HTTP request redirec<on.
For this reason, the distribu<on selected to be installed on the probes is OpenWRT Whiterussian RC6
micro, as it is the smallest OpenWRT release. Therefore it comes with a minimal number of pre‐installed
packages so addi<onal applica<ons have to be installed manually aherwards.
The image of the distribu<on can be downloaded from the OpenWRT website [431‐1] :
h.p://downloads.openwrt.org/whiterussian/rc6/micro/openwrt‐wrt54g‐squashfs.bin
Although there is a more recent version of OpenWRT available (kamikaze), it is not as suitable as
whiterussian to the requirements imposed by this project. In fact, it is bigger so there is not so much
space leh for extra applica<ons.
Aher downloading the distribu<on, the installa<on requires that the user connects to the default web
graphical interface installed on the router. As a DHCP daemon is enabled, connec<ng a computer to the
router with a cable and opening a browser with the URL of the interface (h.p://192.168.1.1) is sufficient.

It is strictly not recommended to flash a router through a wireless connec<on. It is mandatory to be
connected with a wire before going further.
A tab allows the user to upload and install a new firmware : h.p://192.168.1.1/Upgrade.asp
The browse bu.on makes it possible to select the firmware image on the local disk and the upgrade
bu.on will start flashing the router with it. Once this process is finished the router is simply rebooted
with the new distribu<on.
4.4.2  Password setting   
At  the  very beginning, once the  distribu<on has  been  installed   on  the  router,  the  equipment  is
configured with the default IP address 192.168.1.1. It is also set up to accept telnet login only without
any password. SSH access is disabled as long as a password for the root account has not explicitly been
set by the user. 
For this reason, and because being able to access the probe via SSH is required for administra<on
purpose, the first ac<on to execute on the router is se_ng up a password for the root user. 
So, from the command prompt :
telnet 192.168.1.1
# passwd root
Now, a password must be entered. It will be used subsequently by the root user to login to the probe. As
soon as the password is set, the telnet func<on of the router is deac<vated and the SSH daemon is
Illustration 4.21: Firmware update table

enabled on port 22 of the router.
4.4.3  SSH public key exchange   
To allow the server to login in automa<cally to the probe, it is necessary to add the SSH public key of the
server to all the deployed probes. Thus, the central server can connect the routers without asking for any
password and can update them remotely.
The SSH daemon on the OpenWRT distribu<on is named dropbear. The SSH public key of the server has
to be added to the /etc/dropbear/authorized_keys file, in the configura<on directory of dropbear. At
first, this file doesn't exist and has to be created and set the correct permissions. In order to be taken in
considera<on, the file “authorized_keys” has to be configured with no permissions for any user other
than root. 
touch /etc/dropbear/authorized_keys
chmod 0600 /etc/dropbear/authorized_keys
cat << FIN > /etc/dropbear/authorized_keys
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIEAqb2JXka/LAITnHZg0jMCfSykiLkjAlMrM2qf9qnl/fpODRMPeHOWYUUSQVVvcir/Q/+
EMM6Dhr5oQ4zJ72dNBZPzYqfIZMit3T+8R3oE1r/tbD+kKQID9oRa9qnmThywpfjvr82/ap5uWqPx2LVtNVSPxpwHayCb9A
cT+3RMRPc= boolazputty
FIN
From now on, the root user on the central server is allowed to login to the probe with no prior password
authen<ca<on.
4.4.4  Network conOiguration    
1 Main network interface
The next step is the network configura<on. For the router to be able to operate as a bridge, it needs to
be configured to forward the packets received on one network interface to the other  and respec<vely in
a transparent way.
Moreover, the bridge needs to have an IP address assigned so that the probe can connect the Internet
and establish a connec<on to the central server through VPN link.
At last, as WIFI is not used in the scope of this project, wireless func<onali<es of the router are disabled
manually to make sure that the probe won't disclose its presence even with wireless networks scanning.
The following commands will take care of the network parameters set for the ini<al configura<on.

brctl addif br0 vlan1
brctl delif br0 eth1
nvram set wl0_radio="0"
nvram set lan_ifnames="vlan0 vlan1"
nvram set lan_ipaddr="10.201.16.46"
nvram set lan_netmask="255.0.0.0"
nvram set lan_gateway="10.201.16.45"
nvram set lan_dns="10.203.16.2"
nvram commit
First of all, a bridge is defined, combining the interfaces vlan0 (LAN port) and vlan1 (WAN port). Then the
wireless interface eth1 is disabled and the radio func<ons are switched off. Finally, the IP address and
the LAN configura<on (gateway, dns) are assigned to the bridge and the router is rebooted aher the new
values have been stored in the non‐vola<le memory of the router with the command “nvram commit”.
The values chosen for the ini<al configura<on of the network are given as an example. Indeed, they will
be modified later during the on‐site installa<on of the router to match the addressing scheme of the
local network the probe will be connected to.
2 Bridge alias
If a router has been used in an internet cafe to take care of a case, it's not obvious that the police officer
in charge will remember the private IP address he allocated to the router at the <me the probe was
installed.
For this reason, to allow connec<ng the router locally at any <me, a bridge alias is configured with an IP
address pertaining to a private IP addresses range (RFC 1918). For the purpose of this project a very
restric<ve network mask has also been used: 172.22.22.1/255.255.255.252. 
Then if the router has to be reconfigured without knowledge of the current configura<on, it will always
be possible to set a laptop with the IP 172.22.22.2 and to connect the probe whatever the main IP is.
The idea is to create a startup script that will add the bridge alias each <me the probe is rebooted. For
this purpose, the script /etc/init.d/S45bridge_alias has been added to the system with the following
commands :
touch /etc/init.d/S45bridge_alias
chmod 755 /etc/init.d/S45bridge_alias
cat << FIN > /etc/init.d/S45bridge_alias
#!/bin/sh
ifconfig br0:0 172.22.22.1 netmask 255.255.255.252
FIN

3 DNS Settings
To set up DNS servers on the probe, it is mandatory to first deac<vate the dnsmasq script which is
executed on the router by default each <me it is started. 
rm /etc/init.d/S50dnsmasq
Then a new script is created to take care of DNS configura<on during startup. The DNS server IP address
will be extracted from the lan_dns variable stored in the Non‐vola<le RAM .
cat << FIN > /etc/init.d/S51custom
# Set nameserver
echo "nameserver" `nvram get lan_dns` > /etc/resolv.conf
FIN
chmod +x /etc/init.d/S51custom
Then the rooter can be rebooted to take the new network parameters into considera<on.
reboot
4.4.5  Repositories settings   
As most Linux distribu<ons, the OpenWRT website provides repositories which make available for
download a list of packages compiled especially for this distribu<on. It also comes with a u<lity named
ipkg that allows the user to install and remove packages very easily.
To   achieve   the   current   project,   some   packages   from   the   backports   repository   are   required.
Unfortunately, this repository is not included in the default installa<on and has to be added to the
configura<on file of ipkg manually. Then the whole ipkg database needs to be updated.
echo "src backports http://downloads.openwrt.org/backports/rc6/" >> /etc/ipkg.conf
ipkg update
4.4.6  Deactivation of useless services   
The router used in the scope of this project has a very small amount of memory (only 16MB). For this
reason, it is necessary to save as much memory as possible. Indeed, as the router has to complete
several func<onali<es, it is required to start up the daemons for each of those services.
Therefore, it is recommended to deac<vate any service not considered as useful for this probe to
complete its job.
For instance, as telnet is not authorized any more, there is no need to keep the daemon in RAM.
Therefore the startup script s50telnet can be erased from the router.

rm /etc/init.d/S50telnet
Then the custom startup script named s51custom is updated to kill the useless tasks once the router has
booted up properly.
cat << FIN >> /etc/init.d/S51custom
#!/bin/sh
# Stop useless services
killall udhcpc
killall wifi
killall dhcpd
FIN
4.4.7  Security Hardening   
As   the   probe   is   going   to   be   used   in   an   hos<le   environment   (internet   cafe,   wifi   hotspot),   it   is
recommended to harden the security on it slightly prior to installing it in‐situ.
At this stage, telnet daemon has been disabled already. But there are s<ll two well‐known ports open on
the router. Dropbear (SSH daemon) is running on port 22 whereas HTTP daemon is opera<ng on port 80.
Binding those ports to the VPN interface only would have been a possible solu<on to solve this issue.
Unfortunately, the daemons provided by OpenWRT do not allow the user to restrict them to a specific
interface. Therefore, the idea is not to close the ports, as they will be used by the server to connect the
routers, but rather to change them so that they won't be discovered during a port scan.
Hence, the startup script for the HTTP service /etc/init.d/S50hCpd needs to be modified.
cat << FIN > /etc/init.d/S50httpd
#!/bin/sh
httpd -p 60080 -h /www -r OpenWrt
FIN
The last line of the dropbear script should now be replaced by the following one :
/usr/sbin/dropbear -p 60022
The next <me the router is started, the HTTP and SSH daemon will be running respec<vely on ports
60080 and 60022, which makes them more difficult to guess.
To further secure this probe, it is also possible to completely deac<vate HTTP server by commenta<ng
out the line launching the daemon in the  /etc/init.d/S50hCpd  script. In case the probe has to be
reinstalled from the very beginning and flashed again with a new firmware, it will be necessary to launch
the HTTP daemon manually in order to access the Web interface.

4.4.8  Virtual Private Network client   
In order to monitor and update the probe remotely, the server should be able to connect to it at
any<me, whatever the public IP address and type of connec<on (dynamic IP, sta<c IP) the site has.
Most of the <me, Internet cafes are connected to the Internet via broadband connec<ons. As a
consequence, the public IP they are sharing using NAT between the worksta<ons on their LAN is a
dynamic one. This is an issue from the server prospec<ve to iden<fy dis<nctly the probes which are
connected. 
Pu_ng in place a Virtual Private Network is a way to solve this problem. Indeed, as every probe has its
own private IP address pertaining the the VPN range, it can be iden<fied easily by the server. Moreover,
whenever the public IP address of the internet cafe changes, the private IP of the probe won't.
Therefore, it is straighporward to determine which probe the alert is coming from.
In the scope of this project, an open‐source VPN sohware called OpenVPN will be used, as it works
efficiently whatever the opera<ng system is. 
1 Setting a correct time and date
Actually, the <me of the router is always set to 01/01/2000 00H00 when it starts. This is an issue for
opening a connec<on with OpenVPN. To get the client part of OpenVPN configured to connect the server
via VPN properly, the <me on the router needs to be update first. The ntpdate package will take care of
this task. It allows the <me to be synchronized on the public <me servers.
ipkg install ntpclient
ntpclient -c 1 -s -h ntp.tuxfamily.net
Then the <me can be updated on a regular basis, adding the following line to the crontab of the router
0 * * * ntpclient -c 1 -s -h ntp.tuxfamily.net >/dev/null 2>&1
2 Installing OpenVPN
OpenVPN can now be installed on the router. As far as  the configura<on directory is concerned, it has to
be created manually.
ipkg install openvpn
mkdir /etc/openvpn
The OpenVPN configura<on file, the cer<ficates and keys generated by the server for this specific probe
have to be stored in the above created directory /etc/openvpn. This can be done by SSH via an SCP tool

as WinSCP.
openvpn.conf
ca.crt
client.crt
client.key
ta.key
ca.crt is the public key of the Cer<fica<on Authority, ta.key is a shared sta<c key for tls‐auth, whereas
the two other files are the public and private keys of the probe.
The following openvpn client configura<on file is provided as an example :
client
dev tun
proto udp
remote 88.191.58.238 61194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 1
The “remote” variable should match the IP of the server and the port OpenVPN is running on. As
previously for HTTP and SSH, OpenVPN is not opera<ng on the default port (1194) but rather on a very
high port (61194) to avoid port scanning.
Then, in order to protect those files, the permissions are changed.
chmod 600 /etc/openvpn/*
Now the router can be rebooted 
reboot
3 OpenVPN test
The connec<on to the server can now be ini<ated aher the <me of the router has been changed.
openvpn --config /etc/openvpn/openvpn.conf
The probe should be able to connect the server properly. Also, a private IP address on the VPN range
should be issued by the server to the router.
On the server side, new records are wri.en in the file /etc/openvpn.log to indicate that the connec<on
has been established and the IP address has been issued to the client successfully.

ipole01/83.143.24.12:2056 TLS: new session incoming connection from 83.143.24.12:2056
ipole01/83.143.24.12:2056 VERIFY OK: depth=1,
/C=FR/ST=IDF/L=PARIS/O=ipole.fr/CN=vpn.ipole.fr/emailAddress=admin@ipole.fr
ipole01/83.143.24.12:2056 VERIFY OK: depth=0,
/C=FR/ST=IDF/O=ipole.fr/CN=ipole01/emailAddress=admin@ipole.fr
ipole01/83.143.24.12:2056 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
ipole01/83.143.24.12:2056 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC
authentication
ipole01/83.143.24.12:2056 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
ipole01/83.143.24.12:2056 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC
authentication
ipole01/83.143.24.12:2056 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
ipole01/83.143.24.12:2056 TLS: tls_multi_process: untrusted session promoted to trusted
ipole01/83.143.24.12:2056 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024
bit RSA
ipole01/83.143.24.12:2056 PUSH: Received control message: 'PUSH_REQUEST'
ipole01/83.143.24.12:2056 SENT CONTROL [ipole01]: 'PUSH_REPLY,route 192.168.93.0
255.255.255.0,ping 10,ping-restart 60,ifconfig 192.168.93.10 192.168.93.9' (status=1)
4 OpenVPN automatic startup
If the VPN connec<on is working fine, the startup script to launch OpenVPN automa<cally on startup can
be created and execu<on of the script can be allowed by se_ng the correct permissions.
cat << FIN > /etc/init.d/S50Openvpn
#!/bin/sh
openvpn --config /etc/openvpn/openvpn.conf --daemon
FIN
chmod 755 /etc/init.d/S50Openvpn
4.4.9  Syslog conOiguration   
As well as the decision has been made to save a maximum of resources on the router, it is useful to avoid
satura<ng the memory with log files. For this reason, the logs are exported to the central server through
the VPN connec<on. 
For this purpose, the IP of the server has to be set in the non‐vola<le RAM of the router 
nvram set log_ipaddr="192.168.93.1"
nvram commit
In the /etc/init.d/rcS file, one op<on is removed to inform the Syslog daemon not to write the log locally
but rather to export them to the server.
syslogd -C 16 ${syslog_ip:+-L -R $syslog_ip}
# replaced by
syslogd -C 16 ${syslog_ip:+ -R $syslog_ip)
Then the router can be rebooted to take the changes into considera<on and the local log files can be
accessed with logread to ensure they are empty.
reboot
logread

4.4.10  Transparent redirection of HTTP requests via proxy server   
In a previous sec<on, a proxy has been installed on the central server to relay the HTTP requests from
the client worksta<ons and to get rid of the issue caused by web page compression. Now, it is necessary
to get the requests forwarded to the proxy.
Configura<on can't be done individually on each worksta<on connected to the LAN of the monitored
site. For instance, if the Law Enforcement Agency has to monitor an internet cafe, the police officers in
charge of the case cannot afford configuring the network proper<es on each browser to connect the web
via their proxy. Also, it could be no<ced by a criminal as well as it would be easily deac<vated manually.
For this reason, it is necessary to intercept the requests transparently without any manual configura<on
of the browsers. As all the requests are   passing through the bridge, it is possible for the router to
iden<fy the HTTP requests and redirect them to the proxy instead of simply transmi_ng them to the
des<na<on server through its default gateway.
This feature, called transparent proxying is invisible from the user's prospec<ve. This is a good point in
the scope of this project as the offender cannot no<ce that the web pages he is currently visi<ng are
relayed and filtered by a monitoring equipment.
Once transparent proxying is in place, the probe starts redirec<ng the HTTP requests to the proxy
transparently, then the proxy removes the headers asking for compression, and finally forwards the
requests to the des<na<on server included in the ini<al HTTP request. As a consequence, the remote
server simply ignores the compression of web pages and sends the HTTP packets in clear text. This
allows the probe to inspect the HTTP packets and search them for requested keywords.
4.4.11  Event detection   
The main func<on of the probe is to no<fy the central server each <me an occurrence related to the
inves<ga<on case is detected on the local network. For this purpose the probe needs to be configured to
intercept and filter the data in real <me. Although the probe does not record any packet, it has to
analyze all of them in the network stream and raise a flag upon event.
Several tools are available for Linux to complete this task. For instance, TCPdump, Wireshark, or T‐shark
can sniff the network very efficiently. The problem in the current situa<on is that those tools are not
capable of logging or reac<ng to specific events on the network.

In the scope of this project, it is more appropriate to use another type of tool called Intrusion Detec<on
System (IDS). The most common one is called Snort and provides various useful func<onali<es. This tool
is capable of performing packet logging and real‐<me traffic analysis.
Ini<ally, Snort has been built to detect a.acks or illegal uses of the network and report them to the
network administrator. The current project is taking benefit of the content matching and logging
capabili<es of Snort to issue alerts each <me occurrences are detected.
1 Snort installation
As it is provided as a package, Snort can be installed with ipkg command.
ipkg install snort
For snort to work properly, two directories need to be created manually, one to store the rules and the
other one for the log files.
mkdir /var/log/snort
chmod 777 /var/log/snort
mkdir /etc/snort/rules
2 Snort test
Before configuring Snort to start up automa<cally with the router, it is necessary to make sure that it is
working properly. This command will simply make Snort listen on the br0 interface.
snort -i br0
This line should appear in the syslog file
Mar 2 15:40:44 192.168.93.10 kernel: device br0 entered promiscuous mode
Snort can now be stopped by hi_ng CTRL+C
3 Snort configuration
First of all, snort configura<on needs to be slightly modified to take into considera<on a new type of
event that the system is going to use. For this to be completed, a line has to be added to the file
/etc/snort/classificaAon.config. The following commands will take care of this.
cat << FIN >> /etc/snort/classification.config
config classification: ipole-event-detected,IPOLE Event detected,1
FIN
It defines a new type of event named “ipole‐event‐detected” that will clearly iden<fy the detec<on of an
occurrence on the network in the Syslog file of the server.

Then it is necessary to create a file for storing the rules for Snort. This file will be updated automa<cally
by the server so it can be leh empty for the moment.
touch /etc/snort/rules/local.rules
Then, the default op<ons for snort are defined in the /etc/default/snort file
cat << FIN > /etc/default/snort
INTERFACE="vlan0" # LAN
OPTIONS="-i $INTERFACE -c /etc/snort/snort.conf -D -N -q -s"
FIN
For the purpose of this project, vlan0 will be used as the default interface. As the probe should be able
to iden<fy the private IP of the worksta<on transmi_ng the packet with the matching payload, it is using
vlan0 because this interface represents the LAN side of the network. 
The other op<ons snort is currently using are
● ‐D : Run Snort in background mode
● ‐N : Turn off logging  (alerts s<ll work)
● ‐q : Quiet. Don't show banner and status report
● ‐s : Log alert messages to syslog
4 Automatic startup
Finally, a startup script has to be created as done previously for the other services
cat << FIN > /etc/init.d/S52snort
#!/bin/sh
DEFAULT=/etc/default/snort
LOG_D=/var/log/snort
RUN_D=/var/run
[ -f $DEFAULT ] && . $DEFAULT
PID_F=$RUN_D/snort_$INTERFACE.pid
case $1 in
start)
[ -d $LOG_D ] || mkdir -p $LOG_D
[ -d $RUN_D ] || mkdir -p $RUN_D
/usr/sbin/snort $OPTIONS
;;
stop)
[ -f $PID_F ] && kill $(cat $PID_F)
;;
*)
echo "usage: $0 (start|stop)"
exit 1
esac
exit $?
FIN
chmod +x /etc/init.d/S52snort

and the custom ini<aliza<on file is updated to create the directory for snort logs.
cat << FIN >> /etc/init.d/S51custom
# Create log directory for snort
mkdir /var/log/snort
chmod 777 /var/log/snort
FIN
4.4.12  ConOiguration for automatic onsite installation   
To   ease   and   quicken   the   on‐site   installa<on,   a   script   called  /root/onsite_install.sh  has   been
programmed, provided as  appendix 8.1. It allows the probe to be quickly reconfigured. This script
updates the main network configura<on of the router and resets the rules snort is using for filtering web
traffic.
The parameters updated by this script are : IP address, network mask, dns servers and default gateway.
They need to be set to the parameters of the internal network of the site to monitor.
Once this script has been executed the probe should be connected to the Internet again and the VPN
connec<on is established with the central server.
The filtering rules will be updated aherwards by the GUI on central server
4.5  Onsite installation of a probe   
4.5.1  ConOiguration of the probe   
The probe has now been configured properly to operate in an automated manner as soon as it has
booted up and it is connected to the LAN. 
No ma.er the size of the network in a cyber cafe, all the worksta<ons on the LAN are usually connected
to a single switch/hub or cascaded switches. The probe has to be plugged on the wire between the
switch and the router connec<ng the site to the Internet. Then it can be powered on.
As soon as the probe is started, it begins forwarding the packets from one network interface to the
other. That means the network connec<vity is only disrupted during the boot procedure of the router.
Immediately aherwards, it is restored and the worksta<ons have access to the the Internet again. As a
consequence, a good prac<ce is to install the probe at a moment not many people are using the
computers to avoid the customers no<cing something is happening on the network.

Once the probe has booted up properly, it has to be provided with a new IP address in accordance with
the internal IP assignment policy of the site. Of course, this IP address should not be allocated to another
network equipment already. Although it is not mandatory since the probe has to act as a bridge between
two networks, alloca<ng an IP address to this equipment allows the probe to access the Internet and
establish connec<on with the VPN server.
In order not to spend much <me configuring the LAN parameters on the probe during the on‐site
installa<on, the configura<on script created in chapter 4.4.12 is used. 
The police officer in charge has to configure his laptop with the IP 172.22.22.2, pertaining to the private
IP range shared with the router (chapter 4.4.4). Using an SSH client like pu.y [461‐1], he can connect the
SSH  server  on   the  router,  listening  on   the  IP   172.22.22.1  port   60022.   Then  he  can   execute  the
configura<on script  /etc/onsite_installaOon.sh  and enter all the parameters of the network he is
currently connected to.
Once this opera<on has been performed and the configura<on has been confirmed, the router is
restarted to use the new parameters. The router is now connected to the Internet again so it can
establish the connec<on with the VPN server.
4.5.2  Is the probe connected ?   
The probe is configured to establish the connec<on with the server as soon as the Internet is accessible.
From his laptop, the inves<gator can check that the probe is currently connected. Using the SSH server
as done previously, he can make sure that the VPN tunnel has been created correctly with the ifconfig
command. A new network interface named tun0 should be present with an IP address allocated.
br0 Link encap:Ethernet HWaddr 00:18:39:C6:21:E6
inet addr:10.201.16.46 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
collisions:0 txqueuelen:0
RX bytes:4029932 (3.8 MiB) TX bytes:2160158 (2.0 MiB)
br0:0 Link encap:Ethernet HWaddr 00:18:39:C6:21:E6
inet addr:172.22.22.1 Bcast:172.22.255.255 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.93.10 P-t-P:192.168.93.9 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
collisions:0 txqueuelen:100
RX bytes:946908 (924.7 KiB) TX bytes:374899 (366.1 KiB)

Then, the police officer can check that the remote end of the VPN is reachable with the ping command.
# ping 192.168.93.1
PING 192.168.93.1 (192.168.93.1): 56 data bytes
64 bytes from 192.168.93.1: icmp_seq=0 ttl=64 time=40.0 ms
--- 192.168.93.1 ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 36.7/37.7/40.0 ms
On the server side, the file  /etc/openvpn‐status.log  has been updated. The IP address of the probe
should be present in this file. Otherwise, the connec<on issues can be fixed by examining the openvpn
log file /etc/openvpn.log.
# cat /etc/openvpn/openvpn-status.log
OpenVPN CLIENT LIST
Updated,Fri Dec 21 10:01:53 2007
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
ipole01,82.120.170.116:2056,788218,1408783,Thu Dec 20 18:10:34 2007
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
192.168.93.10,ipole01,82.120.170.116:2056,Fri Dec 21 10:01:52 2007
GLOBAL STATS
Max bcast/mcast queue length,1
END
It is assumed that the probe is now connected to the VPN so it is available for remote administra<on
from the central server. It can be monitored and the changes made in the IPOLE user interface can now
be sent to the probe.
The whole system is now totally in place. From now on, every occurrence detected on this LAN will be
reported to the central server. Email and SMS will then be issued by this server to the law enforcement
unit in charge of the case.

5 Descrip<on of results
5  Description of results
The whole infrastructure is now up and running. The efficiency of this solu<on has to be assessed in
order to determine how suitable it is to address the global issue iden<fied previously.
For the purpose of the experiments, the following parameters are used : 
● the ADSL line under monitoring uses the public IP 82.120.163.83 (the reverse name is Aputeaux‐
152‐1‐53‐83.w82‐120.abo.wanadoo.fr). 
● The worksta<ons on the LAN are using IP addresses on the 10.X.X.X range
● The exit router is using the IP address 10.202.16.45 (b2d8.fon.loc)
● The central server is using the IP address 83.143.24.12 (www.ipole.fr)
5.1  transparency of the probe   
As stated in a previous sec<on, the probe needs to be invisible and transparent on the LAN it is
connected to. For security reasons, to ensure that nobody connected locally can guess the IP of the
probe, the Network Address Transla<on has been deac<vated and the probe is opera<ng as a bridge.
All the traffic on the LAN is transmi.ed through this network bridge which inspects all the packets, picks
up HTTP requests only and sends them to the proxy located on the central server. This means that any
other type of packets should be transmi.ed through the default gateway on the LAN without any prior
redirec<on. 
For instance, a Traceroute command should not be able to display the IP of the probe in the hop list.
# traceroute www.yahoo.co.uk
traceroute to www.yahoo.co.uk (217.12.3.11), 30 hops max, 40 byte packets
1 b2d8.fon.loc.10.in-addr.arpa (10.202.16.45) 1.281 ms 1.798 ms 2.375 ms
2 81.253.131.73 (81.253.131.73) 43.758 ms 44.470 ms 47.317 ms
3 tengige0-0-0-4.pastr1.Paris.opentransit.net (193.251.250.5) 48.290 ms 48.513 ms 51.484 ms
4 teleglobe-5.GW.opentransit.net (193.251.250.6) 51.706 ms 52.602 ms 52.792 ms
5 if-13-0-0.core3.PG1-Paris.teleglobe.net (80.231.72.17) 55.149 ms 33.586 ms 34.938 ms
6 if-10-0.mcore3.L78-London.teleglobe.net (80.231.72.42) 42.935 ms 43.930 ms 44.307 ms
7 195.219.144.26 (195.219.144.26) 43.555 ms 45.166 ms 42.932 ms
8 195.219.195.49 (195.219.195.49) 44.808 ms 43.121 ms 42.621 ms
9 195.219.195.2 (195.219.195.2) 42.797 ms 42.481 ms 42.629 ms
10 ix-8-1.core1.LDN-London.teleglobe.net (195.219.48.174) 44.121 ms 42.514 ms 42.563 ms
11 ge-1-1-0.msr1.ukl.yahoo.com (217.12.0.229) 44.021 ms 42.502 ms 43.874 ms
12 ge-1-13.bas-a1.ukl.yahoo.com (217.12.0.209) 43.354 ms 43.204 ms 42.480 ms

13 alteon1.34.ukl.yahoo.com (217.12.6.6) 43.528 ms 43.510 ms 44.800 ms
14 alteon1.34.ukl.yahoo.com (217.12.6.6) 43.236 ms 43.884 ms 43.909 ms
This Traceroute, executed from a worksta<on connected to Internal LAN, does not reveal the presence of
the probe. There is no prior router in front of the default gateway (10.202.16.45).
As another example, during an FTP connec<on to a remote FTP site (for instance sd.fw1.org), the IP
address logged by the des<na<on server should be the public IP of the Internet cafe, not the IP address
of the proxy.
May 16 11:22:40 sd.fw1.org proftpd[23574] sd.fw1.org (APuteaux-152-1-53-83.w82-
120.abo.wanadoo.fr[82.120.163.83]): FTP session opened.
120.abo.wanadoo.fr[82.120.163.83]): ANON anonymous: Login successful.
120.abo.wanadoo.fr[82.120.163.83]): Preparing to chroot to directory '/home/ftp'
120.abo.wanadoo.fr[82.120.163.83]): FTP session closed.
120.abo.wanadoo.fr[82.120.163.83]): FTP session opened.
120.abo.wanadoo.fr[82.120.163.83]): ANON anonymous: Login successful.
120.abo.wanadoo.fr[82.120.163.83]): Preparing to chroot to directory '/home/ftp'
120.abo.wanadoo.fr[82.120.163.83]): FTP session closed.
The above FTP logs reveal that the packets have not been redirected through any other server. The probe
has simply let the packets go from the worksta<on to the router on the LAN and then onto the Internet.
5.2  Direct HTTP connection without proxy redirection   
In the following example, a standard connec<on established to the Live.com website has been analyzed
in details to understand what is the content of regular HTTP packets transmi.ed from and to a common
webmail.
Illustration 5.1: Live.com login page

HTTP Request
Firefox, the web browser used in the scope of this analysis clearly indicates in the HTTP request  that it is
capable of dealing with compression. Internet explorer and most common browsers would have done
the same. 
As highlighted below, the HTTP request contains a ﬁeld called “Accept‐Encoding” that oﬀers the remote
server the choice of compressing the data prior to sending them to the client.
GET / HTTP/1.1
Host: www.live.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080418 Ubuntu/7.10
(gutsy) Firefox/2.0.0.14
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q
=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
HTTP Reply
As  a  consequence,  the   server   takes   this   ability   of  the   browser   in   considera<on   and   performs  a
compression of the content with GZIP. Of course, Firefox will decompress the data prior to displaying
them in the browser window. 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
P3P: CP="NON UNI COM NAV STA LOC CURa DEVa PSAa PSDa OUR IND",
policyref="http://privacy.msn.com/w3c/p3p.xml"
Vary: Accept-Encoding
Content-Encoding: gzip
Cache-Control: private, max-age=0
Date: Fri, 16 May 2008 08:47:16 GMT
Content-Length: 5860
Set-Cookie: SRCHUID=V=1&GUID=E733C59FA62B46158F49AC021E07DEED; expires=Mon, 20-Jul-2015
23:59:59 GMT; path=/
Set-Cookie: mkt1=norm=en-FR; domain=.live.com; path=/
Set-Cookie: mkt2=ui=en-US; domain=www.live.com; path=/
Set-Cookie: AFORM=NOFORM; expires=Mon, 20-Jul-2015 23:59:59 GMT; path=/
Set-Cookie: SFORM=NOFORM; expires=Fri, 16-May-2008 09:07:16 GMT; path=/
Set-Cookie: SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20080516; expires=Mon, 14-May-2018 08:47:16 GMT;
path=/
Set-Cookie: SRCHSESS=GUID=65561A5906FC4B14A842B4BFA3262780&flt=0&PerfTracking=0&TS=1210927636;
expires=Fri, 16-May-2008 09:07:16 GMT; path=/
...........[yS.....~
Ey.{.e..^.).......fn%y....5..#.,..w
..t...bH.Uf...._......_.....T.G.W..|...
DQ.....I.1..+...]~Tt.........=.6...TE.G.r.h<>>j.m..f.........x.GRO..l......of..S...;..y.QB]....
(...><X..(..N....C.|
/.^T...TU.....8.H.wC..S...<.^..6..o..............7....}T.+.B...:.;.vy...4....#Vps...Bk._.C.C.L:
..D.t.z_43?.......B...i6E........_yQ.|G..b|a..Vw .|..t....k......O.Vs`...nS.M....l.9p
.[........w.
.j$>............^4.Xk..o.o

Ks...Y...g..= .@6...Cpg...VA.3
*...b.).
3....Y];...[...Hs.dF.j.9}..U-.,
c...a.....j.]........Ymw.......v.......;..........v..;8;...;=..?...N.-...?
>=....Q@.U.)Q............)@e.g...c..z.r...FuV..k....-.
m.......3..67.1..........N...B;....4.......|R..6......q.7.S.....O.G...C..|
7Z.....uI.....W.....[.......t.?.....p..6.6..v...N.....":zpB.t'zN.S.Xs.&..p.'Ww.......^8..E..._
.u...Y..N.......&..L..-..Mh.y..G1.n......uq..&..d.:.......>]...A..
.Y,..N.!..I..%.4..](z...X(..~...................@.e...H.E....H|...
r..Z.xO'9.n..6...$.i.F..*._...$R.0J]..QQ......h@?.......R.Q..5.........).A.mj..a.c6
:S{..$.<.#..=`4...6.1.......i..5..%3.......#5...c;c...^..)X@}J...<<
......@#.".[.l.[.8S.,t...pA...V.n.d.....K..U...Z....vt.2...a..qO.<Bp..uf.p..u%g...p.C...Q.-...
...
T(.....7sTwG)....'<...U....".S..8....4.!.`.<......V..F[.b..[..W!.Gn.b.=9}Z...=.....{...._..4..
.....-..m.......x..
.{.F.>...I..mM.I.Iq.....u.5.Cm.../y.wh..i.'......u.U,.....
..!.rT$...r~C....nUZt.
[..*....#/K.....O0o..f.............F......!x.`,.......]..CB..cT.F.[.=^9..7r.r.l@.....b!~..
..w......g|..t6>....,...D.J.....k._K...0.....z3.....G...t.*..
....._..4...Y.)U..D....R.E.+Uj...O.s.%*.s.|.{N9.>4...M3vC.........Y....5
B............dj.^..s".c.....Y.~.zZ.`.
..i..M$Y......9..+N....;o..`.....r.X......E..-.......
..q...6.;.~..o.p.rVvHx...[`|.
<......u.)'....e.........../Hp.GP......vQ_$.i.............).e6..E..4.F...&P..Y...Z%...../.N.Zd
.8.d.NT......i..n..x..S....k+....-......]/..Gbt.*....E).%.}..."....^.(/./.@..1.].+.Rb
e...x.%%~t'...zN..nX....f>..>?.....s+ 44.#+...q<C..w./3...;./qg?.N>......2...K.23B.F.r..S...g
[.Pi..%{eE0s`...(...n.!.p.......
n...Q.5^.......x)Y=.kY{s....M.!.P....W.3s d....``t.Z...{.FKk..=.........--~.E.]..>...
.../V./#W.bA....@6.k.H..?Y.P.obq{.....}vz:..".~*.....O...7gB...}KN.s..?1.?@......|...}
ìI..^..p..J.d?_....'v*...u...........p..x..T{.k.W3g..@$......."..).n.n.n..y......Wo....#...H.
ew..#d...8...
I....x.z..OyRbI..X..MH..$..m...~.|..1..U.C..
From a law enforcement prospec<ve, it is really a big issue because the probe is not powerful enough to
decompress and filter the flow in real <me. 
Netstat on the workstaOon
On the worksta<on, the list of ac<ve connec<ons reveals that this computer is currently connected to
the port 80 of two remote servers. This means that the connec<ons are currently established directly
and no hijacking is applied to the request before sending it.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 1231 0 10.1.1.29:52784 213.251.187.177:80 CLOSE_WAIT
tcp 832 0 10.1.1.29:46716 212.180.1.29:80 CLOSE_WAIT
tcp 0 0 10.1.1.29:44743 80.15.236.159:80 ESTABLISHED
tcp 1066 0 10.1.1.29:58646 213.251.187.177:80 CLOSE_WAIT
tcp 0 0 10.1.1.29:44742 80.15.236.159:80 ESTABLISHED
Netstat on the central server
A quick look to the connec<ons on the proxy shows that, although the port 8888 is wai<ng for
connec<ons, no remote computer is currently connected to this server.   
tcp 0 0 192.168.93.1:3306 0.0.0.0:* LISTEN

tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 192.168.93.1:8888 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1688 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp6 0 0 :::60022 :::* LISTEN
udp 0 0 0.0.0.0:1024 0.0.0.0:*
udp 0 0 0.0.0.0:1025 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:689 0.0.0.0:*
udp 0 0 0.0.0.0:3130 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
5.3  Indirect connection to the server (redirection via Proxy server)   
To filter the data efficiently, it is mandatory to remove this compression. Indeed, the sohware dealing
with detec<on can only look for strings in clear text. If the content is compressed, it will never match
with any defined rule.
As indicated in a previous chapter, since it was impossible for the probe to decompress the content in
real <me, the choice has been made to relay the requests via a proxy server located on the central server
to get rid of the fields dealing with compression in the HTTP request. 
HTTP request sent by the workstaOon
GET / HTTP/1.1
Host: www.live.com
Accept:
=0.5
Keep-Alive: 300
Here is the original request sent by the worksta<on. The field “Accept‐Encoding” is s<ll present claiming
that the browser is capable of handling compressed payload. 
HTTP request relayed by the proxy
Now that transparent proxying is enabled, the request is relayed by the proxy server and the “Accept‐
encoding” field is removed. A new field “Via” is added to inform the des<na<on server that the request
is transmi.ed through a proxy server.
GET / HTTP/1.0
Host: www.live.com
Connection: close
Via: 1.1 Localhost

Accept:
=0.5
HTTP Reply
It appears in the capture below that removing the “Accept‐encoding” field has a significant repercussion
on the behavior of the des<na<on server. This <me, compression is discarded by the webmail site and
the content is sent in clear text. The “Via” field is set to “localhost” not to be no<ced even in case of
sniffing.
HTTP/1.1 200 OK
Via: 1.1 Localhost
Content-Type: text/html; charset=utf-8
X-AspNet-Version: 2.0.50727
Server: Microsoft-IIS/6.0
Expires: -1
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Fri, 16 May 2008 08:51:14 GMT
X-Powered-By: ASP.NET
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:web xmlns:sp class="Firefox FF_Other FF_M2
FF_D0">
<head>
<title>Windows Live Home</title>
<link rel="icon" href="http://shared.live.com/NcS3O7GPQ3QEg6zMe04JEw/imgs/home.ico" />
<link rel="shortcut icon"
href="http://shared.live.com/NcS3O7GPQ3QEg6zMe04JEw/imgs/home.ico" />
<script> <link rel="StyleSheet"
href="http://shared.live.com/WdQf!T5Hy8cXAvScneTQw6bLWm6OqO5XvRSHcwsTIfwvI-
p0HBrbYlJtI7mE2b9Q/base/1.1348/hig+start.css" type="text/css"/>
</head>
<body>
<div class="start_top">
<div class="start_toplt zindex5" style="heigth:80px;background-repeat:no-
repeat;width:500px;background-
image:url(http://shared.live.com/NcS3O7GPQ3QEg6zMe04JEw/imgs/w/ServiceDown.png)">
<div class="start_signin">
<span class="slash large">|</span>
<a
href="http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&ct=1210927874&rver=4.5.2135.0&wp=M
BI&wreply=http://home.live.com/default.aspx&lc=1033&id=251248">
Sign in
</a>
</span>
</div>
--- THIS PART OF THE PAGE HAS BEEN TRUNCATED ---
</body>
</html>
Netstat on the workstaOon

Since transparent proxying is used, the redirec<on through the proxy is not obvious on the worksta<on.
The following netstat shows that the connec<ons made to the servers are s<ll direct ones.
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 1231 0 10.1.1.29:52788 213.251.187.177:80 ESTABLISHED
tcp 832 0 10.1.1.29:46719 212.180.1.29:80 CLOSE_WAIT
tcp 0 0 10.1.1.29:44746 80.15.236.159:80 ESTABLISHED
tcp 1066 0 10.1.1.29:58649 213.251.187.177:80 ESTABLISHED
tcp 0 0 10.1.1.29:44745 80.15.236.159:80 ESTABLISHED
Netstat on the server
However, the same netstat performed on the server shows that the probe with the VPN IP address
192.168.93.10 has established connec<ons to the port 8888 (proxy server). The connec<ons are now
intercepted transparently by the probe, redirected to the port 8888 of the server through the VPN
tunnel and then sent to the des<na<on server (88.191.59.236) on the port 80.
tcp 0 0 192.168.93.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN
tcp 0 0 192.168.93.1:8888 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1688 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 192.168.93.1:8888 192.168.93.10:48521 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48537 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48529 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48520 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48536 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:58731 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48523 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48539 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48531 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48522 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48538 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48530 TIME_WAIT
tcp 0 0 192.168.92.80:4180 88.191.59.236:80 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48541 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48533 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48524 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48540 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48532 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48527 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48543 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48535 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:58734 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48526 TIME_WAIT
tcp 0 0 192.168.93.1:8888 192.168.93.10:48534 TIME_WAIT
tcp6 0 0 :::60022 :::* LISTEN
udp 0 0 0.0.0.0:1024 0.0.0.0:*
udp 0 0 0.0.0.0:1025 0.0.0.0:*
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp 0 0 0.0.0.0:689 0.0.0.0:*
udp 0 0 0.0.0.0:3130 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*

5.4  Common Webmail sites   
Common rules
Conﬁden<ality is always crucial for private communica<ons. A huge number of users tend to connect
their accounts from public internet accesses as Internet cafes or WIFI hotspots. Thereby, the majority of
the common webmail sites use cryptography during the authen<ca<on process.
The main drawback of cryptography is the heavy use of computer resources. To avoid consuming too
much CPU <me encryp<ng and decryp<ng pages, webmail providers have made the choice of using
HTTPS during the authen<ca<on process only.
As soon as the user has been authen<cated, the HTTPS session is terminated and hands over to HTTP for
displaying the content of the mailboxes and body of the messages. Thus most of the browsing on
webmail sites is using clear text.  
EX : Gmail
On the login page of the website GMAIL.COM above, the protocol used for the authen<ca<on process is
HTTPS. The webpage is encrypted with SSL. When the creden<als have been transmi.ed to the webmail,
the remote site issues a cookie to the client.  It is impossible for the probe to intercept strings in the
HTTPS content. 
Illustration 5.2: Gmail login page

Even if the offender logs in with his username “badguy4ipole” under monitoring, the probe won't be
able to detect the string and to send a no<fica<on.
However, this is not really a big issue since intercep<ng the password is not required in the scope of this
project. The only important thing is to detect the user as soon as he is connec<ng his account.
Therefore, even if the username or the email address is not detected at the stage the authen<ca<on
occurs, as soon as the SSL session is terminated, the probe will detect the relevant informa<on in the
content of the page. As it appears on the illustra<on 5.3 below, the username or the email address
appears very ohen on every page of the webmail site.
The above network flow captured with the sniffer Wireshark shows that the SSL session is ended and a
new session in HTTP is started to request the inbox page (GET /mail/)
Illustration 5.4: SSL session hands over to HTTP
Illustration 5.3: Gmail email list

This is the content of the HTTP packets sent by the browser when reques<ng a specific email message.
GET /mail/ HTTP/1.1
Host: mail.google.com
Accept:
=0.5
Keep-Alive: 300
Cookie: GX=DQAAAG4AAABb1q21b2Dn8byDI_O76oXJR0eWdm409qmpp0tYY4y5Q6_hQ8m0aV6RG0G1a_LS-
ICoMsfka7V_Tr2bzPVGWZeAPBAfd38hMQSVv-dGRKTcxiLiAEAkyxisLyLT_OS5aVK7i1Ywx3ONMl4U1zyGoGjT; TZ=-
120; GMAIL_RTT=647; GMAIL_LOGIN=T1210934434068/1210934434068/1210934513433;
SID=DQAAAG0AAAB2rWh-6aSxPVlkughsrEc85ZW-Y-
HtkftFp5ej3Ef2ZRmD06sVEfyPrr8Goig5Tq8dzP2ocbopBMf3ohm0rnTJr8GIepKnqbtODvzDn_b7QhSyYdYJ5Okdn68Qp
-adTzdCHJiMd9yqT1a1kKEfZDFT
It can be observed that the reply is in clear text HTTP as well. The body of the email the whole content of
the page can now be filtered and analyzed efficiently by the probe.
If a filter is defined on the string badguy4ipole or ewonders, the probe will be able to detect the
presence of these occurrences in the body of the web page. 
HTTP/1.0 200 OK
Via: 1.1 Localhost
Content-Type: text/html; charset=UTF-8
Server: GFE/1.3
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Date: Fri, 16 May 2008 10:41:43 GMT
Illustration 5.5: Email detail

Set-Cookie: GMAIL_LOGIN=EXPIRED; Domain=.google.com; Expires=Thu, 15-May-08 10:41:43 GMT;
Path=/
Set-Cookie: GMAIL_AT=xn3j305qgl3irdc1uf2396j8h0j7qo; Path=/mail
Set-Cookie: S=gmail=TfV06wAO2V7F0MknZ_JrBw:gmail_yj=1QUSR9J9_rxeRkQAnPA3kw:gmproxy=Mo-
mBKR71gk:gmproxy_yj=ZMhTm5yNTD4:gmproxy_yj_sub=OGstQO-ZCLc; Path=/mail
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Gmail</title>
<link rel="shortcut icon" href="/mail/images/favicon.ico" type="image/x-icon">
<link rel="alternate" type="application/atom+xml" title="Gmail Atom Feed" href="feed/atom" />
<script>
</script>
--- SOME TEXT HAS BEEN TRUNCATED HERE ---
</div>
<input type=text name=hist_state id=hist_state style=display:none>
<script>
var
globals={BUILD_CL:"7157386",BUILD_LABEL:"gmail_fe_503_p15",JS_VERSION:"zpuf6AhpH1w",JS_ARRAY_VE
RSION:"6",MODS:"T_k4pdTib5Lz",COOKIE_
PATH:"/mail",DEFAULT_PAGE_SIZE:50,ID_KEY:"9e9a24b29e",USER_EMAIL:"badguy4ipole@gmail.com",STYLE
SHEET_URL:"?ui=2&view=ss&ver=1dnrroapmzat8&am=T_k4pdTib5Lz",GENERAL_HELP_URL:"http://mail.googl
e.com/support/?ctx=%67mail",DBG_LOGGER_PREF:"",SHOW_BUILD_INFO:0,PRODUCT_NAME_TEXT:"Gmail",
PRODUCT_NAME_HTML:"Gmail",INIT_DATA:function(){return[["us","5b56df15058e89f2",[["l","images/2/
5/logo.png"],["n"],["m","New
features!"],["u"],["k","0"],["p","1000:500000,10,200000,5,100000,3,75000,2,0,1"],["h"]]],["ld",
[["î",1,-1,-1,1],["^t",-1,-1,-1,1],["^b",-1,-1,-1,1],["^f",-1,-1,-1,1],["^r",-1,0,-
1,1],["âll",-1,-1,-1,1],["^s",0,-1,-1,1],["^k",-1,-1,-
1,1]],[]],["qu","0","6728","0","#006633",0,
0,0,"0","6.6"],["ft",'<span class="l73JSe" id="__fti__ic"><b>Import contacts</b></span> from
Yahoo, Outlook, and others into your Gmail contact list.   <a style=color:#0000CC
target=_blank
href="http://mail.google.com/support/bin/answer.py?ctx=%67mail&hl=en&answer=8301">Learn
more</a>'],["cp",[1,1,1]],["p",["sx_tz","-120"],["sx_yjcap
s","1210886896145"],["ix_ca","1"],["sx_dl","en"],["bx_aa","1"],
["sx_pu"],["ix_pp"],["sx_sd","classic"]],["pi","Gmail","gmail_fe_503_p15","images/","html/","he
lp/","http://www.google.com/a/help/intl/en/","https://www.google.com/accounts/ManageAccount?ser
vice=mail&hl=en","en",0,,"https://www.google.com/accounts/PurchaseStorage?hl
=en","https://www.google.com/accounts/ManageStorage?hl=en","/mail/help/terms.html"],["ue",411,5
46,402,132,134,17,394,393,263,260,396,24,
385,264,304,307,443,512,444,309,445,446,311,447,312,317,316,318,186,292,295,416,421,182,301,183
,423,61,69,207,337,351,469,466,464,462,461,324,459,458,217,218,454,335,330,450,209,449,328,91,4
48,509,238,511,236,228,377,226,498,225,499,356,358,359,352,250,115,353,354,355,126,124,240,121,
363,241],["ui","badguy4ipole@gmail.com","badguy4ipole","gmail.com",0,0,"http://www.google.com/c
alendar/","https://www.google.com/accounts/ManageAccount?service=mail&hl=en",
"FR"],["uiv",50],["kb",[]],["mv",[0,"t75tfc7596rw"],[1,"12yxbiqyr77cu"]],["cfs",[],[]],["ama",-
1,5],["og",1,'<div id=gbar><nobr><span class=gb1><b>Gmail</b></span>
<script>var VIEW_DATA=function(){return[["v","zpuf6AhpH1w","6","5b56df15058e89f2",""]
,["ub",[["î",1210934503539]
,["^f",1210934503539]
,["^k",1210934503539]
,["âll",1210934503539]
,["^t",1210934503539]
,["^r",1210934503539]
,["^s",1210934503539]
,["^b",121093
4503539]
]
,1210934503285]
,["ti","Inbox",2,0,2,"in:inbox",[]
,"3",-1,0,2,0,[]
]
,["tb",0,2,["119ee7ffe903dc37","119ee7ffe903dc37","119ee7ffe903dc37",1,0,["âll","î"]
,[]

,"u003cspan classu003d"k62PNc" emailu003d"ewonders@yahoo.com"u003eSteve E-
wonderu003c/spanu003e","u003cbu003eu0026raquo;u003c/bu003eu0026nbsp;","ransom","Hello,
The family of the victim has just asked me how much we are going to ask for the guy. I
u0026hellip;",0,"","","May 15","Thu, May 15, 2008 at 11:32 PM",1210887184437900]
,["119ee7b98b7f5015","119ee7b98b7f5015","119ee7b98b7f5015",0,0,["âll","î"]
,["âll","î"]
]
,["te"]
,["fb",["fr","Web Clip","ESPN.com","Webb spins rare 9-0 start; D-backs sweep
Rockies","http://sports.espn.go.com/mlb/recap?gameIdu003d280515129u0026amp;campaignu003drss
u0026amp;sourceu003dESPNHeadlines",,"1210918333000",]
,["fr","Web Clip","BusinessWeek Online --","US Mu0026amp;A: The Big
Thaw?","http://www.businessweek.com/investor/content/may2008/pi20080515_859749.htm?campaign_id
u003drss_daily",,"1210911540000",]
]
,["e",7,1210934503554,944,1755]
]};</script></body></html>
Yahoo & WindowsLive (hotmail)
On the two other most popular webmail providers Yahoo and WindowsLive (hotmail), the authen<ca<on
process is also done via HTTPS. HTTP is used aherwards to send the real content of the mails.
Illustration 5.6: Authentication using HTTPS

Although it seems to be an HTTP session on Windows Live Hotmail, the page is redirected to an
encrypted one by a javascript code and the authen<ca<on is again in SSL.
Illustration 5.8: Live.com login page – Form submitted via HTTPS
Illustration 5.7: Content in HTTP

Then, the content of the mailbox is again transmi.ed in HTTP again. On the capture below, the email
address of the user appears on the webmail page. 
Illustration 5.9: Content in clear text again

5.5  Instant messaging   
Lots of users go into Internet cafes not only to send emails but also to communicate in real‐<me via
instant messaging sohwares. In the majority of the cyber cafes, it is possible to use this kind of sohware
very easily since they are installed on the worksta<ons already.
Criminals   can   also   use   instant   messaging   instead   of   Email   to   send   messages   as   this   type   of
communica<on doesn't generate as much logging informa<on. Although it is very common for a law
enforcement unit to ask a provider for email intercep<on, it is less frequent and not as obvious to
Illustration 5.10: MSN login window Illustration 5.11: MSN contact list

intercept instant messages, especially when they are sent from or to an Internet cafe.
Therefore it is crucial that the adopted solu<on is capable of intercep<ng instant messaging informa<on
in order to determine when the user logs on.
The most widely spread IM sohware is the one from Microsoh, called LiveMessenger. The open‐source
version of LiveMessenger which works on Linux systems is named aMSN. It is used for this experiment to
evaluate what informa<on can be seen on the network and to assess the results of the current solu<on.
The following network capture has been recorded during the connec<on to MSN network with aMSN.
VER 13 MSNP12 CVR0
VER 13 MSNP12 CVR0
CVR 14 0x0409 winnt 5.1 i386 MSNMSGR 8.0.0812 msmsgs ewonders@live.com
USR 15 TWN I ewonders@live.com
CVR 14 8.5.1302 8.5.1302 8.1.0178 http://msgr.dlservice.microsoft.com/download/5/6/4/5646481F-
33EF-4B08-AF00-4904F7677B89/EN/Install_WLMessenger.exe http://get.live.com
USR 15 TWN S
ct=1210943715,rver=5.0.3270.0,wp=FS_40SEC_0_COMPACT,lc=1033,id=507,ru=http:%2F%2Fmessenger.msn.
com,tw=0,kpp=1,kv=4,ver=2.1.6000.1,rn=1lgjBfIL,tpf=b0735e3a873dfb5e75054465196398e0
USR 16 TWN S
t=9zAIjbOU5DATuvEqQd6BgqQA6MzGgGQRvhTtpJejDHHmu!3i5Jyq3ZWiigjV34WV4SAxQuX!sXrc*d2YZTIjtt1dg3RhY
NMCPAvJq4!t4v67II4!cv6LNiL9JrQ0POSvQPbyYNKowIbI4$&p=99UbSQF7mD!5yB4RQQKYFOZqPiNNBQszZqeT*JoSQPO
Jtwvi8DmFQ1DBLDHyDgUCn6auOQllfDUI7ba30On5HDg*MpcTZLBgH1liQmcNi4NV!TmpvyLtZhHaDjdKNCKeHkB6fd3R9R
KrBOLcX*G0nz5UE9qgB1Oo7r1Oep5*joLJcI!7c6fR9cOjI!8o!H4Y7oiymF1GObLaM$
USR 16 OK ewonders@live.com 1 0
SBS 0 null
MSG Hotmail Hotmail 545
MIME-Version: 1.0
Content-Type: text/x-msmsgsprofile; charset=UTF-8
LoginTime: 1210943717
EmailEnabled: 1
MemberIdHigh: 196608
MemberIdLow: -2014487284
lang_preference: 1033
preferredEmail:
country: FR
PostalCode:
Gender:
Kid: 0
Age:
BDayPre:
Birthday:
Wallet:
Flags: 1073743427
sid: 507
MSPAuth:
9zAIjbOU5DATuvEqQd6BgqQA6MzGgGQRvhTtpJejDHHmu!3i5Jyq3ZWiigjV34WV4SAxQuX!sXrc*d2YZTIjtt1dg3RhYNM
CPAvJq4!t4v67II4!cv6LNiL9JrQ0POSvQPbyYNKowIbI4$
ClientIP: 82.120.163.83
ClientPort: 37833
ABCHMigrated: 1
MPOPEnabled: 0
SYN 17 0 0

SYN 17 2008-05-15T15:17:10.44-07:00 2008-05-16T06:11:55.223-07:00 1 0
GTC A
BLP BL
PRP MFN steve
It can be noted that the username appears at several <me within the exchange between the client and
the server. Also, the content of the communica<on appears in clear text. So the probe doesn't have any
problem detec<ng the string. 
5.6  Alerts issued   
As stated in a previous chapter, once an event has come up, arres<ng the offender is a ques<on of how
fast the local Police unit is to rush to the Internet cafe. Therefore, it is required that the Police officers in
charge of the case are informed in real‐<me that the criminal under monitoring has just logged in. The
adopted solu<on relies on an alert sent by SMS or/and  by electronic mail. 
In this example, the Police officers are informed that the string “ewonders@live.com” has just been
detected in the network flow passing through the probe 1. The alert also contains the date and <me of
detec<on, the name of the case, the physical loca<on of the probe, and the private IP address of the
worksta<on on the LAN.
This last piece of informa<on is par<cularly useful when the alert leads to a well equipped internet cafe.
Obviously, if a huge number of worksta<ons are installed in the facili<es, it is very difficult from a law
enforcement prospec<ve to quickly determine which worksta<on has triggered the alert.
Illustration 5.12: Example of alert

For this reason, since it is possible for the probe to detect it, the alert also contains the internal IP
address of the worksta<on involved. As soon as the Police is entering the Internet cafe, they can freeze
the situa<on, and ask the administrator to get them to the appropriate computer that uses this IP
address. 
As some telecommunica<on operators some<mes restrict the recep<on of SMS to its subject, as much
informa<on as possible is given in the “subject” and “from” ﬁelds of the SMS. In the example below, the
SMS   received   on   the   mobile   phone   informs   the   Police   oﬃcers   that   IpoleProbe1   has   detected
“ewonders@live.com”. Further informa<on can be downloaded from the site of the operator. However,
the given informa<on is enough to iden<fy urgently which probe has triggered the alert. 
Of course, not all mobile phones provide the ability to receive and display mail directly. Therefore, SMS
can be used instead. 
Illustration 5.14: Alert by EmailIllustration 5.13: Alert by SMS

5.7  Assessment of the performance in a real situation   
5.7.1  Description of the experiment   
So far, all the tests have been made with one computer only with the goal of determining how this
system reacts to the detec<on of keywords transmi.ed in the network flow by this computer. It is also
necessary to assess how this infrastructure is impacted by the growing number of worksta<ons on the
local area network.
In an Internet cafe, each customer is using a computer for a different purpose, some for wri<ng an email,
some for browsing the web pages of their favorite web sites. Wri<ng an email can take a while without
changing the web page on the screen whereas regular browsing of web portals can be done at a higher
rate.
For achieving the following experiment, up to 16 worksta<ons are used simultaneously on a LAN
connected to two 18Mb/s ADSL lines. The switch is connected to the gateway routers through the probe
and all the HTTP requests are intercepted transparently and relayed through the proxy hosted on the
central server. Each browser is visi<ng a different website (webmail sites, news sites, commercial web
sites) with Firefox 3 at the rate of 1 page every 6 seconds. This delay is intended to simulate the real
usage of the internet by a regular web user. 
In order to evaluate the load on the probe, two criteria can be examined : the CPU percentage per
process and the average load of the CPU. A dis<nc<on has to be made between both these two values.
The CPU percentage is the amount of <me a process was found to be using CPU during a <me interval.
Thus it is a real‐<me state of the CPU load, an instantaneous snapshot. Contrarily, the load average
measures the trend in CPU u<liza<on and includes all wai<ng demand for the CPU. It reflects the length
of the queue of the processes wai<ng for their turn to be executed by CPU. Therefore, in the scope of
this test, the performance is measured by analyzing the load average because it shows the whole picture
of the processor u<liza<on.
The load average is composed of three values. They refer to the past one, five and fiheen minutes of CPU
load and reflect the average load of the CPU during the corresponding intervals of <me. 
The load average has to be considered with regards to the overall number of processors available on the
system. A load value of 1 on a mono‐processor computer means that the CPU is working at its op<mal

rate (100%)  with no pending job whereas a value of 0.5 roughly shows that the processor is used half of
the <me only.   In fact, a full use of the processors corresponds to an average load value of 1 per
processor.
For another example, a load average of 2 on the bi‐processor computer indicates that each processor is
used at 100% without any process wai<ng in queue to be executed.
When the value exceeds the number of processors, it indicates that the processor is used at 100% (busy
all the <me) and there are processes wai<ng for the CPU to be free. 
Finally, whatever the number of processors, a load average of 0 means that the CPU is in a idle state.
Thus, when the third load average (15‐min load average) is 0.00, it clearly indicates that the processor
has been doing nothing for ﬁheen minutes.
At the end of the day, the load average values give a
trend, from 15 minutes to the last minute of the
CPU usage and the pending processes wai<ng for
CPU resources. It helps determining if a physical
processor is under of over‐u<lized.
In order to measure the usage of the CPU resources
on the router, the load average is recorded while
Illustration 5.15: Result of a "top" command on the probe
Illustration 5.16: Content of /proc/loadavg

increasing the worksta<ons on the LAN. The load average can be displayed by using the "top" or
"up<me" u<li<es or simply by lis<ng the content of the virtual file /proc/loadavg.
5.7.2  Results of this experiment   
The following table depicts how the load average (5‐mn) of the system is impacted by adding new
computers on the LAN and using them for browsing web pages. 
As the load is stable during the test, the load average (15‐mn) reflects perfectly the load average (5‐mn).
Concerning the load average (1‐mn), the <me interval is a bit too short to be really significant since it is
more responsive. So with the goal of mi<ga<ng the impact of a single ac<on on the global load, the 5‐
minutes average has been chosen for this experiment.
 workstaOons 5‐mn load problems & delays websites visited
1 0,18 None gmail.com
2 0,21 None gmail.com, yahoo.com
4 0,28 None gmail.com, yahoo.com, expedia.com, airfrance.fr
8 0,80 None  gmail.com, yahoo.com, expedia.com, airfrance.fr,
cnn.com, microsoh.com, apple.com, lemonde.fr
16 1,35 None  gmail.com, yahoo.com, expedia.com, airfrance.fr,
cnn.com, microsoh.com, apple.com, lemonde.fr,
amazon.com, sncf.fr, clubic.com, securityfocus.com,
wikipedia.com, lexpress.fr, linuxfr.org, ryanair.com
Table 5.1: Increase of the load in relation with the number of workstations used
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
0,00
0,10
0,20
0,30
0,40
0,50
0,60
0,70
0,80
0,90
1,00
1,10
1,20
1,30
1,40
load
Number of workstations
CPULoad

5.7.3  Conclusion of the experiment   
From observa<on of the system load during this test, the system is not significantly overloaded even
with 16 computers connected. Whatever the sites the computers were browsing, the load average never
got carried away. The load on the system was stable during each step of the experiment. With 16
computers browsing  at a rate of 1 page every 6 seconds (rela<vely quick rate), the load average value at
5 minutes stabilizes to a value of 1.35, which is not considered as being a high value [57‐1].
This is confirmed by a subjec<ve observa<on of responsiveness of the worksta<ons involved. No
problem of <meout or unusual delay have been no<ced during the test.  Whatever the number of
worksta<ons (up to 16), the browsing was s<ll quick and the browsers got all the requested web pages
properly in a reasonable delay that even appeared to be short.
Furthermore, some detec<on tests have been made at the <me the load average value was 1.35. Every
<me a string under monitoring was sent by a worksta<on by logging in to a webmail for instance, the
no<fica<on alerts came to the mobile phone within a maximum <me of 5 seconds.
Therefore, it can be stated from this experiment that a probe can take care of filtering a 16 ports switch
with no par<cular issue. Since most internet cafes are equipped with a maximum of 10 to 15 computers,
the system designed in the scope of this project appears to be sufficient for intercep<ng keywords on the
LAN of a cyber cafe.
A bigger network is seldom connected to a switch with more ports. Usually, the network is  segmented in
groups of 16 computers connected to different switches with the appropriate number of ports. For big
LANs, a solu<on would be to use a probe for every single switch. It means that this infrastructure could
be used to monitor a network composed of more than 16 computers , even if the test has not been
made so far, due to the lack of availability of such a LAN for test purpose. 
Another solu<on could be to replace the router by a more powerful equipment (Linksys WRTSL54GS at
266MHz instead of 200MHz for WRT54G) or by a laptop opera<ng on Linux, composed of two network
cards and configured with the same packages and files. This way, it would be able to join the current
infrastructure and act as a regular probe.

6 Evalua<on and Discussion of results
6  Evaluation and Discussion of results
The chapter 3.3 has iden<fied some requirements a good solu<on should provide to address the global
issue exposed at the beginning of this disserta<on. The adopted solu<on has to be assessed in order to
determine if the results fit the needs in terms of monitoring internet cafes from a remote loca<on.
6.1  Project achievements   
1 Fast pinpointing of the internet cafe
When an event is detected in one of the internet cafes under monitoring, it is required to get the local
police forces being able to dis<nguish very quickly in which cyber cafe the event comes up. For this to be
completed, it was necessary not to rely on the public IP address of the internet line. In fact, as the IP
addresses change dynamically on a regular basis, it would have been necessary for the Law Enforcement
Agency to request the iden<fica<on of the IP address from the Internet Service Provider.   
The selected solu<on is using a VPN to connect the probes together with the server. Therefore, whatever
the dynamic IP address of the Internet cafe, the unique and fixed VPN IP address of the probe won't
change. The central server will always be able to iden<fy explicitly the probe from which the alert has
been sent.
In the current situa<on, the first step of iden<fying the public IP address is useless. No further delay will
be imposed during this step. Accordingly, the loca<on of the cyber cafe can be done immediately by the
server and the local Police forces don't have to wait for the ac<on of a third party.
2 Quick discovery of the workstation used
Most intercep<on systems are located outside the premises to monitor. Hence, since network address
transla<on is used by the router to masquerade the packets from the worksta<ons, it is impossible for
the intercep<on system to determine the involvement of each single worksta<on on the local network.
From outside the LAN, every packet seems to originate from the public IP address of the router.
In terms of iden<fying the offender, ge_ng the IP address and even the whole network traffic of the
Internet cafe is not sufficient. In fact, ge_ng to the Internet cafe very quick is a good thing but being able
to focus more precisely on the worksta<on at the source of the alert is very important. For this to be

done, it is necessary to get its internal IP address.
As the probe used in the scope of this project is installed with the coopera<on of the manager of the
internet cafe, it can be plugged directly on the Internal network before Network Address Transla<on
occurs. 
Therefore, it can extract the private IP address of the worksta<on present in each packet. This private IP
address is included in the body of the no<fica<on sent to the Police officers. With this IP address, they
can pinpoint the user very precisely, even if there is more than one hundred computers in the premises.
Thereby, this solu<on will avoid a very long forensic examina<on of each hard drive present in the cyber
cafe.   The   Police   will   be   able   to   immediately   focus   on   the   relevant   computer   involved   in   their
inves<ga<on.
3 Remote administration of the probes
For secrecy purpose, it was necessary to being capable of upda<ng the probe remotely. The system
designed in the scope of the adopted solu<on allows the Law Enforcement to update the probes from a
remote loca<on. The Police officers don't have to go to the Internet cafe to connect the probe locally. 
The probes are updated in real <me with one single ac<on in the graphical user interface hosted on the
central server. If any keyword is added for instance, it is spread over the VPN network and pushed to the
probes which are parts of the current case.
4 Reliability and security
The probes are also monitored by the VPN server to ensure they remain online on a permanent basis.
Also, they can be controlled through an SSH connec<on by the administrators of the central server. 
All the sensi<ve content is transmi.ed from the probes to the server over this VPN tunnel. The server
itself is protected by a firewall that filters the incoming and outgoing packets and discard those that
don't match the defined filtering policy. 
The server is hosted in a data center that provide all the equipments to ensure its permanent availability.
(inverter, network redundancy via several operators). 

With regards to the integrity of the data on the server, a RAID 1 array has been put in place to mirror the
informa<on wri.en to the disk on a second hard drive to ensure that a physical failure of a storage
device won't have any bad consequence on the availability of the server. 
The backup scripts have been programmed to make an encrypted copy of the important data of the
server and to send them to a remote FTP site. 
5 Real time detection
One of the key point of the solu<on is its ability to detect events in real <me and to send alerts instantly.
The current solu<on relies on the intrusion detec<on system named snort to catch the sought strings in
real <me. This sohware is very responsive and ensures that no delay will be added.
Once the detec<on has occurred, the no<fica<on email is sent by the central server immediately. The
delays are shortened as much as possible to inform the Police officers that a string has been iden<fied.
6 Costs
Amongst the other requirements, the adopted system had to be an affordable one to ensure that even
the smallest Police unit will be able to put in place this kind of intercep<on. Since exis<ng solu<ons were
very expensive, it was required to design a system based on open‐source sohwares and cheap network
equipment.
The overall price of the infrastructure is really low as regular SOHO routers are used as probes. No
specific equipment has been made up. All the sohwares used to build this solu<on are open source and
can be used freely.
7 Tailor-made solution to support multiple investigations at the same time
The infrastructure has been designed  to be able to support mul<ple users and mul<ple inves<ga<ons at
the same <me. The central Law Enforcement agency can define many cases through the GUI. They can
add as many police officers, probes and keywords as they wish to those case.
Even if the infrastructure is controlled from a central loca<on, it can be used to monitor many other
loca<ons over the whole country. Only the local Police officers responsible for the case will be informed
in case of keyword detec<on of a keyword they are monitoring in the scope of their own inves<ga<on.

Since it is a tailor‐made and a home‐made solu<on, it is possible to get it evolve to fit new requirements
that may arise without relying on a third party private company.
6.2  Future work   
1 Growing bandwidth of broadband network connections
As public internet access is becoming faster and faster, the bandwidth of Internet cafes is constantly
growing. Some of them are now equipped with a connec<on over 10Mb/s.  
The current solu<on is based on SOHO routers equipped with built‐in 100Mb/s network ports. It is not
feasible to change the network port on the device because it is soldered on the main board and neither
is it possible to plug an addi<ve network card in order to increase the throughput  of the device.
The server also has a 100Mb/s connec<vity. Most common hos<ng companies do not provide gigabit
connec<vity to the Internet. Although it is possible to rent this kind of high rate links for specific purpose,
they are s<ll very expensive.
This project has to evolve to follow the constant increase of the bandwidth of Internet connec<ons. Thus
it will stay appropriate for this kind of intercep<ons.
2 Alternative characters encoding
This project has been thought with the goal of detec<ng strings made of la<n characters. It is not yet
appropriate for the intercep<on of alterna<ve character sets like cyrillic, arabic, greek or hebrew
alphabets.
In order to make this intercep<on solu<on suitable for any Police unit whatever the country, those
alphabets have to be considered as well. 
3 management of the probes by local police officers
The current solu<on can be configured through the Graphical User Interface which is hosted on the
central server. This server is controlled by the central law enforcement agency which is responsible for
managing the infrastructure.

Therefore, if any new keyword needs to be added to the filtering rules, it is up to the central law
enforcement agency to do it. In no way can the local police officers in charge of the case add new strings
to the database himself. The central server has been configured to be accessed by the central Law
Enforcement Agency only. 
A substan<al improvement could be to consider the possibility for the local police to add new keywords
in the inves<ga<on cases they are dealing with. It would allow them to be more reac<ve when they
come across a new email address for instance.
Furthermore, if the infrastructure is used na<onwide, it will avoid that the central law enforcement
agency is being overwhelmed with managing the keywords on behalf of each local police service. Thus
the central unit will just have to manage the probes and the cases instead.
6.3  Fields of application   
1 Internet cafe
As described in a previous chapter in this disserta<on, the main goal of this infrastructure is to control
filtering probes placed simultaneously in several internet cafes from a central loca<on. Internet cafe are
the most suitable premises to monitor with this kind of probes.
Generally speaking, cyber cafes have many worksta<ons connected to the Internet through a router and
a regular DSL or cable connec<on. The router allocates a private IP address to each worksta<on
connected on the local network.
Since the current infrastructure is capable of detec<ng keywords and extrac<ng the private IP from
which this event originates, it is much appropriate to achieve the task of monitoring internet cafes
remotely. 
2 Small Company
It could be easily imagined that an employee uses the network of the private company he is currently
working for to commit an offense online. This employee uses  webmail to connect to his private email
address and start blackmailing for instance.
Iden<fying the email address which sent the e‐mail and analyzing the email header, the police will easily

get the public IP address of the company. However if the company is not equipped with a logging device
or a sohware as a proxy server for instance, it is going to be difficult to pinpoint the worksta<on the mail
was sent from. 
A probe could be used with the goal of formally iden<fying the worksta<on and the user. This probe
could be plugged on the network of the company, right before the exit router to intercept the private IP
address of the computer involved, the next <me a user logs  to his webmail using this specific email
address.
To some extent, the current solu<on could solve this kind of issue. Of course, it can be effec<ve on bigger
networks as well but the limited throughput of the probe has to be kept in mind.
3 Wifi hotspot
At present, delinquents are increasingly using WIFI networks to perpetrate their crimes. It is very easy for
someone who want to commit an offense online to connect a WIFI hotspot from his laptop in order to
access the Internet.
There are mainly two kinds of WIFI hotspots : commercial hotspots and free wireless accesses. 
If   the   criminal   wants   to   connect   the   Internet   from   a   commercial   hotspot   pertaining   to   a
telecommunica<on operator such as Orange for instance, he needs to create an account and to give his
creden<al since his account will be charged with the fare. Whatever the creden<al and the medium used
to pay for the connec<on (mobile phone account, credit card), it won't be difficult for the Police to
iden<fy the user.
On the other hand, if the offender is using a free wireless hotspot for instance in a restaurant or a non‐
protected private WIFI network, iden<fying this person is going to be much more problema<c.
When   a   delinquent   has   iden<fied   an   open   WIFI   network   he   can   use   to   connect   the   Internet
anonymously, he tends to come back to the same access point every <me he needs to be connected.
Therefore, the current infrastructure can also have a posi<ve effect if the connec<ons occur from a WIFI
hotspot, should it be an open hotspot or a commercial one.
Effec<vely, if the Police contrive to iden<fy the IP address from which the perpetrator was surfing when
he was connected to the Internet, they can go to the owner of this IP address to install a probe.

The next <me the suspect returns to this place, the probe will behave exactly as seen previously. The
probe won't have to deal with the WIFI signal. Since it is connected on the wire between the access
point and the router, it will be capable of detec<ng and sending no<fica<ons any<me a wireless client is
transmi_ng a string that matches a filtering rule.
Thereby, the field of applica<on of the current project can be extended to WIFI hotspots with no specific
transforma<on, because it does not rely on wireless sniffing but on wire intercep<ons instead. 
6.4  Comparison with commercial interception / protocol analysis   
systems
Although it is not yet capable of filtering every rate of network flow, has limita<ons in terms of
throughput and supports occidental alphabet only, the adopted solu<on has been designed as a reliable
and secure system capable of pinpoin<ng immediately the premises from which the detec<on originates.
It also provides the internal IP address beyond NAT of the worksta<on involved to ease and quicken
forensic analysis. 
It can send no<fica<ons by email and/or SMS in real‐<me to many police officers from various units,
upon detec<on of sought occurrences in the network stream.
Because it is a tailor‐made solu<on based on open‐source sohwares and cheap network equipments, it is
very affordable by any Police unit and can be improved to fit new requirements if some were iden<fied
subsequently. Furthermore, as the development of the current solu<on doesn't rely on a private
company, it can be modified reac<vely with no addi<onal costs.
In comparison to the alterna<ve exis<ng systems iden<fied in chapter 3.2, it is a discreet way of
intercep<ng data on a private local area network providing public internet, assuming the manager
cooperates with the Police.
Due to the size and the cumbersomeness of the previously exis<ng solu<ons it is hardly conceivable to
put in place these types of equipments within the premises of an Internet cafe some<mes equipped with
just a small number of worksta<ons. Adding a discreet probe which looks like a router can be thought of
more reasonably. It doesn't arouse the curiosity of the customers as much and can be easily included in
the exis<ng network infrastructure of a cyber cafe.

The exis<ng solu<ons are very costly and, because the kind of intercep<ons this project is about require
to put a device in each premises under monitoring, an appliance could be used just to monitor one
loca<on at a <me. Therefore, it would be necessary to rent or to buy many of those expensive
appliances.
Also, the exis<ng equipments would require from the Police to update the filtering rules separately on
each device. There is no way to update them all in one single opera<on. Instead, the exis<ng solu<on
can update the rules remotely in a distributed way simultaneously on each probe connected to the
system.
All the solu<ons, either the exis<ng ones or the one described in the scope of this disserta<on provide a
graphical user interface to configure the filtering rules and the way the no<fica<ons are sent to the
Police. 
The following table summarizes the func<onali<es and characteris<cs of the exis<ng and current
solu<ons. 

CHARACTERISTICS NETDETECTORLIVE QOSMOS Q‐WORK 6 BLUEYE PROJECT CURRENT SOLUTION
TYPE Autonomous appliance Autonomous appliance Autonomous appliance Centralized solu<on based
on a set of probes and a
central server
COST several thousands of euros several thousands of euros price list not available
(certainly very expensive
given the type or
hardware used)
60€ per linksys router –
regular computer for the
server
SOFTWARE proprietary sohware proprietary sohware open‐source sohware
available for law
enforcement
Open‐source sohware
available for law
enforcement
NOTIFICATIONS IN REAL‐
TIME
alarms on detected events alert mechanism Yes no<fica<ons sent by email
and SMS
SPEED up to 10Gb/s ethernet and
fiber
1Gb/s half duplex (but only
filters 200Mb/s)
1Gb/s up to 100Mb/s ethernet
SIZE / WEIGHT 1U / 2U appliance 1U appliance
3.4” x 27.5” x 17.5”
63.9Lbs (29Kg)
3U appliance
5.25” x 19” x 27”
84Lbs (38Kg)
Server : 
Regular computer
Probes :
1.89" x 7.87" x 7.32"
1.06 lbs (490g)
PROTOCOLS Email, web, intant
messaging, hp, p2p, MS
office files, base‐64 text 
P2P, web services, mail, chat Any kind of protocols
(layer 7 sniffer)
HTTP (compressed and
non‐compressed pages),
instant messaging, all
protocols in clear text
ARCHIVAL records the traffic
con<nuously and can
recreate the context
(146GB hard drive)
Every packet is recorded in a
local or distant database
Complete TCP sessions
are recorded in a MySQL
database
No recording except
packets containing the
detected strings, stored in
a MySQL database
GRAPHICAL USER
INTERFACE 
GUI accessible from a
remote loca<on over HTTP
and HTTPS
GUI No GUI – Configura<on
via a set of text files
GUI accessible from a
remote loca<on over HTTP
via a VPN tunnel
ALTERNATIVE ALPHABET
SUPPORT
Yes NC No No
SECURITY Embedded kernel firewall
and hardened OS
NC NC Firewalls on both the
probes and the server
Transmission of data
through a VPN channel
MULTI SITES
SIMULTANEOUS
MONITORING
No No Yes Yes
TRANSPARENCY Yes Yes Yes Yes
PRIVATE IP OF THE
WORKSTATION RECORDED
Yes Yes Yes Yes

In conclusion, it emerges from the preceding paragraphs that the adopted solu<on, although it is s<ll to
be improved in some way, provides an eﬀec<ve and appropriate approach to solve the ini<al issue of
intercep<ng occurrences in network stream of a remote local networks. 
The current solu<on is aﬀordable for any Police Unit and suitable for most of the Law Enforcement needs
with regards to struggling against criminals who use public Internet access for commi_ng cyber crime. 

7 List of references
7  List of references
Chapter 2
[2‐1] Aqsacom – Lawful IntercepOon for IP Networks ‐ 09/2005
h.p://www.aqsacomna.com/us/index.cfm?iAr<cleID=48
[2‐2] ImageStream – Network Monitoring White Paper
h.p://oem.imagestream.com/Monitoring_White_Paper.PDF
[2‐3] Robert Graham – Sniffing (Network wiretap, sniffer) FAQ ‐ 14/09/2000
h.p://web.archive.org/web/20050221103207/h.p://www.robertgraham.com/pubs/sniffing‐
faq.html
[2‐4] Decision Computer – White paper for E‐detecOve system (wired) ‐ 09/2007
h.p://www.edecision4u.com/edecision4u/data/Wired_E‐Detec<ve_White_Paper.pdf
[2‐5]  Dr Thomas Porter ‐ The perils of Deep packet inspecOon ‐ 11/01/2005
h.p://www.securityfocus.com/infocus/1817
[2‐6] NetOpOcs – White paper : deploying Network Taps with intrusion detecOon system
h.p://www.netop<cs.com/products/pdf/Taps‐and‐IDSs.pdf
[2‐7] Simson Garfinkel : Network Forensics : Tapping the Internet ‐ 26/04/2002
h.p://www.oreillynet.com/pub/a/network/2002/04/26/ne.ap.html?page=1
[2‐8] Allot CommuncaOon : Digging deeper into Deep Packet InspecOon (DPI) ‐ 04/2007
h.p://www.getadvanced.net/learning/whitepapers/networkmanagement/Deep%20Packet%20I
nspec<on_White_Paper.pdf
[2‐9] CommunicaOons Assistance for Law Enforcement Act
h.p://en.wikipedia.org/wiki/Communica<ons_Assistance_for_Law_Enforcement_Act
Chapter 3.2

7 List of references
[321‐1] Niksun NetDetectorLive appliance : h.p://www.niksun.com/NetDetectorLive.htm
[322‐1] Qosmos Qwork : h.p://www.qosmos.net/rubrique.php3?id_rubrique=2
[323‐1] Blueye project : h.p://www.blueye.it
Chapter 4.1
[412‐1] Hardware versions of WRT54G : h.p://en.wikipedia.org/wiki/WRT54G
Chapter 4.2
[425‐1] Tinyproxy website : h.p://<nyproxy.sourceforge.net
Chapter 4.3
[431‐1] OpenWRT website : h.p://openwrt.org/ 
[4310‐1]  HTTP Headers : h.p://www.w3.org/Protocols/rfc2616/rfc2616‐sec14.html
[4311‐1]  Ebtables : h.p://ebtables.sourceforge.net 
Chapter 4.6
[461‐1] Pumy : h.p://www.chiark.greenend.org.uk/~sgtatham/pu.y/
Chapter 5.7
[57‐1] Load average, how it works : h.p://www.teamquest.com/resources/gunther/display/5/

8 Appendices
8  Appendices
8.1  Automatic onsite installation script   
This script  /etc/onsite_installaOon.sh  is intended to be executed during the on‐site installa<on. It is
aimed at reconfiguring the main network parameters to match those of the local network the probe is
inserted on.
#!/bin/sh
# /etc/onsite_installation.sh
echo "===================================================="
echo "This is a quick configuration script for IPole probe"
echo "It allows the probe to match the local parameters of"
echo "the LAN it is connected to"
echo "===================================================="
while [ "$all_ok" != "Y" ] && [ "$all_ok" != "y" ]
do
echo ""
echo -n "IP Address : " && read lan_ipaddr
echo -n "Netmask : " && read lan_netmask
echo -n "Gateway : " && read lan_gateway
echo -n "DNS server : " && read lan_dns
echo ""
echo -n "Is everything correct ? (Y/N) " && read all_ok
done
nvram set lan_ipaddr=$lan_ipaddr
nvram set lan_netmask=$lan_netmask
nvram set lan_gateway=$lan_gateway
nvram set lan_dns=$lan_dns
nvram commit
8.2  OpenVPN client conOiguration Oile sample   
This is a sample of a client configura<on file for OpenVPN. This file will be added to the archive file
generated by the VPN server to all of its clients. This file has to be named client.conf.sample and stored
in the /etc/openvpn directory of the server.
client
dev tun
proto udp
remote [IP_ADDRESS] [PORT]
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1
comp-lzo
verb 1

8 Appendices
8.3  ConOiguration Oiles for the backup procedure   
The three following files are parts of the backup procedure. The script backup.sh is the backup script
itself and is configurable by modifying a set of op<ons. The two other scripts define the directories to
include and to exclude.
8.3.1  backup.sh   
#!/bin/sh
# BACKUP SCRIPT
# Options to modify
GPGRECIPIENT="admin@ipole.fr"
FTPSITE="ftpperso.free.fr"
FTPLOGIN="ftp_login"
FTPPASS="ftp_password"
# Daemons to stop and to start
STOPDAEMONS="apache2 mysql"
STARTDAEMONS="mysql apache2"
# Other options
dpkg --get-selections > /tmp/selections.txt
COMPUTER=`hostname -f`
BASEDIRECTORY="/root/backup"
DIRECTORIESLIST="$BASEDIRECTORY/backup.incl"
DIRECTORIESEXCLUDE="$BASEDIRECTORY/backup.excl"
TIMEDIR="$BASEDIRECTORY/last-full"
TAR="/bin/tar"
BACKUPDIR="/backup"
EXT="tar"
GZIP=Y
MD5=Y
VERIFY=N
DM=`date +%a`
# Backup procedure
if [ "$VERIFY" = "Y" ]
then
CHECK="--verify"
else
CHECK=""
fi
for DAEMON in $STOPDAEMONS
do
/etc/init.d/$DAEMON stop
done
cd /
NEWER=""
if [ -f $BACKUPDIR/$COMPUTER-$DM-full.$EXT ]; then
rm $BACKUPDIR/$COMPUTER-$DM-full.$EXT
fi
BKFILE=$COMPUTER-$DM-full
$TAR $NEWER $CHECK -cvpf $BACKUPDIR/$BKFILE.$EXT -X $DIRECTORIESEXCLUDE -T
$DIRECTORIESLIST
for DAEMON in $STARTDAEMONS
do
/etc/init.d/$DAEMON start
done

8 Appendices
if [ "$GZIP" = "Y" -a ! "$BKFILE" = "" ]
then
cd $BACKUPDIR
gzip $BKFILE.$EXT
mv $BKFILE.$EXT.gz $BKFILE.tgz
EXT="tgz"
fi
if [ "$MD5" = "Y" -a ! "$BKFILE" = "" ]
then
cd $BACKUPDIR
rm $BKFILE.$EXT.md5 2>/dev/null
md5sum $BKFILE.$EXT > $BKFILE.$EXT.md5
fi
if [ -f $BKFILE.$EXT.gpg ]
then
rm $BKFILE.$EXT.gpg
fi
gpg --encrypt -r $GPGRECIPIENT $BKFILE.$EXT
rm $BKFILE.$EXT
lftp -c 'open -u '$FTPLOGIN','$FTPPASS' -e "mirror --reverse --only-newer /backup/ /"
'$FTPSITE
8.3.2  backup.incl   
/tmp/selections.txt
/etc
/root
/var/spool/cron/crontabs
/var/lib/mysql
/var/www
8.3.3  backup.excl   
# empty by default

8 Appendices
8.4  Firewall scripts   
The following scripts on.sh and oﬀ.sh allow respec<vely to enable or disable the ﬁrewall on the server
8.4.1  on.sh   
###############################
### SCRIPT ON.SH ###
###############################
#!/bin/sh
# Variables to configure to match the configuration of the server
EXT_IP="88.191.58.238"
VPN_IP="192.168.93.1"
VPN_RANGE="192.168.93.0/24"
EVERYWHERE="0/0"
# Disables the current firewall
/etc/firewall/off.sh
# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $filtre
done
fi
# loads the required modules
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
# flushes all existing rules
iptables -F
iptables -X
# init of NAT and MANGLE tables
iptables -t nat -F
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# how to log dropped packets
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP
# how to log accepted packets
iptables -N LOG_ACCEPT
iptables -A LOG_ACCEPT -j LOG --log-prefix '[IPTABLES ACCEPT] : '
iptables -A LOG_ACCEPT -j ACCEPT
# everything is dropped by default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

8 Appendices
# ALWAYS ACCEPTED #############
# LO (All packets are accepted on localhost)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# TUN0 (All packets are accepted on VPN interface)
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
# OUTGOING TO WAN #######################
# DNS (dns queries)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p udp --dport 53 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p udp --sport 53 -j ACCEPT
# SMTP (for sending alers)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p tcp --sport 25 -j ACCEPT
# FTP (debian updates)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p tcp -m state --state ESTABLISHED,RELATED -j
ACCEPT
# HTTP (debian updates)
# NTP (Time sync)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p udp --dport 123 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p udp --sport 123 -j ACCEPT
# TINYPROXY (proxy needs to be able to access websites)
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p tcp --sport 80 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p tcp --sport 443 -m state --state
ESTABLISHED,RELATED -j ACCEPT
# INCOMING FROM WAN ######################
# SSH 60022 (SSH is on port 60022 on this server)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p tcp --sport 60022 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p tcp --dport 60022 -j ACCEPT
# AUTH 113
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p tcp --sport 113 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p tcp --dport 113 -j ACCEPT
# VPN 61194 (VPN clients need to be able to connect the server)
iptables -A OUTPUT -s $EXT_IP -d $EVERYWHERE -p udp --sport 61194 -j ACCEPT
iptables -A INPUT -d $EXT_IP -s $EVERYWHERE -p udp --dport 61194 -j ACCEPT
#################################
# ADITIONNAL RULES
#################################
# ICMP
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A FORWARD -p icmp -j ACCEPT
# Masquerade VPN Clients
iptables -t nat -A POSTROUTING -s 192.168.93.0/24 -o eth0 -j MASQUERADE
# Remaining packets are simply dropped
iptables -A FORWARD -j DROP
iptables -A INPUT -j LOG_DROP
iptables -A OUTPUT -j LOG_DROP

8 Appendices
echo ""
echo "[FIREWALL ENABLED]"
8.4.2  off.sh   
###############################
### SCRIPT OFF.SH ###
###############################
#!/bin/sh
# Default Policy : ACCEPT
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#
# Also for NAT table
#
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# Flushes existing rules
#
iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
# Firewall disabled
echo "[FIREWALL DISABLED]"

Pattern detection in a remote LAN environment (EN)

More Related Content

Viewers also liked

Similar to Pattern detection in a remote LAN environment (EN)

Recently uploaded

Pattern detection in a remote LAN environment (EN)