In a word.. no I'm not sure because I haven't seen it here. That is not an indication that it isn't necessarily there. Of course I'm testing using an smp machine that isn't doint anything else but that sooo it may not be a valid test. I'll ask you about more symptoms of that off line and get back to the list with a summary. I just peeked a NeTraMet. again - still looks neat. I looked at it last summer or fall and had decided that I really didn't want an SNMP mib hollering my traffic statistics to the world so that stealth attacks can come in more easily. But I'll look at it again... Does anyone have any benchmark data for it? Then I'll look at my isp's netflow settings on their router. :-) I've never looked hard at the security of cisco netflow. :-( Has anyone else? In similar veins, for more lightly loaded networks, you should check out ntop, and for heavier loads snort's logging. One other option is good old tcpdump or maybe logging in iptraf. I wanted to put this in the kernel to provide an almost binary bare sensor system to add just one more layer of fun and hassle for intrusion. Removable drive carriers allow export of the data to analysis stations because the sensors are so stripped as to make them virtually useless for any other function and hopefully devoid of most vulnerabilities. Kernel, sh, syslogd and a trivial filesystem should suffice. Maybe only kill, cp/mv and cron for log files.... As a matter of fact you should even be able to disable the IP stack and have it work. Call it the data motel security model and approach... :-) cheers, --dr On Tue, 15 Feb 2000, Andrzej Bialecki wrote: > On Sat, 12 Feb 2000, Dragos Ruiu wrote: > > > How to use it: > > -This patch makes the kernel log all ethernet packets to syslog. > > -The logging happens at the default level. I.e. normally on. > > -You can turn logging on and off at the console by using the Magic SysRq key > > and a number to change the logging level. > > -Put the interface into promiscuous mode: ifconfig eth0 promisc > > > > Notes: > > -It makes a neat hotkey sniffer when using the text console too. > > -It seems to run pretty fast. Any benchmark data welcome(-->drat_private). > > -try a tail -f /var/log/messages for real time display > > I was wondering... Are you sure it doesn't overrun the kernel message > buffer? I noticed that sometimes, when you produce tons of messages from > within the kernel, some of them are lost. > > I would rather use package as NeTraMet for doing this - it also does very > nice traffic compression in the form of flows - very fast, extremely > flexible, uses standard libpcap, doesn't require kernel patching etc... > > Andrzej Bialecki > > // <abialat_private> WebGiro AB, Sweden (http://www.webgiro.com) > // ------------------------------------------------------------------- > // ------ FreeBSD: The Power to Serve. http://www.freebsd.org -------- > // --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ---- -- dursec.com / kyx.net - we're from the future http://www.dursec.com learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:35:33 PDT