I'm not usually one to gush, but this tool is way freakin' cool! I've already got it set up monitoring for new services in my production networks, and my mind is reeling with the possibilities. A couple of suggestions, though.

I've got enough stuff going on (been running it for ten minutes, have got nearly 1000 unique server ip/port combinations, over 500 unique servers, and around 200 unique service ports) that just doing the Top X or Bottom X or Last X doesn't show me the interesting things. I'd like to be able to show, for example, those things that have more than one hit but less than 100 in the last hour. Or maybe a report that shows the things with one hit between 17:00 and 23:00 last night. Stuff like that.

Also, my input is coming from a script that does a tcpdump in a loop, but if I just pipe the output directly to nbs, nbsdump blocks until I end the script. For example, if I do:

    tcpdump -i bge1 -c 100000 -n "tcp[13] &0x3f = 18" | /usr/local/scripts/nbs/getservers.pl | nbs -s -d servers

then my nbsdump command will block until I stop the tcpdump. If, on the other hand, I have my tcpdump run as:

    /usr/sbin/tcpdump -i bge1 -c 10000 -n "tcp[13] &0x3f = 18" | /usr/local/scripts/nbs/getservers.pl > /home/nbs/servers.txt; /bin/cat /home/nbs/servers.txt | /usr/local/bin/nbs -s -d /home/nbs/servers

then nbsdump completes immediately (albeit the output doesn't change until the tcpdump exits and restarts). Probably not a big deal, but it took me an hour of experimenting before I figured out how to deal with it.

BTW, in case anybody's wondering, the BPF I'm using will show only packets that have only the TCP flags SYN and ACK set, indicating a successful connection to a service. My getservers.pl script pulls out the source field, which is in the format %d.%d.%d.%d.%d, where the first 4 INTs are the IP address and the 5th one is the port. I'm using DJB's daemontools to handle restarting the tcpdump.

Hmm. I wonder if there's a way to set this up to detect Internet clients that connect to a variety of servers one time each??? <runs back to keyboard, smiling freakishly>

Jon

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
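The post above describes a pipeline (a SYN+ACK capture filter, a script that pulls the server ip.port out of each tcpdump line, then counting) but getservers.pl itself is not included. The following is an added example, not Jon's script or part of nbs, that does the same extraction in Python and also produces the two reports the post asks for: entries whose hit count falls in a range, and the number of distinct servers each client completed a handshake with. The tcpdump lines are constructed sample input, the line layout assumed is that of `tcpdump -n` (timestamp, optional `IP` token, `src.port > dst.port:`), and every function name here is the example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of "tcpdump -n" output (not a capture from the original
# post). Because the capture filter is "tcp[13] & 0x3f = 18", every line is a
# SYN+ACK, so the source field (ip.port before ">") is the server that
# accepted a connection and the destination is the client that asked for it.
SAMPLE_TCPDUMP = """\
01:02:03.000001 IP 10.1.1.5.22 > 192.168.0.10.51234: Flags [S.], seq 1, ack 2, win 65535, length 0
01:02:03.000002 IP 10.1.1.5.22 > 192.168.0.11.51235: Flags [S.], seq 1, ack 2, win 65535, length 0
01:02:03.000003 IP 10.1.1.7.443 > 192.168.0.10.51236: Flags [S.], seq 1, ack 2, win 65535, length 0
01:02:03.000004 IP 10.1.1.9.3306 > 192.168.0.12.51237: Flags [S.], seq 1, ack 2, win 65535, length 0
01:02:03.000005 IP 10.1.1.5.22 > 192.168.0.13.51238: Flags [S.], seq 1, ack 2, win 65535, length 0
"""

# TCP flag bits in tcp[13] (the 14th byte of the TCP header).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def is_syn_ack(flags_byte):
    """Mirror the BPF test "tcp[13] & 0x3f = 18" in Python.

    0x3f keeps the six classic flag bits and discards the two ECN bits
    (ECE/CWR), so an ECN-capable server's SYN+ACK still matches; 18 is
    0x12 = SYN | ACK, i.e. exactly those two flags and no others.
    """
    return (flags_byte & 0x3F) == (SYN | ACK)


# "a.b.c.d.port > a.b.c.d.port:" pairs. Older tcpdump versions print the
# same addresses without the "IP" token, so that word is optional here.
ADDR_RE = re.compile(
    r"^\S+ (?:IP )?(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse_connections(text):
    """Yield (server_ip, server_port, client_ip) for each SYN+ACK line."""
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m is None:
            continue  # noise such as a truncated or non-TCP line
        server_ip, server_port, client_ip, _client_port = m.groups()
        yield server_ip, int(server_port), client_ip


def count_servers(text):
    """Hits per (ip, port): the same list getservers.pl hands to nbs."""
    return Counter((ip, port) for ip, port, _ in parse_connections(text))


def hits_between(counts, low, high):
    """Entries with low <= hits <= high; the range report the post asks for."""
    return {key: n for key, n in counts.items() if low <= n <= high}


def servers_per_client(text):
    """Distinct (ip, port) servers each client completed a handshake with.

    A client with a high number here, built from one hit per server, is the
    "connects to a variety of servers one time each" pattern the post
    wonders about.
    """
    seen = defaultdict(set)
    for ip, port, client in parse_connections(text):
        seen[client].add((ip, port))
    return {client: len(servers) for client, servers in seen.items()}


if __name__ == "__main__":
    counts = count_servers(SAMPLE_TCPDUMP)
    for (ip, port), n in counts.most_common():
        print(f"{ip}:{port}\t{n}")
    print("one-hit servers:", hits_between(counts, 1, 1))
    print("servers per client:", servers_per_client(SAMPLE_TCPDUMP))
```

Like the batch arrangement in the post, this reads a completed capture rather than a live pipe, so it can be run against the servers.txt written by each tcpdump pass without anything blocking; for the time-window report, keep the timestamp column (the first token on each line) and filter on it before counting.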
This archive was generated by hypermail 2.1.3 : Fri Sep 03 2004 - 10:58:57 PDT