Security Basics mailing list archives

RE: Network Traffic Monitor


From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Thu, 8 Apr 2004 10:22:08 -0500

One of the clever things our users do with ntop is to create a filter that
eliminates 'normal' traffic.  You then use ntop to monitor for things you
don't expect to see.

For example, say you are monitoring your DMZ, where your mail server is
a.b.c.2 and your web server is a.b.c.3.

Running ntop with the filter (standard bpf filter syntax):

"not ((host a.b.c.2 and port 25) or (host a.b.c.3 and port 80))"

will collect only DMZ traffic other than the services you think you provide.

During one of the last worm attacks, one user created this type of instance,
identified the infected user and had them blown off the network inside of 15
minutes.  End of problem.

Check out the new v3.0 -- lots more stable, lots of new features and fixes -
available @ SourceForge!

-----Burton

-----Original Message-----
From: C.Brauckmiller () lek com [mailto:C.Brauckmiller () lek com]
Sent: Wednesday, April 07, 2004 12:23 PM
To: Jason Haith
Cc: securityfocus
Subject: Re: Network Traffic Monitor

NTOP

Both *nix and Win32 ports available.

www.ntop.org

Craig


<snip />



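The "filter out what you expect, look at what is left" idea from the message above, as an added example that is not part of the original post or of ntop itself. An allowlist of (host, port) pairs stands for the services the DMZ is supposed to offer; one function renders that allowlist as the BPF expression you would hand to ntop or tcpdump, and a second applies the same semantics to flow records so the logic can be checked offline. The addresses (192.0.2.x, 198.51.100.x, 203.0.113.x) and the flow records are constructed for the example; they replace the a.b.c.2 / a.b.c.3 placeholders in the post. The `directional` option goes beyond the post: plain BPF `host X and port 25` matches X as source or destination and 25 as source or destination port, so an infected mail server scanning other machines on port 25 would be hidden by the original filter; the directional variant only admits connections *to* the service port on the server, or replies *from* it.

```python
"""Negative traffic filter: report DMZ flows that are not an expected service.

Added example, not code from the original post or from ntop. Addresses and
flow records below are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import List, Tuple

# (host, port) pairs: "the services you think you provide"
Expected = List[Tuple[str, int]]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def build_bpf(expected: Expected, directional: bool = False) -> str:
    """Render the allowlist as a BPF expression for ntop/tcpdump.

    directional=False reproduces the post's filter: 'host H and port P'
    matches H and P on either side of the packet.
    directional=True only admits traffic to the service (dst host/dst port)
    or replies from it (src host/src port), so H scanning other hosts on
    port P is no longer masked.
    """
    terms = []
    for host, port in expected:
        if directional:
            terms.append(f"(dst host {host} and dst port {port})")
            terms.append(f"(src host {host} and src port {port})")
        else:
            terms.append(f"(host {host} and port {port})")
    return "not (" + " or ".join(terms) + ")"


def matches_expected(flow: Flow, expected: Expected, directional: bool = False) -> bool:
    """Same semantics as build_bpf(), evaluated on a flow record."""
    for host, port in expected:
        if directional:
            if (flow.dst == host and flow.dport == port) or \
               (flow.src == host and flow.sport == port):
                return True
        else:
            host_ok = flow.src == host or flow.dst == host
            port_ok = flow.sport == port or flow.dport == port
            if host_ok and port_ok:
                return True
    return False


def unexpected_flows(flows: List[Flow], expected: Expected,
                     directional: bool = False) -> List[Flow]:
    """Everything the BPF filter would let through, i.e. what ntop would show."""
    return [f for f in flows if not matches_expected(f, expected, directional)]


# Constructed sample data: a mail server and a web server in the DMZ.
MAIL = "192.0.2.2"
WEB = "192.0.2.3"
EXPECTED: Expected = [(MAIL, 25), (WEB, 80)]

SAMPLE_FLOWS = [
    Flow("tcp", "198.51.100.7", 51234, MAIL, 25),   # inbound SMTP: normal
    Flow("tcp", WEB, 80, "198.51.100.9", 40111),    # HTTP reply: normal
    Flow("tcp", "198.51.100.9", 40112, WEB, 443),   # HTTPS to web server: not offered
    Flow("tcp", MAIL, 33001, "203.0.113.5", 445),   # mail server -> SMB: worm-like
    Flow("udp", WEB, 54321, "203.0.113.53", 53),    # DNS from web server: unexpected
    Flow("tcp", MAIL, 33002, "203.0.113.9", 25),    # mail server scanning port 25:
                                                    # hidden by the loose filter
]


def report(flows: List[Flow] = SAMPLE_FLOWS, expected: Expected = EXPECTED,
           directional: bool = False) -> List[str]:
    """One printable line per flow the filter would surface for a human."""
    lines = []
    for f in unexpected_flows(flows, expected, directional):
        lines.append(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
    return lines


if __name__ == "__main__":
    print("filter:", build_bpf(EXPECTED))
    for line in report():
        print("  unexpected:", line)
    print("filter (directional):", build_bpf(EXPECTED, directional=True))
    for line in report(directional=True):
        print("  unexpected:", line)
```

Run it and compare the two reports: the loose filter surfaces three flows, the directional one four, the extra being the mail server's own connection to port 25 on an outside host. If that host legitimately relays outbound mail, add `(src host MAIL and dst port 25)` to the allowlist rather than going back to the loose form; the point of the technique is that every term in the filter is something you have consciously decided is normal.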

