Bugtraq mailing list archives
Re: Packet Tracing (linux klog patch)
From: dr () DURSEC COM (Dragos Ruiu)
Date: Thu, 17 Feb 2000 02:17:22 -0800
In a word.. no I'm not sure because I haven't seen it here. That is not an indication that it isn't necessarily there. Of course I'm testing using an smp machine that isn't doing anything else but that sooo it may not be a valid test. I'll ask you about more symptoms of that off line and get back to the list with a summary.

I just peeked at NeTraMet again - still looks neat. I looked at it last summer or fall and had decided that I really didn't want an SNMP mib hollering my traffic statistics to the world so that stealth attacks can come in more easily. But I'll look at it again... Does anyone have any benchmark data for it?

Then I'll look at my isp's netflow settings on their router. :-) I've never looked hard at the security of cisco netflow. :-( Has anyone else?

In similar veins, for more lightly loaded networks, you should check out ntop, and for heavier loads snort's logging. One other option is good old tcpdump or maybe logging in iptraf.

I wanted to put this in the kernel to provide an almost binary bare sensor system to add just one more layer of fun and hassle for intrusion. Removable drive carriers allow export of the data to analysis stations because the sensors are so stripped as to make them virtually useless for any other function and hopefully devoid of most vulnerabilities. Kernel, sh, syslogd and a trivial filesystem should suffice. Maybe only kill, cp/mv and cron for log files.... As a matter of fact you should even be able to disable the IP stack and have it work. Call it the data motel security model and approach... :-)

cheers,
--dr

On Tue, 15 Feb 2000, Andrzej Bialecki wrote:
> On Sat, 12 Feb 2000, Dragos Ruiu wrote:
>
> > How to use it:
> > -This patch makes the kernel log all ethernet packets to syslog.
> > -The logging happens at the default level. I.e. normally on.
> > -You can turn logging on and off at the console by using the Magic SysRq key and a number to change the logging level.
> > -Put the interface into promiscuous mode: ifconfig eth0 promisc
> >
> > Notes:
> > -It makes a neat hotkey sniffer when using the text console too.
> > -It seems to run pretty fast. Any benchmark data welcome (-->dr () dursec com).
> > -try a tail -f /var/log/messages for real time display
>
> I was wondering... Are you sure it doesn't overrun the kernel message buffer? I noticed that sometimes, when you produce tons of messages from within the kernel, some of them are lost.
>
> I would rather use a package such as NeTraMet for doing this - it also does very nice traffic compression in the form of flows - very fast, extremely flexible, uses standard libpcap, doesn't require kernel patching etc...
>
> Andrzej Bialecki // <abial () webgiro com>
> WebGiro AB, Sweden (http://www.webgiro.com)
> // -------------------------------------------------------------------
> // ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
> // --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----
--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver
Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org, RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com