Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Packet Tracing (linux klog patch)

From: dr () DURSEC COM (Dragos Ruiu)
Date: Thu, 17 Feb 2000 02:17:22 -0800

In a word.. no I'm not sure because I haven't seen
it here. That is not an indication that it isn't necessarily there.
Of course I'm testing using an smp machine that isn't
doint anything else but that sooo it may not be a valid test.
I'll ask you about more symptoms of that off line and get
back to the list with a summary.

I just peeked a NeTraMet. again - still looks neat. I looked
at it last summer or fall and had decided that I really didn't
want an SNMP mib hollering my traffic statistics to the world
so that stealth attacks can come in more easily. But I'll look
at it again... Does anyone have any benchmark data for it?
Then I'll look at my isp's netflow settings on their router. :-)
I've never looked hard at the security of cisco netflow. :-(
Has anyone else?

In similar veins, for more lightly loaded networks, you should
check out ntop, and for heavier loads snort's logging. One
other option is good old tcpdump or maybe logging in iptraf.
I wanted to put this in the kernel to provide an almost binary
bare sensor system to add just one more layer of fun and
hassle for intrusion.

Removable drive carriers allow export of the data to analysis
stations because the sensors are so stripped as to make them virtually
useless for any other function and hopefully devoid of most
vulnerabilities. Kernel, sh, syslogd and a trivial filesystem should
suffice. Maybe only kill, cp/mv and cron for log files....
As a matter of fact you should even be able to disable
the IP stack and have it work. Call it the data motel
security model and approach... :-)

cheers,
--dr

On Tue, 15 Feb 2000, Andrzej Bialecki wrote:

On Sat, 12 Feb 2000, Dragos Ruiu wrote:


How to use it:
-This patch makes the kernel log all ethernet packets to syslog.
-The logging happens at the default level.  I.e. normally on.
-You can turn logging on and off at the console by using the Magic SysRq key
 and a number to change the logging level.
-Put the interface into promiscuous mode: ifconfig eth0 promisc

Notes:
-It makes a neat hotkey sniffer when using the text console too.
-It seems to run pretty fast. Any benchmark data welcome(-->dr () dursec com).
-try a tail -f /var/log/messages for real time display


I was wondering... Are you sure it doesn't overrun the kernel message
buffer? I noticed that sometimes, when you produce tons of messages from
within the kernel, some of them are lost.

I would rather use package as NeTraMet for doing this - it also does very
nice traffic compression in the form of flows - very fast, extremely
flexible, uses standard libpcap, doesn't require kernel patching etc...

Andrzej Bialecki

//  <abial () webgiro com> WebGiro AB, Sweden (http://www.webgiro.com)
// -------------------------------------------------------------------
// ------ FreeBSD: The Power to Serve. http://www.freebsd.org --------
// --- Small & Embedded FreeBSD: http://www.freebsd.org/~picobsd/ ----


--
dursec.com / kyx.net - we're from the future                      http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 19-21 Vancouver

Speakers: Ron Gula/NSW, Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
          RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com
Previous By Date Next
Previous By Thread Next

Current thread: