Firewall Wizards mailing list archives
Re: Recording slow scans
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 22 Oct 1998 21:10:52 +1000 (EST)
In some email I received from Stephen P. Berry, sie wrote:
-----BEGIN PGP SIGNED MESSAGE-----Darren Reed <darrenr () reed wattle id au> wrote:How many times do people need to reinvent the wheel ?Until there's a GPL'd wheel out there that I happen to like. Because sometimes all I want is the wheel, and most vendors are car salesmen.Well, why don't you write one for us ? I'm sure we'd all appreciate your time and effort spent on such a project.I did code up the changes I mentioned previously (twiddling libpcap(3) and tcpdump(8) to accept multiple filters and output the results to multiple files). When I have a few more spare cycles, I'll document the changes and submit them to the libpcap/tcpdump maintainers. I have no idea how receptive said maintainers are to unsolicited changes, so I have no idea whether or not the changes are likely to make it into future releases.
well, in the mean time, why don't you make the patches available to the rest of us anyway ? I'm sure others would like to use/abuse/hack on them to make them better.
Anyway, this twiddle and a couple like it really clear up the bottleneck in first-order filtering---the major bottleneck which seems to be characteristic of most tcpdump-based IDSen.
Yup.
But the reason why I'm mentioning all this here is to point out that with comparatively minor coding one can produce fairly usable tools with materials which are already freely available.
For some definition of "usable". I still find it intriguing that "0 packets lost" is different on each of NFR/tcpdump/lananalyzer. [...]
Unless we're talking at cross purposes, I'm pretty sure there's a bottleneck in the database. If one is interested in analysing data over fairly long periods of time (in terms of months rather than hours, say), even reasonably narrow pipes are going to be producing enough data to bog down most analysis engines.
Bah, that's not a "bottleneck", as such. That's just a matter of sizing your data to be analyzed correctly with a machine to analyze it.
One alternative might be to (say) have a box with 5 ethernet ports on it, 1 being the data "tap" and the other 4 for syhponing data off to boxes for processing. For example, you might have one box dedicated to doing TCP processing, another for UDP, another for ICMP/IGMP and another for the remainder.I've considered something similar, but discarded the idea. When I'm doing long-term analysis, I'm very interested in correlations.
The first problem is data collection. Nothing stopping you doing that once you have the data.
Current thread:
- Re: Recording slow scans, (continued)
- Re: Recording slow scans Chuck Benson (Oct 14)
- ifconfig down (was Re: Recording slow scans Rob Quinn (Oct 09)
- Re: ifconfig down (was Re: Recording slow scans Doug Hughes (Oct 13)
- Re: ifconfig down (was Re: Recording slow scans Henry Hertz Hobbit (Oct 13)
- Re: ifconfig down (was Re: Recording slow scans Radovan Semancik (Oct 14)
- Re: Recording slow scans Vern Paxson (Oct 07)
- Re: Recording slow scans Marcus J. Ranum (Oct 07)
- Re: Recording slow scans Stephen P. Berry (Oct 13)
- Re: Recording slow scans Darren Reed (Oct 14)
- Re: Recording slow scans Stephen P. Berry (Oct 23)
- Re: Recording slow scans Darren Reed (Oct 23)
- Re: Recording slow scans Darren Reed (Oct 14)
- Re: Recording slow scans Donald Martin (Oct 14)
- Re: Recording slow scans Darren Reed (Oct 16)
- Re: Recording slow scans Eric Budke (Oct 16)
- Re: Recording slow scans Matt Curtin (Oct 16)
- Re: Recording slow scans Darren Reed (Oct 16)
- Re: Recording slow scans ark (Oct 19)
- Re: Recording slow scans Vern Paxson (Oct 28)