Firewall Wizards mailing list archives

RE: Open Source Port Tracking


From: "Loomis, Rip" <GILBERT.R.LOOMIS () saic com>
Date: Wed, 5 Feb 2003 10:02:30 -0500

I've been trying ntop, but it doesn't track all ports.
I know IPFilter has a count option, but it would be
tedious to set up 65,535x2 rules for all TCP/UDP ports.  
Could someone recommend something else?

There's an ancient tool called nnstat that does what you're
looking for; I don't know if it runs on newer UNIXes - it's
kind of crufty but it's real good for producing network
statistics based on packet level stuff.  A lot of the concepts
of the first version Network Flight Recorder were extensions
and improvements on the ideas in nnstat.

See also iptraf + rrdtool -- I had just happened upon
  http://www.taedium.net/rrd-iptraf/
and it looks as though it will do what I think you want
as well.  I haven't implemented it yet, but I'll be trying
to in the very near future as a supplement to IDSs here.
It will also require some configuration, so it isn't a perfect
fit for what you want.  But just think: Ooh, shiny!  Neat pointy
clicky graphs!

Just for completeness and since I was interested in the topic,
I found a copy of the last unofficial beta of NNstat (3.3b)
and it looks as though it might be non-trivial to get it working
on current operating systems--and I have no interest in running
IRIX 5 or SunOS 4 on a security-critical node.  Actually, it
might be simpler to just re-implement it against libpcap.  If
anyone's done either (get NNstat working on current OSs, or
re-implement the concept with libpcap) I'd love to know more.

Or you could just buy an NFR license...

--
Rip Loomis
Senior Systems Security Engineer, SAIC Enterprise Security Solutions
Brainbench MVP for Internet Security | http://www.brainbench.com
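
The idea raised in the message above, counting traffic for every TCP/UDP port from captured packets rather than from per-port filter rules, can be sketched as follows. This is an added example, not code from the post, NNstat, or NFR. It reads a classic pcap byte string directly with the standard library instead of calling libpcap, and it assumes Ethernet/IPv4 frames and keys each count on the destination port. The helper names and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

PROTOS = {6: "tcp", 17: "udp"}

def l4_key(frame):
    """Return (proto, dst_port) for an Ethernet/IPv4 TCP or UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # IPv4 ethertype only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] not in PROTOS:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:         # later fragment: no L4 header
        return None
    if len(ip) < ihl + 4:                                # ports cut off by snaplen
        return None
    return PROTOS[ip[9]], struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]

def port_counts(pcap):
    """Sum on-the-wire bytes per (proto, dst_port) over a classic pcap byte string."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected classic pcap with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen, wirelen = struct.unpack(end + "II", pcap[off + 8:off + 16])
        key = l4_key(pcap[off + 16:off + 16 + caplen])
        if key:
            counts[key] += wirelen
        off += 16 + caplen
    return counts

# Constructed sample capture (not real traffic). Each frame carries a minimal
# 8-byte L4 stub; only the port fields are meaningful to the counter.
def make_frame(proto, dport, payload_len, frag_off=0):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + payload_len, 0, frag_off,
                     64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    l4 = struct.pack("!HH", 40000, dport) + bytes(4 + payload_len)
    return bytes(12) + b"\x08\x00" + ip + l4

def make_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = make_pcap([make_frame(6, 80, 100), make_frame(17, 53, 30),
                    make_frame(6, 80, 10), make_frame(6, 80, 50, frag_off=185)])
```

Calling `port_counts(SAMPLE)` yields one counter per (protocol, port) pair seen, so no per-port configuration is needed; the non-first fragment in the sample is skipped because it carries no port fields.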