Date: Thu, 13 Feb 1997 23:08:55 +0100
From: j@uriah.heep.sax.de (J Wunsch)
To: cmott@srv.net (Charles Mott)
Cc: freebsd-chat@freebsd.org
Subject: Re: Security Monitoring
Message-ID: <Mutt.19970213230855.j@uriah.heep.sax.de>
In-Reply-To: <Pine.BSF.3.91.970213142645.6299B-100000@darkstar>; from Charles Mott on Feb 13, 1997 14:34:35 -0700
References: <Pine.BSF.3.91.970213142645.6299B-100000@darkstar>
As Charles Mott wrote:

> Are there any programs that use the bpf device to log addresses and make
> a summary? I guess that I would be interested in two levels of summary:
> (1) all tcp/udp connections, which would be very long, and (2) summary of
> outside addresses for incoming and outgoing connections on a given day.

Not that i know of. However, i'm using tcpdump successfully for such
purposes myself. I usually run a Perl script over it nightly; this gives
me something like a ``live firewalling'' that proved to be very useful in
the past. (It often detects even slight anomalies.) I also archive the
logs for later perusal for quite some time, so i can review them if the
summary script yielded some sign of weirdness.

Btw., the `gateway' keyword comes in useful for it. It allows restricting
the monitored traffic to gatewayed traffic (IP traffic that goes to/from a
particular ethernet address but is not destined for the associated IP
address).

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
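The two-level summary Charles asks for, as an added example that is neither Joerg's Perl script nor any FreeBSD code: a Python stand-in that reads `tcpdump -n` output (a constructed sample is embedded) and produces (1) a per-connection list and (2) counts of outside addresses behind incoming and outgoing connections for that day's log. The inside network (10.0.0.0/24 here) is an assumption the caller supplies.

```python
import ipaddress
import re
from collections import Counter

# Constructed `tcpdump -n` lines (not a real capture). 10.0.0.0/24 is the
# inside net; RFC 5737 documentation addresses stand in for outside hosts.
SAMPLE_LOG = """\
23:08:55.100000 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
23:08:55.200000 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 512, length 0
23:09:01.000000 IP 198.51.100.7.40000 > 10.0.0.5.22: Flags [S], seq 3, win 512, length 0
23:09:02.000000 IP 10.0.0.5.53001 > 192.0.2.53.53: UDP, length 40
23:09:03.000000 IP 198.51.100.7.40001 > 10.0.0.5.22: Flags [S], seq 4, win 512, length 0
23:09:04.000000 IP 10.0.0.5.53001 > 192.0.2.53.53: UDP, length 40
"""
# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>" is the shape of -n output
LINE_RE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


def connections(log):
    """Level 1: (ts, proto, src, sport, dst, dport) per connection start.
    TCP counts on the bare SYN only (not the SYN-ACK); UDP once per 4-tuple."""
    seen, out = set(), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, truncated lines: not part of this summary
        ts, src, sport, dst, dport, rest = m.groups()
        if rest.startswith("UDP"):
            proto = "udp"
        elif rest.startswith("Flags [S],"):
            proto = "tcp"
        else:
            continue
        key = (proto, src, int(sport), dst, int(dport))
        if key not in seen:
            seen.add(key)
            out.append((ts,) + key)
    return out


def outside_summary(log, inside_net):
    """Level 2: outside addresses behind incoming and outgoing connections."""
    inside = ipaddress.ip_network(inside_net)
    summary = {"incoming": Counter(), "outgoing": Counter()}
    for _ts, _proto, src, _sp, dst, _dp in connections(log):
        src_in = ipaddress.ip_address(src) in inside
        dst_in = ipaddress.ip_address(dst) in inside
        if src_in and not dst_in:
            summary["outgoing"][dst] += 1  # inside host reached out
        elif dst_in and not src_in:
            summary["incoming"][src] += 1  # outside host came in
    return summary
```

Feeding it the output of `tcpdump -n -l gateway <host>` restricts the summary to gatewayed traffic, as the reply describes; an unexpected address showing up under "incoming" is the kind of anomaly worth a look in the archived full log.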