From: Kevin Wilcox
To: David Brodbeck
Cc: freebsd-questions@freebsd.org
Date: Wed, 5 Jan 2011 13:44:57 -0500
Subject: Re: Bot?
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com>
On 5 January 2011 13:25, David Brodbeck wrote:
> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox wrote:
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router would be ideal unless you've verified, through mechanisms external to the machine (known good test media), the tools on that machine are trustworthy.

kmw
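The point made in this thread, that flow data collected off-box is the view to trust, can be turned into a simple check. The script below is an added example, not code from the thread or from any of the tools named in it: it parses constructed flow records in a hypothetical one-line-per-flow format (as a collector on a separate host might export), summarizes what the suspect host talked to, and lists endpoints that the host's own (possibly tampered) socket listing never reported.

```python
import re
from collections import defaultdict

# Constructed sample flows in a hypothetical "src:sport -> dst:dport proto bytes"
# format; in practice these would come from a collector on a separate machine.
EXTERNAL_FLOWS = """\
192.0.2.10:51234 -> 198.51.100.5:80 tcp 12000
192.0.2.10:51235 -> 198.51.100.5:80 tcp 9800
192.0.2.10:40022 -> 203.0.113.7:6667 tcp 340
192.0.2.10:40023 -> 203.0.113.7:6667 tcp 410
192.0.2.10:40024 -> 203.0.113.7:6667 tcp 390
192.0.2.10:55000 -> 198.51.100.9:53 udp 120
"""

# Constructed: the (dst, dport, proto) endpoints that netstat/sockstat run on the
# suspect host itself claimed to see. A compromised host may omit entries here.
HOST_REPORTED = {("198.51.100.5", 80, "tcp"), ("198.51.100.9", 53, "udp")}

FLOW_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\w+) (\d+)")

def parse_flows(text):
    """Parse the constructed flow format into (src, sport, dst, dport, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            src, sport, dst, dport, proto, nbytes = m.groups()
            flows.append((src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows

def summarize_host(flows, host):
    """Per remote endpoint: (flow count, total bytes) for traffic sourced from host."""
    stats = defaultdict(lambda: [0, 0])
    for src, _, dst, dport, proto, nbytes in flows:
        if src == host:
            stats[(dst, dport, proto)][0] += 1
            stats[(dst, dport, proto)][1] += nbytes
    return {k: tuple(v) for k, v in stats.items()}

def unreported_endpoints(external_summary, host_reported):
    """Endpoints seen on the wire that the host's own tools never mentioned."""
    return sorted(set(external_summary) - set(host_reported))

if __name__ == "__main__":
    summary = summarize_host(parse_flows(EXTERNAL_FLOWS), "192.0.2.10")
    for ep, (n, b) in sorted(summary.items(), key=lambda kv: -kv[1][1]):
        print(f"{ep[0]}:{ep[1]}/{ep[2]}  flows={n} bytes={b}")
    for ep in unreported_endpoints(summary, HOST_REPORTED):
        print("seen on the wire but not reported by the host:", ep)
```

An endpoint that shows up in the off-box flow data but not in the host's own listing is exactly the discrepancy the thread warns about, and is worth pulling a full capture for.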