Date:      Wed, 5 Jan 2011 10:25:39 -0800
From:      David Brodbeck <gull@gull.us>
To:        freebsd-questions@freebsd.org
Subject:   Re: Bot?
Message-ID:  <AANLkTinOewwzjMigG_Bn0+ZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
In-Reply-To: <AANLkTi=+=FGeQevAnxii6m2XK7i+617Mt4EkQfd2Ucv0@mail.gmail.com>
References:  <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com> <AANLkTi=+=FGeQevAnxii6m2XK7i+617Mt4EkQfd2Ucv0@mail.gmail.com>

On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
> On 5 January 2011 10:47, Jerry Bell <jerry@nrdx.com> wrote:
>
>> There could be reasons you
>> aren't seeing a spike, such as you're only looking at traffic processed by
>> the MTA, or it simply doesn't show as a material increase on a graph of
>> traffic on the network interface if the server is busy.
>
> Those are good points and to go a little further regarding looking at
> traffic...
>
> To really see what your machine is doing, consider taking a look at
> the network flows. pfflowd, netflowd, ipaudit and a host of others can
> get you flow data with mostly minimal overhead.

Also, keep in mind that depending on how badly the machine has been
compromised, you may not be able to trust the output of utilities
running on the machine itself.  You may have to resort to capturing
its network traffic on another machine for analysis.
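The two points made in this message and the one it quotes, flow data as the way to see what a host is really doing, and off-host capture because a compromised host's own tools may lie, can be combined into a simple cross-check. The following is an added example, not code from the thread or from pfflowd, netflowd or ipaudit: it parses a constructed, simplified flow-record format (one flow per line: src sport dst dport proto pkts octets), summarises outbound behaviour per local host, flags hosts whose pattern exceeds assumed thresholds (many distinct destinations, many outbound SMTP flows), and lists the connections seen on the wire that the host's own connection listing (also constructed) does not report. The addresses, thresholds and the `192.0.2.` local prefix are all assumptions.

```python
"""Cross-check off-host flow records against a host's own connection table.

Added example for the thread above; not code from pfflowd/netflowd/ipaudit.
The flow-record format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


def parse_flows(text):
    """Parse lines of 'src sport dst dport proto pkts octets'; skip blanks/comments."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, pkts, octets = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), proto, int(pkts), int(octets)))
    return flows


def summarize_by_source(flows):
    """Per source host: number of distinct destinations, outbound SMTP flows, octets sent."""
    acc = defaultdict(lambda: {"dsts": set(), "smtp": 0, "octets": 0})
    for f in flows:
        acc[f.src]["dsts"].add(f.dst)
        if f.dport == 25:
            acc[f.src]["smtp"] += 1
        acc[f.src]["octets"] += f.octets
    return {src: {"distinct_dsts": len(s["dsts"]), "smtp_flows": s["smtp"], "octets": s["octets"]}
            for src, s in acc.items()}


def suspicious_sources(flows, local_prefix="192.0.2.", max_dsts=10, max_smtp=10):
    """Local hosts whose outbound pattern exceeds the (assumed) thresholds -> reasons."""
    flagged = {}
    for src, s in summarize_by_source(flows).items():
        if not src.startswith(local_prefix):
            continue  # only judge our own hosts; inbound senders are out of scope here
        reasons = []
        if s["distinct_dsts"] > max_dsts:
            reasons.append("talks to %d distinct destinations" % s["distinct_dsts"])
        if s["smtp_flows"] > max_smtp:
            reasons.append("%d outbound SMTP flows" % s["smtp_flows"])
        if reasons:
            flagged[src] = reasons
    return flagged


def flows_hidden_from_host(flows, host, host_reported):
    """(dst, dport) pairs seen on the wire from `host` that its own connection
    listing (e.g. netstat/sockstat output, which a rootkit can filter) omits."""
    on_wire = {(f.dst, f.dport) for f in flows if f.src == host}
    return sorted(on_wire - set(host_reported))


# Constructed sample: a mail server (192.0.2.10) that has started spraying SMTP
# to a dozen hosts, a quiet workstation (192.0.2.20), and one legitimate inbound
# delivery from outside.
SAMPLE_FLOWS = "\n".join(
    [
        "# src          sport  dst           dport proto pkts octets",
        "192.0.2.10     51234  203.0.113.5   443   tcp   40   21000",
        "192.0.2.10     51235  203.0.113.7   53    udp   2    180",
        "192.0.2.20     41000  203.0.113.5   443   tcp   30   15000",
        "192.0.2.20     41001  203.0.113.9   80    tcp   10   4000",
        "203.0.113.30   55000  192.0.2.10    25    tcp   20   9000",
    ]
    + ["192.0.2.10 %d 198.51.100.%d 25 tcp 12 3500" % (50000 + i, i) for i in range(1, 13)]
)

# Constructed: what the (possibly compromised) host itself claims to have open.
HOST_REPORTED = [("203.0.113.5", 443), ("203.0.113.7", 53)]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, why in suspicious_sources(flows).items():
        print("suspicious:", host, "; ".join(why))
    for dst, port in flows_hidden_from_host(flows, "192.0.2.10", HOST_REPORTED):
        print("on wire but not reported by host: %s:%d" % (dst, port))
```

The thresholds are deliberately crude; in practice they would be set from a baseline of the host's normal flow volume. The point of the last function is the one David makes: when the wire shows connections the host denies having, the host's output is not evidence you can rely on.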