[unisog] [REN-ISAC] Alert: DNS Smurfing

Peter Van Epp vanepp at sfu.ca
Wed Dec 15 23:34:12 GMT 2004


	Sure, a brief sample report and the perl scripts that run the argus 
sensors and generate the report are available for anon ftp from ftp.sfu.ca
in /pub/unix/argus/argus.traffic.perl.tar.gz although parts of it are FreeBSD
specific (mostly in the sensor monitoring scripts that do ps commands) and it
isn't the prettiest or best code in the world :-). If you are on fast links
there is some Linux kernel ring buffer code from www.ntop.org that will let 
argus (on a 1.4 Gig Athlon processor) keep up at ~950 megabits per second
on 9 K jumbo frames (when a normal 2.6 kernel dropped 50% at the interface 
level) as well. That's running in an experimental sensor on a cross-province
grid computing link, but will move in to my production sensors in the New Year
as well.
	The argus developers list is well worth joining if you are running 
argus and if you have questions feel free to send email!

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada

On Wed, Dec 15, 2004 at 08:21:30AM -0500, Mike.Radomski at itec.suny.edu wrote:
> Peter,
> Thanks for the reply.  I had never heard of argus.  I have it installed 
> and have run some basic reports.  Can you share with me the daily reports 
> you generate?
> 
> Thanks!
> -- 
> Mike Radomski 
> 
> SUNY - ITEC 
> Information Technology Exchange Center 
> Systems Programmer/Analyst 
> E-mail: Mike.Radomski at itec.suny.edu 
> Systems E-Mail: scsys at itec.suny.edu 
> Phone: (716)878-4832 
> Cellular: (716)807-4040 
> Fax: (716)878-3485 
> 
> There are only 10 types of people... 
> Those who understand binary and those who don't. 
> 
> 
> 
> Peter Van Epp <vanepp at sfu.ca> 
> Sent by: unisog-bounces at lists.sans.org
> 12/14/04 03:04 PM
> Please respond to
> UNIversity Security Operations Group <unisog at lists.sans.org>
> 
> 
> To
> UNIversity Security Operations Group <unisog at lists.sans.org>
> cc
> 
> Subject
> Re: [unisog] [REN-ISAC] Alert: DNS Smurfing
> 
> 	A number of us here (me included :-)) use argus: 
> 
> http://www.qosient.com/argus
> 
> 	Here is an article from some years ago about how I use it:
> 
> http://www.usenix.org/publications/login/2001-11/pdfs/epp.pdf
> 
> 	The snort IDS system is another popular choice (www.snort.org)
> 
> Peter Van Epp / Operations and Technical Support 
> Simon Fraser University, Burnaby, B.C. Canada
> 
> On Tue, Dec 14, 2004 at 02:22:06PM -0500, Mike.Radomski at itec.suny.edu 
> wrote:
> > Hello,
> > I have seen many postings in the past about "seeing" traffic and 
> > intrusions on networks.  I am wondering what tools everyone is using to 
> > analyze traffic and detect intrusions, and more importantly anomalies?
> > 
> > Thanks!
> > 
> > -- 
> > Mike Radomski 
> > 
> > SUNY - ITEC 
> > Information Technology Exchange Center 
> > Systems Programmer/Analyst 
> > E-mail: Mike.Radomski at itec.suny.edu 
> > Systems E-Mail: scsys at itec.suny.edu 
> > Phone: (716)878-4832 
> > Cellular: (716)807-4040 
> > Fax: (716)878-3485 
> > 
> > There are only 10 types of people... 
> > Those who understand binary and those who don't. 
> > 
> _______________________________________________
> unisog mailing list
> unisog at lists.sans.org
> http://www.dshield.org/mailman/listinfo/unisog