[unisog] registering servers
reggers at ist.uwaterloo.ca
Fri Jul 28 13:42:09 GMT 2006
wrt. figuring out where your servers are...
We have Cisco routers and archive flowdata as many others do with flow-tools
from splintered.net -- I gather this is similar to the argus system Peter
mentioned. I had assumed the information about TCP flow direction (to
identify the server side of a TCP connection) was already there ... but it
isn't obvious to me. From the start time information on a pair of related
flows I can determine who called whom, but that seems to be an awkward way
of getting the information.
Are there any netflow gurus out there who know some better tricks?
PS. We have a Snort tap and this rule will ring on a server responding with

    alert tcp $HOME_NET any -> any any (msg: "BLEEDING-UW Server Syn/Ack"; flags:SA; sid:99990026; rev:1;)
But that will generate a ton of alerts -- you probably don't want to use it!
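The start-time approach the post describes, worked through in code as an added example (this is not from the original post, from flow-tools or from argus): unidirectional NetFlow-style records are paired into conversations, and the server side is the destination of the flow that started first, with a flow carrying SYN but no ACK treated as a pure initiator. The record layout, the flag bit values and the sample records are constructed for the example; exported flags are assumed to be the cumulative OR over the flow, which is exactly why both directions normally carry SYN and ACK and flags alone do not settle direction.

```python
"""Infer the server side of TCP conversations from paired NetFlow-style records.

Added example: record layout and sample data are constructed, not taken
from flow-tools output.
"""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as carried in the cumulative "tcp_flags" field of a flow record
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Flow:
    start_ms: int   # timestamp of the first packet in the flow, milliseconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int      # OR of every TCP flag seen on packets in this flow


def pair_flows(flows, window_ms=60_000):
    """Group unidirectional flows into (request, reply) pairs.

    Flows sharing the same unordered {(ip, port), (ip, port)} endpoints are
    candidates; a flow is matched to the most recent unmatched flow in the
    opposite direction that started within window_ms before it. Export order
    is irrelevant because each group is sorted by start time first.
    """
    by_key = defaultdict(list)
    for f in flows:
        key = tuple(sorted([(f.src, f.sport), (f.dst, f.dport)]))
        by_key[key].append(f)

    pairs = []
    for group in by_key.values():
        group.sort(key=lambda f: f.start_ms)
        unmatched = []
        for f in group:
            for i, g in enumerate(unmatched):
                opposite = g.src == f.dst and g.sport == f.dport
                if opposite and f.start_ms - g.start_ms <= window_ms:
                    pairs.append((g, f))
                    del unmatched[i]
                    break
            else:
                unmatched.append(f)   # no earlier reverse flow: keep waiting
    return pairs


def server_of(pair):
    """Return (server_ip, server_port) for a pair of related flows.

    The router ORs flags over the whole flow, so both directions usually
    show SYN and ACK and the flags cannot tell caller from callee. A flow
    with SYN but no ACK is an initiator that never completed the handshake
    and decides the question outright; otherwise the flow that started
    first is the caller and its destination is the server.
    """
    a, b = pair
    for f in (a, b):
        if f.flags & TCP_SYN and not f.flags & TCP_ACK:
            return (f.dst, f.dport)
    first = min(a, b, key=lambda f: f.start_ms)
    return (first.dst, first.dport)


def server_inventory(flows):
    """Count conversations per (server_ip, server_port): the 'where are my
    servers' view the post is after."""
    inventory = defaultdict(int)
    for pair in pair_flows(flows):
        inventory[server_of(pair)] += 1
    return dict(inventory)


# Constructed sample export. Records are deliberately not in chronological
# order, and flags are the cumulative OR each side would typically show.
SAMPLE_FLOWS = [
    Flow(1005, "10.1.0.10", 443, "10.1.2.3", 51234, TCP_SYN | TCP_ACK | TCP_FIN),   # reply
    Flow(1000, "10.1.2.3", 51234, "10.1.0.10", 443, TCP_SYN | TCP_ACK | TCP_FIN),   # request
    Flow(2000, "10.1.2.4", 40000, "10.1.0.10", 443, TCP_SYN | TCP_ACK | TCP_FIN),
    Flow(2003, "10.1.0.10", 443, "10.1.2.4", 40000, TCP_SYN | TCP_ACK | TCP_FIN),
    # the web server itself acting as a client towards a database host
    Flow(3000, "10.1.0.10", 55555, "10.1.0.20", 3306, TCP_SYN | TCP_ACK | TCP_FIN),
    Flow(3001, "10.1.0.20", 3306, "10.1.0.10", 55555, TCP_SYN | TCP_ACK | TCP_FIN),
    # a connection that never completed: SYN one way, SYN/ACK back, nothing else
    Flow(4000, "172.16.5.5", 6000, "10.1.0.10", 22, TCP_SYN),
    Flow(4002, "10.1.0.10", 22, "172.16.5.5", 6000, TCP_SYN | TCP_ACK),
]

if __name__ == "__main__":
    for (ip, port), n in sorted(server_inventory(SAMPLE_FLOWS).items()):
        print(f"{ip}:{port}  {n} conversation(s)")
```

The pairing window and the flag heuristic are the two knobs worth tuning against real exports: long-lived flows split by the router's active timeout will appear as extra unpaired records, and an export that zeroes the flags field (some sampling configurations do) falls back entirely to start-time ordering, so the inventory should be cross-checked against something like the Syn/Ack Snort rule above before it is trusted.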