Hey,
I've been testing the connection monitor and have a few questions
regarding possible enhancements. The first thing I was wondering is if
you can store the local address as well as the remote address. So for
example if you type "netstat -a" in the command prompt you'll see local
endpoints and their corresponding remote endpoints. This is important
information about which ports are communicating locally, and possibly
whether there's port-scanning going on. This might be a good way to fill
in that "-1" slot in the log.
Another good enhancement would be to log the explicit state of the
connection from the tcp tables. So for example instead of
"tcp-connection" or "tcp-listening", you could have action states like
"Established", "Listening", "Close Wait", etc. The event type would be
"connection-tcp" or "connection-udp" instead of "connection". This way
you could log more details about the connection while keeping the same
amount of slots in the log.
Thoughts?
-Steve
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc
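Added example (not Capture-HPC code, and not part of the list message above): what the two proposed enhancements look like once the records carry both endpoints and the named TCP state. The script reads "netstat -a" style text (a constructed sample, not captured from a real host) instead of calling the Windows TCP table API so that it runs anywhere, emits one record per row with a "connection-tcp"/"connection-udp" event type, the state written out ("Established", "Close Wait", ...) and the local and remote endpoints, and adds a crude check for a half-open port scan. The comma-separated field layout, the SAMPLE_NETSTAT data and the scan threshold are assumptions for illustration.

```python
"""Turn netstat -a style output into connection-monitor style log records.

Added example: this is not Capture-HPC code. It parses the text form of the
TCP/UDP tables (as printed by "netstat -a") rather than calling the Windows
table APIs, so it runs anywhere; the log field layout is an illustration of
the proposed fields, not the monitor's real log format.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of Windows "netstat -a" output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49152      93.184.216.34:80       ESTABLISHED
  TCP    192.168.1.5:49153      93.184.216.34:80       CLOSE_WAIT
  TCP    192.168.1.5:22         10.0.0.9:40001         SYN_RECEIVED
  TCP    192.168.1.5:23         10.0.0.9:40002         SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.9:40003         SYN_RECEIVED
  TCP    192.168.1.5:443        10.0.0.9:40004         SYN_RECEIVED
  UDP    0.0.0.0:137            *:*
"""

# One table row: protocol, local endpoint, remote endpoint and (TCP only) state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'192.168.1.5:49152' -> ('192.168.1.5', 49152); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def state_name(raw):
    """'CLOSE_WAIT' -> 'Close Wait', 'LISTENING' -> 'Listening'; UDP rows have no state."""
    return raw.replace("_", " ").title() if raw else "-"


def parse_netstat(text):
    """Return one record per TCP/UDP row: event type, state, local and remote endpoint."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # banner and column-header lines
        proto, local, remote, raw_state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        records.append({
            "event": "connection-" + proto.lower(),
            "state": state_name(raw_state),
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
        })
    return records


def format_record(rec):
    """Comma-separated log line with both endpoints filled in (illustrative layout)."""
    def ep(host, port):
        return "%s:%s" % (host, port if port is not None else "*")
    return ",".join([rec["event"], rec["state"],
                     ep(rec["local_host"], rec["local_port"]),
                     ep(rec["remote_host"], rec["remote_port"])])


def half_open_scanners(records, min_ports=4):
    """Remote hosts sitting in Syn Received against min_ports or more distinct local ports.

    Crude heuristic (an assumption for this example): a half-open scan leaves one
    SYN_RECEIVED entry per probed local port, all from the same remote address.
    """
    ports_by_remote = defaultdict(set)
    for rec in records:
        if rec["event"] == "connection-tcp" and rec["state"] == "Syn Received":
            ports_by_remote[rec["remote_host"]].add(rec["local_port"])
    return {host: sorted(ports) for host, ports in ports_by_remote.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    for r in recs:
        print(format_record(r))
    print("possible scanners:", half_open_scanners(recs))
```

The scan check only looks at Syn Received rows, so a full-connect scan, which leaves Established or Time Wait rows instead, would need a broader rule; the point is that once the state and both endpoints are in the record, such rules can be written against the log at all.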