Hey Steve,

Thanks for the test. Yes, it is possible to store the local address; we already do, it's just not exposed to the exclusion lists. I will have a talk to Christian regarding this.

In the underlying kernel driver it already tracks the TCP connection state. It works, but there are a few *nasty* bugs which I've been trying to work on for the past week. We can certainly expose this state once it's properly working. Once again I will have to have a chat to Christian to see if he wants this.

Cheers,
Ramon.

On Thu, Nov 19, 2009 at 11:46 AM, Steve Taylor <steve.tay...@securecommand.com> wrote:
> Hey,
>
> I've been testing the connection monitor and have a few questions regarding possible enhancements. The first thing I was wondering is if you can store the local address as well as the remote address. So for example, if you type "netstat -a" in the command prompt you'll see local endpoints and their corresponding remote endpoint. This is important information: which ports are communicating locally, and possibly if there's port-scanning going on. This might be a good way to fill in that "-1" slot in the log.
>
> Another good enhancement would be to log the explicit state of the connection from the TCP tables. So for example, instead of "tcp-connection" or "tcp-listening", you could have action states like "Established", "Listening", "Close Wait", etc. The event type would be "connection-tcp" or "connection-udp" instead of "connection". This way you could log more details about the connection while keeping the same amount of slots in the log.
>
> Thoughts?
>
> -Steve
>
> _______________________________________________
> Capture-HPC mailing list
> Capture-HPC@public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/capture-hpc
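As an added illustration of the log format Steve proposes (not code from Capture-HPC or from either poster), the following parses netstat-style table lines into events carrying the local endpoint, the remote endpoint, a per-protocol event type ("connection-tcp"/"connection-udp") and a readable TCP state, then flags remote hosts that touch several distinct local ports, the port-scan hint the thread mentions. The sample table, the state name mapping and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -a -n" style output; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.5:49152         203.0.113.7:80         ESTABLISHED
  TCP    10.0.0.5:49153         203.0.113.7:443        CLOSE_WAIT
  TCP    10.0.0.5:22            198.51.100.9:40001     SYN_RECEIVED
  TCP    10.0.0.5:23            198.51.100.9:40002     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.9:40003     SYN_RECEIVED
  UDP    0.0.0.0:123            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Assumed mapping from raw table states to the action states suggested in the thread.
STATE_NAMES = {
    "LISTENING": "Listening", "ESTABLISHED": "Established",
    "CLOSE_WAIT": "Close Wait", "SYN_RECEIVED": "Syn Received",
    "TIME_WAIT": "Time Wait",
}

def parse_netstat(text):
    """Turn netstat lines into events: (event_type, local, remote, state)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        proto, local, remote, state = m.groups()
        event_type = "connection-" + proto.lower()  # connection-tcp / connection-udp
        if proto == "UDP":
            state = "n/a"  # UDP rows carry no state column
        else:
            state = STATE_NAMES.get(state, state)  # keep unknown states verbatim
        events.append((event_type, local, remote, state))
    return events

def scan_suspects(events, min_ports=3):
    """Remote hosts touching several distinct local TCP ports: a port-scan indicator."""
    ports_by_remote = defaultdict(set)
    for event_type, local, remote, state in events:
        if event_type != "connection-tcp" or state == "Listening":
            continue  # listeners have no real peer
        remote_host = remote.rsplit(":", 1)[0]
        local_port = local.rsplit(":", 1)[1]
        ports_by_remote[remote_host].add(local_port)
    return sorted(h for h, p in ports_by_remote.items() if len(p) >= min_ports)
```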