I would opt to leave the functionality for the 3.0 version as is. Let's
get it out and then we can address some of the suggestions as part of a
follow-on release. Since they appear to be fairly minor, I would expect
this release not to take a long time.
I think this is a good opportunity to thank all of you beta testers. You
are identifying issues (and future features) which helps tremendously
in getting Capture 3.0 released (and good features for future
releases). Keep it up and please file the tickets on our trac system, so
they don't get lost... thx
Christian
On Nov 18, 2009, at 4:14 PM, Ramon Steenson <rsteen...@gmail.com> wrote:
Hey Steve,
Thanks for the test. Yes, it is possible to store the local address;
we already do ... it's just not exposed to the exclusion lists. I
will have a talk to Christian regarding this.
In the underlying kernel driver it already tracks the TCP connection
state. It works, but there are a few *nasty* bugs which I've been
trying to work on for the past week. We can certainly expose this
state once it's properly working. Once again I will have to have a
chat to Christian to see if he wants this.
Cheers,
Ramon.
On Thu, Nov 19, 2009 at 11:46 AM, Steve Taylor <steve.tay...@securecommand.com> wrote:
Hey,
I've been testing the connection monitor and have a few questions
regarding possible enhancements. The first thing I was wondering is
if you can store the local address as well as the remote address.
So for example, if you type "netstat -a" in the command prompt you'll
see local endpoints and their corresponding remote endpoints. This
is important information: which ports are communicating locally, and
possibly whether there's port scanning going on. This might be a good
way to fill in that "-1" slot in the log.
Another good enhancement would be to log the explicit state of the
connection from the TCP tables. So for example, instead of
"tcp-connection" or "tcp-listening", you could have action states like
"Established", "Listening", "Close Wait", etc. The event type would
be "connection-tcp" or "connection-udp" instead of "connection".
This way you could log more details about the connection while
keeping the same number of slots in the log.
Thoughts?
-Steve
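The log shape Steve proposes, as an added example (Python, not Capture-HPC's own code and not part of the original thread): it turns constructed "netstat -a" style rows into "connection-tcp"/"connection-udp" events that carry the local endpoint in the formerly empty slot plus the explicit table state, and shows one use of that extra detail, flagging a remote host that touches many local ports. The netstat layout, the state labels and the threshold are assumptions.

```python
# Added example: events in the proposed shape (type, local, remote, state)
# built from netstat-style rows, plus a check that needs the local endpoint.
from collections import defaultdict

# Constructed sample of Windows "netstat -a" output (not captured data).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       10.0.0.9:80            ESTABLISHED
  TCP    192.168.1.5:1046       10.0.0.9:443           CLOSE_WAIT
  TCP    192.168.1.5:22         172.16.0.3:40001       SYN_RECEIVED
  TCP    192.168.1.5:23         172.16.0.3:40002       SYN_RECEIVED
  TCP    192.168.1.5:445        172.16.0.3:40003       SYN_RECEIVED
  UDP    0.0.0.0:500            *:*
"""

# Readable state names as in the proposal ("Established", "Close Wait"); assumed.
STATE_LABELS = {
    "LISTENING": "Listening", "ESTABLISHED": "Established",
    "CLOSE_WAIT": "Close Wait", "SYN_RECEIVED": "Syn Received",
    "SYN_SENT": "Syn Sent", "TIME_WAIT": "Time Wait",
}

def parse_netstat(text):
    """Return one event dict per socket row; header/blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0].lower(), parts[1], parts[2]
        # UDP rows carry no state column; TCP state comes from the TCP table.
        raw_state = parts[3] if proto == "tcp" and len(parts) > 3 else None
        events.append({
            "type": "connection-" + proto,   # instead of a bare "connection"
            "local": local,                  # fills the formerly empty slot
            "remote": None if remote == "*:*" else remote,
            "state": STATE_LABELS.get(raw_state, raw_state),
        })
    return events

def probed_ports_by_remote(events, threshold=3):
    """Remote host -> sorted local ports, for hosts hitting >= threshold ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev["type"] == "connection-tcp" and ev["remote"] and ev["state"] != "Listening":
            host = ev["remote"].rpartition(":")[0]
            ports[host].add(int(ev["local"].rpartition(":")[2]))
    return {h: sorted(p) for h, p in ports.items() if len(p) >= threshold}
```

Half-open rows (Syn Received) against several local ports from one remote host are the pattern the local-endpoint column makes visible; without it the events would collapse into indistinguishable "connection" entries.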
_______________________________________________
Capture-HPC mailing list
Capture-HPC@public.honeynet.org
https://public.honeynet.org/mailman/listinfo/capture-hpc