Hi NFSen folks,
I'm fairly new to NFSen. It's pretty awesome. Thank you Peter and Thorben!
Using our Inmon ITS server I can get a report called 'Compromised Hosts'
that basically lists hosts on our network that are connecting to a large
number of other hosts on particular port #s. Servers on our network
shouldn't generally be connecting to hundreds of other hosts on port 22, so
that's generally a sign that the server is probably compromised in some
way. That's just one example.
The list I get nightly via email looks like this (IPs obfuscated slightly):
IP Source        Destination Port#                  Destinations
10.60.58.21      TCP:139 (netbios-ssn)              422
10.148.72.108    TCP:22 (ssh)                       229
10.148.120.106   TCP:80 (www-http)                  211
10.235.160.43    TCP:25 (smtp)                      68
10.160.22.85     TCP:80 (www-http)                  52
10.160.41.138    TCP:80 (www-http)                  52
10.160.24.136    ICMP:3 (Destination Unreachable)   52
etc...
I'd prefer to get this information from nfsen since ITS might not last much
longer for us. The licensing fees are through the roof and we have a whole
new data center with at least 3 more agents to license. The list of
destination ports and source hosts to pay attention to is pre-defined. I
suppose I could write a plugin to do this but I can't seem to wrap my head
around the plugin writing even with the plugin
guide <http://nfsen.sourceforge.net/PluginGuide/plugin-guide.html> on
sourceforge.net. The plugin guide there seems to start in the middle of a
plugin development using the demoplugin as a base. I'd love to write an
nfsen plugin actually but this guide doesn't really start at the beginning
of writing one. I may be asking some specific questions about this one day
soon though as I re-attempt it.
I'd also like some better DDoS alerting. I found a plugin called 'ddd' but
I think I don't know what filters I need to properly catch a DDoS since
there are quite a few false positives with the default filters included with
the plugin. Does anyone have any ideas on how to first come up with some
baseline numbers and then write the filters? I know what I'm doing within
reason but I get lost trying to wrap my head around all the different ways
to present the data and aggregate it.
Anyway, thanks for reading this. It's a bit of a brain dump. If anyone has
any comments or ideas about how they are doing things please let me know.
Please share with the list if possible.
--
Landon Stewart <lstew...@superb.net>
SuperbHosting.Net by Superb Internet Corp.
Toll Free (US/Canada): 888-354-6128 x 4199
Direct: 206-438-5879
Web hosting and more "Ahead of the Rest": http://www.superbhosting.net
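The fan-out check described in the post (an internal host talking to an unusually large number of distinct destinations on a watched port), plus a simple baseline for picking the threshold, as an added example that is not part of the original message or of NFSen. It assumes a constructed, simplified record format (src_ip dst_ip proto dst_port per line) rather than nfdump's own output; the watched ports mirror the report above, but the thresholds, the internal prefix and the sample flows are assumed values.

```python
"""Flag internal hosts fanning out to many distinct destinations on watched ports."""
from collections import defaultdict
from statistics import median

# Watched services and fan-out thresholds (distinct destinations per day).
# Port list mirrors the report in the post; threshold values are assumed.
WATCHLIST = {"TCP:22": 50, "TCP:25": 50, "TCP:80": 200, "TCP:139": 100}
INTERNAL_PREFIX = "10."  # assumed prefix for "our network"

def fanout(records):
    """Return {(src_ip, 'PROTO:port'): number of distinct destinations}."""
    dests = defaultdict(set)
    for line in records:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the nightly job
        src, dst, proto, dport = parts
        if not src.startswith(INTERNAL_PREFIX):
            continue  # only our own hosts matter as sources
        dests[(src, f"{proto.upper()}:{dport}")].add(dst)
    return {key: len(ips) for key, ips in dests.items()}

def compromised_hosts(records, watchlist=WATCHLIST):
    """List (src_ip, service, n_destinations) at or over threshold, largest first."""
    hits = [(src, svc, n) for (src, svc), n in fanout(records).items()
            if svc in watchlist and n >= watchlist[svc]]
    return sorted(hits, key=lambda hit: hit[2], reverse=True)

def mad_threshold(history, k=3, floor=20):
    """Baseline from past daily fan-out counts: median + k*MAD, never below floor.

    MAD (median absolute deviation) is robust to the occasional bad day in the
    history, unlike mean/stdev, so one old incident does not inflate the threshold.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    return max(floor, med + k * mad)

# Constructed sample: one host sweeping port 22 (60 distinct targets), one normal
# web client that repeats the same 5 destinations many times.
SAMPLE = ([f"10.148.72.108 192.0.2.{i} TCP 22" for i in range(1, 61)]
          + [f"10.160.22.85 198.51.100.{i} TCP 80" for i in range(1, 6)]
          + ["10.160.22.85 198.51.100.1 TCP 80"] * 40)

if __name__ == "__main__":
    for src, svc, n in compromised_hosts(SAMPLE):
        print(f"{src:<16}{svc:<10}{n}")
```

Repeated flows to the same destination do not raise the count, which is what separates a busy web client from a host sweeping a /24; feed the per-host daily counts back into mad_threshold to replace the hard-coded thresholds once a few weeks of history exist.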
_______________________________________________
Nfsen-discuss mailing list
Nfsen-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss