Re: chargen is the new DDoS tool?
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt be...@birkenwald.de wrote:
> we have been getting reports lately about unsecured UDP chargen servers in our network being abused for reflection attacks with spoofed sources
> Anyone else seeing that? Anyone who can think of a legitimate use of chargen/udp these days? Fortunately I can't, so we're going to drop 19/udp at the border within the next hours.

FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160 IPs (with large responses in violation of the RFC). As I recall, some quick investigation indicated it was mostly printers. I notified several of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as a default service in a printer!), the real problem here is networks that allow spoofed traffic onto the public internet. In the rare cases we see spoofed traffic I put special effort into tracing them to their source, and then following up to educate those providers about egress filtering. I'd appreciate it if others did the same.

Damian
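A defender-side way to find the reflectors described above from flow records: an added example, not code from the thread. The flow records are constructed, and the per-flow tuple layout and the 192.0.2.0/24 "internal" prefix are assumptions rather than any collector's real export format.

```python
"""Spot hosts acting as UDP chargen (port 19) reflectors from flow records.

Added example, not from the original thread. The flows below are constructed;
the field layout (one tuple per unidirectional flow) is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass

CHARGEN_PORT = 19
# RFC 864: a UDP chargen reply carries a random number of characters, 0..512.
RFC864_MAX_REPLY = 512


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed sample flows. 192.0.2.0/24 plays "our" network; 203.0.113.10 is
# the victim whose address the attacker spoofed as the request source.
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40000, "192.0.2.5", 19, "udp", 100, 4_000),    # spoofed requests, 40 B each
    Flow("192.0.2.5", 19, "203.0.113.10", 40000, "udp", 100, 102_400),  # 1024 B replies, over RFC max
    Flow("203.0.113.10", 40000, "192.0.2.9", 19, "udp", 50, 2_000),
    Flow("192.0.2.9", 19, "203.0.113.10", 40000, "udp", 50, 20_000),    # 400 B replies, still 10x
    Flow("198.51.100.7", 53000, "192.0.2.5", 53, "udp", 3, 200),        # unrelated DNS, ignored
    Flow("192.0.2.5", 53, "198.51.100.7", 53000, "udp", 3, 600),
]


def find_chargen_reflectors(flows, internal_prefix="192.0.2.", min_amplification=5.0):
    """Return {internal_host: stats} for hosts answering UDP/19 with amplifying replies.

    Because the request source is spoofed, the 'src' of an inbound request and
    the 'dst' of the matching reply are both the victim, so the report also
    shows who is being flooded through each reflector.
    """
    req_bytes = defaultdict(int)
    rep_bytes = defaultdict(int)
    rep_packets = defaultdict(int)
    victims = defaultdict(set)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dport == CHARGEN_PORT and f.dst.startswith(internal_prefix):
            req_bytes[f.dst] += f.bytes
        elif f.sport == CHARGEN_PORT and f.src.startswith(internal_prefix):
            rep_bytes[f.src] += f.bytes
            rep_packets[f.src] += f.packets
            victims[f.src].add(f.dst)

    report = {}
    for host, out in rep_bytes.items():
        inbound = req_bytes.get(host, 0)
        # A reply stream with no visible request stream (sampled or asymmetric
        # collection) is still amplification from the victim's side: unbounded.
        amp = out / inbound if inbound else float("inf")
        avg_reply = out / rep_packets[host]
        if amp >= min_amplification or avg_reply > RFC864_MAX_REPLY:
            report[host] = {
                "request_bytes": inbound,
                "reply_bytes": out,
                "amplification": round(amp, 1),
                "avg_reply_bytes": avg_reply,
                "exceeds_rfc864": avg_reply > RFC864_MAX_REPLY,
                "victims": sorted(victims[host]),
            }
    return report


if __name__ == "__main__":
    for host, stats in find_chargen_reflectors(SAMPLE_FLOWS).items():
        print(host, stats)
```

The "victims" field is what you would hand to the abuse contact: the source address of a spoofed request is never the attacker.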
Re: chargen is the new DDoS tool?
This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart.

On Jun 12, 2013 12:04 AM, Ricky Beam jfb...@gmail.com wrote:
> On Tue, 11 Jun 2013 22:55:12 -0400, valdis.kletni...@vt.edu wrote:
>> But seriously, how do you measure one's security?

Banks and insurance companies supposedly have some interesting actuarial data on this.

> The scope is constantly changing.

Not really. The old tricks are the best tricks. And when a default install of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.

> While there are companies one can pay to do this, those reports are *very* rarely published.

It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not everyone needs to pay for a professional test out of the gate - fix the easily found stuff and then consider next steps. As for exploit writing, you can pay for this and have an 0day for between $10 and $50k (AFAIK - not what I do with my time / money) but while you've got stuff with known issues on the net that any scanner can find, thinking someone is going to think about using an 0day to break into your stuff is a comical wet dream.

> And I've not heard of a single edu performing such an audit.

And you won't. I'm not going to tell you about past problems with my stuff because even after I think I've fixed everything, maybe I missed something that you can now easily find with the information I've disclosed. There are information sharing agreements between entities generally in the same industry (maybe even some group like this for edu?). But this will help with source and signatures; if your network is like a sieve, fix that first :)

> The only statistics we have to run with are of *known* breaches.

As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with the big boys (military, power plants, spy agencies); someone paid top dollar for your stuff because you had everything else closed.

> And that's a very bad metric as a company with no security at all that's had no (reported) intrusions appears to have very good security, while a company with extensive security looks very bad after a few breaches.

I'll take that metric any day :) Most companies only release a break-in if they leak customer data. The only recent example I can think of where this wasn't true was the Canadian company that develops SCADA software disclosing that China stole their stuff. Second, if you look at the stocks of public companies that were hacked a year later, they're always up. The exception to this is HBGary, who pissed off Anonymous and are no longer in business (they had shady practices that were disclosed by the hack - don't do this).

> One has no one sniffing around at all, while the other has teams going at it with pick-axes.

If you have no one sniffing around, you've got issues.

> One likely has no one in charge of security, while the other has an entire security department.

Whether you have a CSO in name or not might not matter. Depending on the size of the organization (and politics), a CTO that understands security can do just as much.
Re: chargen is the new DDoS tool?
On 6/12/13, shawn wilson ag4ve...@gmail.com wrote:
> This is basically untrue. I can deal with a good rant as long as there's some value in it. As it is (I'm sorta sorry) I picked this apart.
> On Jun 12, 2013 12:04 AM, Ricky Beam jfb...@gmail.com wrote:
>> On Tue, 11 Jun 2013 22:55:12 -0400, valdis.kletni...@vt.edu wrote:
>>> But seriously, how do you measure one's security?
> Banks and insurance companies supposedly have some interesting actuarial data on this.
>> The scope is constantly changing.
> Not really. The old tricks are the best tricks. And when a default install

By best, you must mean effective against the greatest number of targets.

> of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.

Backwards compatibility and protocol downgrade-ability is a PITA.

> It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not

For the orgs that the 2K tool is likely to be most useful for, $2k is a lot of cash. The scan tools that are really worth the trouble start around 5K, and people don't like making much investment in security products, until they know they have a known breach on their hands. Many are likely to forego both, purchase the cheapest firewall appliance they can find, that claims to have antivirus functionality, maybe some stateful TCP filtering, and Web policy enforcement to restrict surfing activity; and feel safe, the firewall protects us, no other security planning or products or services req'd.

> As I indicated above, 0days are expensive and no one is going to waste one on you.
> Put another way, if someone does, go home proud - you're in with
[snip]

I would call this wishful thinking; 0days are expensive, so the people who want to use them, will want to get the most value they can get out of the 0day, before the bug gets fixed. That means both small numbers of high value targets, and, then... large numbers of lesser value targets. If you have a computer connected to the internet, some bandwidth, and a web browser or e-mail address, you are a probable target. If a 0day is used against you, it's most likely to be used against your web browser visiting a trusted site you normally visit. The baddies can help protect their investment in 0day exploit code, by making sure that by the time you detect it, the exploit code is long gone, so the infection vector will be unknown.

--
-JH
Re: chargen is the new DDoS tool?
On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess mysi...@gmail.com wrote:
> On 6/12/13, shawn wilson ag4ve...@gmail.com wrote:
>>> The scope is constantly changing.
>> Not really. The old tricks are the best tricks. And when a default install
> By best, you must mean effective against the greatest number of targets.

By best, I mean effective - end of story.

>> of Windows still allows you to request old NTLM authentication and most people don't think twice about this, there's a problem.
> Backwards compatibility and protocol downgrade-ability is a PITA.

Yes, telling people that NT/2k can't be on your network might be a PITA, but not using software or hardware that has gone EOL is sometimes just a sensible business practice.

>> It seems you are referring to two things - exploit writing vs pen testing. While I hate saying this, there are automated tools that could clean up most networks for a few K (they can also take down things if you aren't careful so I'm not saying spend 2k and forget about it). Basically, not
> For the orgs that the 2K tool is likely to be most useful for, $2k is a lot of cash. The scan tools that are really worth the trouble start around 5K, and people don't like making much investment in security products, until they know they have a known breach on their hands. Many are likely to forego both, purchase the cheapest firewall appliance they can find, that claims to have antivirus functionality, maybe some stateful TCP filtering, and Web policy enforcement to restrict surfing activity; and feel safe, the firewall protects us, no other security planning or products or services req'd.

I don't really care to price stuff so I might be a little off here (most of this stuff has free components). Nessus starts at around $1k, Armitage is about the same (but no auto-pown, darn), Metasploit Pro is a few grand. My point being, you can have a decent scanner (Nessus) catching the really bad stuff for not much money (I dislike this line of thought, but if you aren't knowledgeable enough to use tools and just want a report for a grand, there you go).

>> As I indicated above, 0days are expensive and no one is going to waste one on you. Put another way, if someone does, go home proud - you're in with
> [snip]
> I would call this wishful thinking; 0days are expensive, so the people who want to use them, will want to get the most value they can get out of the 0day, before the bug gets fixed.

0days are expensive, so when you see them, someone (Google, Firefox, Adobe, etc) has generally paid for them. Once you see them, they are not 0days (despite what people like to call recently disclosed public vulns - it ain't an 0day).

> That means both small numbers of high value targets, and, then... large numbers of lesser value targets. If you have a computer connected to the internet, some bandwidth, and a web browser or e-mail address, you are a probable target.

No, this means Stuxnet, Duqu, Flame. This means, I spent a million on people pounding on stuff for a year, I'm going to take out a nuclear facility or go after Google or RSA. I want things more valuable than your students' social security numbers.

> If a 0day is used against you, it's most likely to be used against your web browser visiting a trusted site you normally visit.

I don't have anything to back this up off hand, but my gut tells me that most drive-by web site malware isn't that well thought out.

> The baddies can help protect their investment in 0day exploit code, by making sure that by the time you detect it, the exploit code is long gone, so the infection vector will be unknown.

If the US government can't prevent companies from analyzing their work, do you really think random baddies can? Seriously?... No really, seriously? Here's the point: once you use an 0day, it is not an 0day. It's burnt. It might still work on some people, but chances are all your high value targets know about it and it won't work on them.
Re: chargen is the new DDoS tool?
> Do you have any actual evidence that a .edu of (say) 2K employees is statistically *measurably* less secure than a .com of 2K employees? We're sorta lookin' at one now.
> But seriously, how do you measure one's security?

In ounces, unless it's a European university, in which case you use liters. Older systems of measuring security involving mass (pounds and kilos) have been deprecated, and you should not be using them anymore in serious evaluations, although some older CSOs will insist.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One  Phone: +1 520 324 0494
j...@opus1.com  http://www.opus1.com/jms
Re: chargen is the new DDoS tool?
On 6/12/13, Joel M Snyder joel.sny...@opus1.com wrote:
>> But seriously, how do you measure one's security?
> In ounces, unless it's a European university, in which case you use liters. Older systems of measuring security involving mass (pounds and kilos) have been deprecated, and you should not be using them anymore in

You need to count the number of employees/users, information assets, applications, systems, IP addresses on your network, and network ports on your switch, processes running on all your machines, files stored on your servers; and place them in the disjoint non-overlapping categories.

Then decide a 'weight' for each object, 'impact'; for example, the cost of formatting and reinstalling a server, buying new hardware if a device has been bricked; or the cost of re-creating work from scratch, or settling the lawsuit if your environment's security failure allows this particular file's content to be disclosed, lost, corrupted, or made temporarily unavailable due to a DoS.

The weight should be the greatest possible cost of breach, or misbehavior of that object, be that an application, OS, user, switchport, or MAC address, but Users, Applications, Servers, Workstations, Network Devices, and Documents directories are some useful categories to use.

Then assign a probability to each object, based on the expectation of a breach, given the series of expected attacks over a period of time.

Then for each category, take a ratio of the sums of all objects for each category:

    Sum of ( ( 1 minus Probability that an attack succeeds ) X ( Weight ) )
    Divided by (Sum of the Weights)

Example, I have 5 Windows XP servers on my network, which cost me $100 to recover and replace from attack, for the period of time of 1 year, no firewall, RDP open to the world; so there is a 90% chance estimated that an attacker will eventually find the vulnerability on average over the series of attacks I expect to find in one year, except on one system I patched, so there is a 40% chance.

    (0.6 * $100 + 0.1 * $100 + 0.1 * $100 + ) divided by $500

Then when faced with the complete series of attacks, I expect to lose $400 out of $500; so my OS category is 10% secure for the year, in that case.

Your percentage security is the _lowest_, _least desirable_, or _worst_ metric over all the distinct categories you cared about.

> jms

--
-JH
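The metric above carried through in code, as an added example that is not part of the thread: the per-category ratio of weighted survival to total weight, the expected loss, and the worst-category figure the post uses as the headline number. The five-server input is the post's own; the "Users" category, its names, weights and probabilities are constructed.

```python
"""Per-category security percentage as defined in the post above.

Added example, not from the thread. The server figures are the post's own
illustration; the Users category is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str        # e.g. "Servers", "Users", "Network Devices"
    weight: float        # greatest plausible cost of breach/misbehaviour, in dollars
    p_compromise: float  # probability an attack on it succeeds over the period


def category_scores(assets):
    """Return {category: (secure_fraction, expected_loss, total_weight)}.

    secure_fraction = sum((1 - p) * w) / sum(w)   (the ratio in the post)
    expected_loss   = sum(p * w)                  (dollars expected lost)
    """
    weighted_safe = defaultdict(float)
    expected_loss = defaultdict(float)
    total = defaultdict(float)
    for a in assets:
        if not 0.0 <= a.p_compromise <= 1.0:
            raise ValueError(f"{a.name}: probability must be in [0, 1]")
        if a.weight < 0:
            raise ValueError(f"{a.name}: weight must be non-negative")
        weighted_safe[a.category] += (1.0 - a.p_compromise) * a.weight
        expected_loss[a.category] += a.p_compromise * a.weight
        total[a.category] += a.weight
    # A category whose objects all weigh zero carries no risk and is skipped.
    return {
        c: (weighted_safe[c] / total[c], expected_loss[c], total[c])
        for c in total if total[c] > 0
    }


def overall_security(assets):
    """The post's headline number: the worst category's secure fraction."""
    scores = category_scores(assets)
    worst = min(scores, key=lambda c: scores[c][0])
    return worst, scores[worst][0]


# The post's example: five Windows XP servers, $100 each to recover, RDP open to
# the world, 90% chance of compromise over the year except one patched box at 40%.
XP_SERVERS = [Asset(f"xp{i}", "Servers", 100.0, 0.9) for i in range(4)] + [
    Asset("xp-patched", "Servers", 100.0, 0.4)
]
# Constructed second category so the minimum has something to choose between.
USERS = [Asset("alice", "Users", 5000.0, 0.05), Asset("bob", "Users", 5000.0, 0.10)]

if __name__ == "__main__":
    for cat, (secure, loss, total) in category_scores(XP_SERVERS + USERS).items():
        print(f"{cat}: {secure:.0%} secure, expect to lose ${loss:.0f} of ${total:.0f}")
    print("overall:", overall_security(XP_SERVERS + USERS))
```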
Re: chargen is the new DDoS tool?
I'm going to bypass the academic vs. non-academic security argument because I've worked everywhere, and from a security viewpoint, there is plenty of fail to go around.

On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote:
> I run a default deny policy... if nothing asked for it, it doesn't get in.

This is a fine thing and good thing. But as you've expressed it here, it's incomplete, because of that last clause: it doesn't get in. For default-deny to be effective, it has to be bidirectional.

Please don't tell me it can't be done. I've done it. Repeatedly. It's a LOT of work. (Although progress in toolsets keeps making it easier.) But it's also essential, since your responsibility is not just to defend your operation from the Internet, but to defend the Internet from your operation.

---rsk
Re: chargen is the new DDoS tool?
On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson ag4ve...@gmail.com wrote:
> Banks and insurance companies supposedly have some interesting actuarial data on this.

Do you know of any publicly available sources?

thanks,
aaron
Re: chargen is the new DDoS tool?
I thought the modern measure was hours and dollars wasted... Err I mean spent.

Nick

On Jun 12, 2013 5:21 AM, Joel M Snyder joel.sny...@opus1.com wrote:
>> Do you have any actual evidence that a .edu of (say) 2K employees is statistically *measurably* less secure than a .com of 2K employees? We're sorta lookin' at one now.
>> But seriously, how do you measure one's security?
> In ounces, unless it's a European university, in which case you use liters. Older systems of measuring security involving mass (pounds and kilos) have been deprecated, and you should not be using them anymore in serious evaluations, although some older CSOs will insist.
> jms
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One  Phone: +1 520 324 0494
> j...@opus1.com  http://www.opus1.com/jms
Re: chargen is the new DDoS tool?
On Wed, Jun 12, 2013 at 7:14 AM, Aaron Glenn aaron.gl...@gmail.com wrote:
> On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson ag4ve...@gmail.com wrote:
>> Banks and insurance companies supposedly have some interesting actuarial data on this.
> Do you know of any publicly available sources?

I don't. There's a US entity that represents credit card companies that has their own type of Verizon Data Breach Investigations Report where you might find some info of this type. You might also look at how/if AlienVault and others rank threats, which should give you the "how hard is this hack" and "how hard is this to fix" figure.

The theory behind generating this type of actuarial data should be more available than it is. I have a feeling that companies who have this information look at entities in the same type of business and make educated guesses on how breaches affected their bottom line based on stock value and the like. There is probably some private data sharing here as well.
Re: chargen is the new DDoS tool?
Getting back to the topic. I just saw quite a few of our hosts scanned for this by 192.111.155.106, which doesn't say much on its own as http://dacentec.com/ is a hosting company.

On Tue, Jun 11, 2013 at 11:27 PM, Ricky Beam jfb...@gmail.com wrote:
> On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess mysi...@gmail.com wrote:
>> Who really has a solid motive to make them stop working (other than a printer manufacturer who wants to sell them more) ?
> Duh, so people cannot print to them. (amongst various other creative pranks) From a cybercriminal pov, to swipe the things you're printing... like that CC authorization form you just printed, or a confidential contract, etc. (also, in many offices, the printer is also the scanner and fax)
> --Ricky
How ISP's in ARIN region create automatic prefix-filters?
Hi,

as I understand, the ARIN whois database does not contain route objects, which are used for example in the RIPE region for automatic BGP prefix filter generation. How does this work in the ARIN region? I know that at least some ISPs operating in the ARIN region use their own whois databases (for example rr.level3.net) which mirror content from other RIR databases, but are there other methods by which they update their internal databases with records?

regards,
Martin
Re: How ISP's in ARIN region create automatic prefix-filters?
On 2013-06-12, at 13:38, Martin T m4rtn...@gmail.com wrote:
> as I understand, ARIN whois database does not contain route objects, which are used for example in RIPE region for automatic BGP prefix filter generation.

whois.arin.net:43 is for assignment/allocation information. Does not use RPSL.

rr.arin.net:43 is a routing registry that uses RPSL.

> How does this work in ARIN region? I know that at least some ISP's operating in ARIN region use their own whois databases(for example rr.level3.net) which mirror content from other RIR databases, but are there other methods how they update their internal databases with records?

My general advice for anybody who cares to listen is to use the RIPE db for your objects if you are based in the ARIN region. It saves time if/when you come to peer with an organisation based in the RIPE region, and it makes your objects easy to find for anybody who wants to look for them.

You can install a route in the RIPE db corresponding to number resources assigned elsewhere by authenticating against the RIPE-NCC-RPSL-MNT maintainer object, for which the plain-text password is RPSL. Since your new route object will specify mnt-by MAINT-YOURS you will also need to authenticate against that (my favourite method is PGP).

Joe

    mntner:         RIPE-NCC-RPSL-MNT
    descr:          This maintainer may be used to create objects to represent
    descr:          routing policy in the RIPE Database for number resources not
    descr:          allocated or assigned from the RIPE NCC.
    admin-c:        RD132-RIPE
    auth:           MD5-PW # Filtered
    remarks:        ***
    remarks:        * The password for this object is 'RPSL', without the *
    remarks:        * quotes. Do NOT use this maintainer as 'mnt-by'.      *
    remarks:        ***
    mnt-by:         RIPE-DBM-MNT
    referral-by:    RIPE-DBM-MNT
    source:         RIPE # Filtered
Re: chargen is the new DDoS tool?
On Tue, 11 Jun 2013 19:52:02 -0400 Ricky Beam jfb...@gmail.com wrote:
> All of the above plus very poorly managed network / network security. (sadly a Given(tm) for anything ending dot-e-d-u.)

That broad sweeping characterization, without any evidence, can be as casually dismissed without evidence. However, I will go on record, as I'm sure many others will as well, that in my experience the .edu community, particularly the medium to larger schools who have dedicated IT staff, are often amongst the best managed networks, with regards to security or otherwise.

If there is any issue with that sector, you should contact the REN-ISAC, one of the most well executed security constituent groups I've ever seen. They tirelessly reach out and assist on most any educational related incident.

John
Re: Prism continued
Let's see:

- Requires always-on internet connection
- Only available with Kinect
- Includes infrared sensor
- Manufactured by Microsoft, the first company to sign up for Prism

When can I get my Xbox One??

http://www.nbcnews.com/technology/new-kinect-can-track-you-so-well-you-may-not-6C10287970

On 6/9/13 12:26 PM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
> I suppose this system was part of the 20MM as well?
> http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983
> Sent from my Mobile Device.
Re: Prism continued
There is no way they could have paid for all the Splunk licencing costs with the budget quoted before.

On 9 June 2013 18:42, Daniel Rohan dro...@gmail.com wrote:
> Anyone else notice that the Boundless Informant GUI looks suspiciously like the Splunk GUI? And according to the article, it sounds like it does exactly what Splunk is capable of, albeit on a grander scale than I thought possible.
> dgr
> On Jun 9, 2013 9:29 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
>> I suppose this system was part of the 20MM as well?
>> http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983
>> Sent from my Mobile Device.

--
BaconZombie
LOAD *,8,1
Re: Prism continued
Speaking of Splunk; is that really the tool of choice?

On Wed, Jun 12, 2013 at 5:46 PM, Bacon Zombie baconzom...@gmail.com wrote:
> There is no way they could have paid for all the Splunk licencing costs with the budget quoted before.
> On 9 June 2013 18:42, Daniel Rohan dro...@gmail.com wrote:
>> Anyone else notice that the Boundless Informant GUI looks suspiciously like the Splunk GUI? And according to the article, it sounds like it does exactly what Splunk is capable of, albeit on a grander scale than I thought possible.
>> dgr
>> On Jun 9, 2013 9:29 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
>>> I suppose this system was part of the 20MM as well?
>>> http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983
>>> Sent from my Mobile Device.
> --
> BaconZombie
> LOAD *,8,1

--
Phil Fagan
Denver, CO
970-480-7618
Re: Prism continued
It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.

On Wed, Jun 12, 2013 at 4:55 PM, Phil Fagan philfa...@gmail.com wrote:
> Speaking of Splunk; is that really the tool of choice?
> On Wed, Jun 12, 2013 at 5:46 PM, Bacon Zombie baconzom...@gmail.com wrote:
>> There is no way they could have paid for all the Splunk licencing costs with the budget quoted before.
>> On 9 June 2013 18:42, Daniel Rohan dro...@gmail.com wrote:
>>> Anyone else notice that the Boundless Informant GUI looks suspiciously like the Splunk GUI? And according to the article, it sounds like it does exactly what Splunk is capable of, albeit on a grander scale than I thought possible.
>>> dgr
>>> On Jun 9, 2013 9:29 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote:
>>>> I suppose this system was part of the 20MM as well?
>>>> http://gizmodo.com/meet-boundless-informant-the-nsa-tool-that-watches-the-512107983
>>>> Sent from my Mobile Device.
>> --
>> BaconZombie
>> LOAD *,8,1
> --
> Phil Fagan
> Denver, CO
> 970-480-7618

--
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
Re: Prism continued
On 6/12/2013 7:59 PM, Mike Hale wrote:
> It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.

Compare it to most any other SIEM (ArcSight?) and it's a bargain. But still, yeah.

Jeff
Re: Prism continued
--- eyeronic.des...@gmail.com wrote:
From: Mike Hale eyeronic.des...@gmail.com

Splunk

> It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.
--

So is

    tail -f /var/log/router.log | egrep -v 'term1|term2|term3'

or

    cat /var/log/router.log | egrep -v 'term1|term2|term3' | less

;-)

scott
Re: Prism continued
And a basic front-end and you're in business!!

On Jun 12, 2013 6:15 PM, Scott Weeks sur...@mauigateway.com wrote:
> --- eyeronic.des...@gmail.com wrote:
> From: Mike Hale eyeronic.des...@gmail.com
> Splunk
>> It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.
> --
> So is
>     tail -f /var/log/router.log | egrep -v 'term1|term2|term3'
> or
>     cat /var/log/router.log | egrep -v 'term1|term2|term3' | less
> ;-)
> scott
Re: Prism continued
On 06/12/2013 05:13 PM, Scott Weeks wrote:
> cat /var/log/router.log | egrep -v 'term1|term2|term3' | less

Prototypical useless use of cat :)
Re: Prism continued
--- do...@dougbarton.us wrote:
From: Doug Barton do...@dougbarton.us

> On 06/12/2013 05:13 PM, Scott Weeks wrote:
>> cat /var/log/router.log | egrep -v 'term1|term2|term3' | less
> Prototypical useless use of cat :)
-

What would you use and what's wrong with concatenation of a file with nothing? 1+0=1 ;)

scott
Re: Prism continued
On Jun 12, 2013, at 9:01 PM, Scott Weeks sur...@mauigateway.com wrote:
> --- do...@dougbarton.us wrote:
> From: Doug Barton do...@dougbarton.us
>> On 06/12/2013 05:13 PM, Scott Weeks wrote:
>>> cat /var/log/router.log | egrep -v 'term1|term2|term3' | less
>> Prototypical useless use of cat :)
> -
> What would you use and what's wrong with concatenation of a file with nothing? 1+0=1 ;)
---

Wow, a person gets corrected quickly here! ;-) And the answer is...

    egrep -v 'term1|term2|term3' /var/log/router.log | less

All I can say is DOH! :-)

scott
Re: Prism continued
On 2013-06-12, Phil Fagan philfa...@gmail.com sent:
> Speaking of Splunk; is that really the tool of choice?

I've been hearing a lot of good things about logstash these days too, if you prefer the open source route.

http://logstash.net/

--
Chip Marshall c...@2bithacker.net http://2bithacker.net/
Re: Prism continued
On Thu, 13 Jun 2013 00:46:27 +0100, Bacon Zombie said:
> There is no way they could have paid for all the Splunk licencing costs with the budget quoted before.

That's assuming they paid full list price. Ask the ex-CEO of Qwest what happens if you try to turn down an offer the NSA makes you. :)
Re: Prism continued
On Wed, Jun 12, 2013 at 6:30 PM, valdis.kletni...@vt.edu wrote:
> Ask the ex-CEO of Qwest what happens if you try to turn down an offer the NSA makes you. :)

+1

- ferg

--
Fergie, a.k.a. Paul Ferguson
fergdawgster(at)gmail.com
Re: Prism continued
Logstash and Splunk are both wonderful, in my experience. What sets them apart from just a plain grep(1) is that they build an index that points keywords to logging events (lines).

What if you're looking for events related to a specific interface or LSP? Not a problem with a modest log volume, as grep can tear through text nearly as quickly as your disk can pass it up. However, once you have a ton of historical logs, or just a large volume, grep becomes way too slow as you have to retrieve tons of unrelated log messages to check if they're what you're looking for. Having an index gives you a way to search for that interface or LSP name, and get a listing of all the locations that contain log events matching what you're looking for.

In the PRISM context, I highly doubt they're using Splunk for any kind of analysis beyond systems and network management. It's not good at indexing non-texty things. What if you need to search for events that were geographically proximate to one another? That takes a special kind of index.

On Wed, Jun 12, 2013 at 6:13 PM, Chip Marshall c...@2bithacker.net wrote:
> On 2013-06-12, Phil Fagan philfa...@gmail.com sent:
>> Speaking of Splunk; is that really the tool of choice?
> I've been hearing a lot of good things about logstash these days too, if you prefer the open source route.
> http://logstash.net/
> --
> Chip Marshall c...@2bithacker.net http://2bithacker.net/
Re: Prism continued
Decent frontend... hmm... grep --color

Monies please!

Phil Fagan philfa...@gmail.com wrote:
> And a basic front-end and you're in business!!
> On Jun 12, 2013 6:15 PM, Scott Weeks sur...@mauigateway.com wrote:
>> --- eyeronic.des...@gmail.com wrote:
>> From: Mike Hale eyeronic.des...@gmail.com
>> Splunk
>>> It would make sense. It's a friggin' sick syslog analyzer. Expensive as hell, but awesome.
>> --
>> So is
>>     tail -f /var/log/router.log | egrep -v 'term1|term2|term3'
>> or
>>     cat /var/log/router.log | egrep -v 'term1|term2|term3' | less
>> ;-)
>> scott

--
Charles Wyble char...@knownelement.com / 818 280 7059
CTO Free Network Foundation (www.thefnf.org)
Re: Prism continued
Also check out kibana.org for a rather Splunk-like experience.

Chip Marshall c...@2bithacker.net wrote:
> On 2013-06-12, Phil Fagan philfa...@gmail.com sent:
>> Speaking of Splunk; is that really the tool of choice?
> I've been hearing a lot of good things about logstash these days too, if you prefer the open source route.
> http://logstash.net/
> --
> Chip Marshall c...@2bithacker.net http://2bithacker.net/

--
Charles Wyble char...@knownelement.com / 818 280 7059
CTO Free Network Foundation (www.thefnf.org)