One of the many tools for sniffing traffic and gathering statistics is ntop. You can download it from www.ntop.org or use a package manager on your system to install it. There already are cooked packages for popular Linux distributions, such as Red Hat, Debian/Ubuntu and SUSE. Before using it, you have to set up an admin password by running the following:
sudo ntop --set-admin-password
And start it with:
sudo /etc/init.d/ntop start
Now you can go to your IP address (http://127.0.0.1:300) and look for some statistics. This is a very powerful tool that provides a lot of information. You can sort by packets, ports, hosts and so on. Network usage graphs also are helpful in determining the amount of traffic getting into your system.
Remember, no packets should be legitimate in Darknet, so this tool provides great statistical data as to what hosts/networks are responsible for illegal traffic.
Figure 5 shows ntop's graphic interface and its ability to detect host operating systems, vendor and other details in Host view.
Figure 6 presents standard ntop graph capabilities, thanks to built-in support for RRDTool.
To get alerts regarding what exploits are used (if any) on your network, you need a network IDS system. The best one that's publicly available is Snort. You can get it from www.snort.org, and it also is available on many systems as a binary package.
One thing you need to configure in /etc/snort/snort.conf is setting your $HOME_NETWORK variable to match IP addresses and netmask to your configuration. Snort is an intrusion detection system based on a pattern database.
If traffic matches, it will write an alert to a log file (by default in /var/log/snort) and record the packets for later analysis (you can reply to them using the tcpdump -r command or examine them using tools like Wireshark).
With powerful yet not complicated rules, you can write your own signatures or edit existing ones to record traffic that matches your custom criteria. Additionally, you can consider installing Snort support tools, such as IDScenter (see Resources).
There also is a Honeynet project, based on Snort and Sebek technologies. It provides a cut-down Linux system, based on Fedora and custom-built tools with a GUI for incident management (Figure 7).
If you want to go further, there also are projects, such as HIHAT (Highly Interactive Honeypot Analyses Toolkit), that transform popular PHP applications, such as PHPNuke or osCommerce, to fully functional logging, reporting and alerting tools.
You easily can detect commands and SQL injections, cross-site scripting and map involved IPs to geographic locations, as shown in Figure 8.
This simple configuration of putting a server on an internal Darknet allows us to detect and receive alerts on the following:
Actively spreading malware.
Covert channels and possible data leakage.
Suspicious activities (deliberate or not), such as abuse of a company's policy and network reconnaissance attempts (for example, port scanning).
Provide audit trails and record evidence for later investigation.
Provide general network usage statistics for base-lining.
|Dynamic DNS—an Object Lesson in Problem Solving||May 21, 2013|
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
- Dynamic DNS—an Object Lesson in Problem Solving
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- New Products
- Drupal Is a Framework: Why Everyone Needs to Understand This
- Validate an E-Mail Address with PHP, the Right Way
- A Topic for Discussion - Open Source Feature-Richness?
- Download the Free Red Hat White Paper "Using an Open Source Framework to Catch the Bad Guy"
- New Products
- The Secret Password Is...
3 hours 7 min ago
- Keeping track of IP address
4 hours 58 min ago
- Roll your own dynamic dns
10 hours 11 min ago
- Please correct the URL for Salt Stack's web site
13 hours 23 min ago
- Android is Linux -- why no better inter-operation
15 hours 38 min ago
- Connecting Android device to desktop Linux via USB
16 hours 6 min ago
- Find new cell phone and tablet pc
17 hours 4 min ago
18 hours 33 min ago
- Automatically updating Guest Additions
19 hours 42 min ago
- I like your topic on android
20 hours 28 min ago
Free Webinar: Hadoop
How to Build an Optimal Hadoop Cluster to Store and Maintain Unlimited Amounts of Data Using Microservers
Realizing the promise of Apache® Hadoop® requires the effective deployment of compute, memory, storage and networking to achieve optimal results. With its flexibility and multitude of options, it is easy to over or under provision the server infrastructure, resulting in poor performance and high TCO. Join us for an in depth, technical discussion with industry experts from leading Hadoop and server companies who will provide insights into the key considerations for designing and deploying an optimal Hadoop cluster.
Some of key questions to be discussed are:
- What is the “typical” Hadoop cluster and what should be installed on the different machine types?
- Why should you consider the typical workload patterns when making your hardware decisions?
- Are all microservers created equal for Hadoop deployments?
- How do I plan for expansion if I require more compute, memory, storage or networking?