Network Monitoring and Data Collection

The following tools not only report data from logs, they also collect data from diverse sources. Note that some of these tools are starting to tread pretty close to the Intrusion Detection space, which we covered in detail in Chapter 12, "Intrusion Detection Systems (IDS)." It will be interesting to see whether the two types of utilities will interoperate over time.

SWATCH (The System Watcher)

The authors wrote SWATCH to supplement the logging capabilities of out-of-the-box UNIX systems. SWATCH, consequently, has logging capabilities that far exceed your run-of-the-mill syslog. SWATCH provides real-time monitoring, logging, and reporting. Because SWATCH is written in Perl, it is both portable and extensible. SWATCH has several unique features:

  A "backfinger" utility that attempts to grab finger information from an attacking host. (Bear in mind that this opens a connection back to a host that is already hostile, and tells its operator that you noticed.)
  Support for instant paging (so you can receive up-to-the-minute reports).
  Conditional execution of commands. (If this condition is found in a log file, do this.)

Lastly, SWATCH relies on local configuration files. Conveniently, multiple configuration files can exist on the same machine. Therefore, although originally intended only for system administrators, any local user with adequate privileges can use SWATCH.

Author: Stephen E. Hansen and E. Todd Atkins
Platform: UNIX (Perl is required)
URL: http://packetstorm.securify.com/UNIX/IDS/swatch-3.0b4.tar.gz

Watcher

Kenneth Ingham developed Watcher while at the University of New Mexico Computing Center. He explains that the Computing Center was being expanded at the time. As a result, the logging process they were then using was no longer adequate. Ingham was looking for a way to automate log scanning. Watcher was the result of his labors. Watcher analyzes various logs and processes, looking for radically abnormal activity. (The author fine-tuned this process sufficiently that Watcher can interpret the widely variable output of commands such as ps without setting off alarms.) Watcher runs on UNIX systems and requires a C compiler.

Kenneth Ingham
Kenneth Ingham Consulting
1601 Rita Dr. NE
Albuquerque, NM 87106-1127
Phone: 505-262-0602
Email: ingham@i-pi.com
URL: http://www.i-pi.com/watcher.html

lsof (List Open Files)

lsof version 4 traces not simply open files (including network connections, pipes, streams, and so on), but the processes that own them. lsof runs on many UNIX systems, including but not limited to the following:

  AIX
  BSDI BSD/OS
  NetBSD 1.2 and 1.3 for Intel and SPARC-based systems
  FreeBSD
  Digital UNIX (DEC OSF/1)
  HP-UX
  IRIX
  Linux
  NEXTSTEP 3.1 for NEXTSTEP architectures
  SCO UnixWare
  Solaris and SunOS

Author: Vic Abell
Platform: UNIX
URL: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

Private-I

Private-I has two primary functions. First, it serves as a back-end log archiver for Cisco IOS-based routers, PIX and Checkpoint firewalls, and RedCreek VPN devices. Second, it is capable of generating real-time alerts based on known firewall and IOS event codes. Because Private-I has been designed to process the vendor-specific event codes piped to it via syslog, it can alert administrators of problems in real time, as well as produce informative reports.

OpenSystems.com
55 West St.
Walpole, MA 02081
USA
Phone: 508-668-2460
URL: http://www.opensystems.com

WebSense

Though WebSense is best known for its screening capabilities, the product also has powerful logging capabilities. (These have recently been enhanced, as the product has been designed to work closely with PIX firewalls from Cisco.)

WebSense, Inc.
World Headquarters
10240 Sorrento Valley Rd.
San Diego, CA 92121
Phone: 858-320-8000
Fax: 858-458-2950
Email: info@websense.com
URL: http://www.websense.com/

Win-Log version 1

Win-Log is a very simple utility for Windows NT. It logs when, how often, and how long Windows NT is used. (You can use this utility to ascertain whether someone has been rebooting your box, even if they somehow circumvent the Event Log.)

iNFINITY Software
Email: jcross@griffin.co.uk
URL: http://www.isoft.demon.co.uk/

NOCOL/NetConsole v4

NOCOL/NetConsole v4.0 is a suite of standalone applications that perform a wide variety of monitoring tasks. This suite offers a Curses interface, which is great for running on a wide range of terminals. (It does not require X to work.) It is extensible, has support for a Perl interface, and operates on networks running AppleTalk and Novell.

NOCOL/NetConsole v4
Location: ftp://ftp.navya.com/pub/
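The SWATCH feature described above (if a pattern turns up in a log, run a command) and Private-I's real-time alerting on syslog event codes both reduce to the same loop: match each incoming line against a rule table and fire the matching rule's actions. The Python script below is an added example written for this page; it is not SWATCH's or Private-I's own code, and the syslog lines, rule names, thresholds, and commands in it are constructed for illustration. It also shows the caveat any such watcher needs: a log line is attacker-controlled input, so whatever you execute in response must be built as an argument vector, never interpolated into a shell command line.

```python
"""SWATCH-style log watcher: regex rules, per-source thresholds, and conditional
actions that never hand log text to a shell. Added example, not SWATCH's code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample syslog lines for this example; not captured from a real host.
SAMPLE_LOG = """\
Jan 10 08:01:02 gw sshd[2110]: Failed password for root from 192.0.2.7 port 4444 ssh2
Jan 10 08:01:03 gw sshd[2110]: Failed password for root from 192.0.2.7 port 4445 ssh2
Jan 10 08:01:04 gw sshd[2110]: Failed password for root from 192.0.2.7 port 4446 ssh2
Jan 10 08:01:09 gw sshd[2118]: Accepted publickey for alice from 198.51.100.4 port 5222 ssh2
Jan 10 08:02:00 fw %PIX-4-106023: Deny tcp src outside:203.0.113.9/51000 dst inside:10.0.0.5/23 by access-group "outside_in"
Jan 10 08:02:30 gw su[2130]: FAILED su for root by bob; $(rm -rf /) `id`
"""

Action = Callable[..., None]          # called as action(rule, line, match)


@dataclass
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    actions: List[Action]
    threshold: int = 1                # fire once this many lines have matched ...
    key_group: Optional[str] = None   # ... for the same value of this named group


class Watcher:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.counts: Dict[Tuple[str, str], int] = defaultdict(int)
        self.fired: List[Tuple[str, str]] = []   # (rule name, key) for every alert raised

    def feed(self, line: str) -> List[str]:
        """Run one log line through every rule; return the names of rules that fired."""
        line = line.rstrip("\n")
        hits: List[str] = []
        for rule in self.rules:
            m = rule.pattern.search(line)
            if m is None:
                continue
            key = m.group(rule.key_group) if rule.key_group else ""
            self.counts[(rule.name, key)] += 1
            # Fire exactly when the threshold is reached: a burst yields one alert, not N.
            if self.counts[(rule.name, key)] == rule.threshold:
                for act in rule.actions:
                    act(rule, line, m)
                self.fired.append((rule.name, key))
                hits.append(rule.name)
        return hits


def echo(rule: Rule, line: str, m: "re.Match[str]") -> None:
    print(f"[{rule.name}] {line}")


def exec_action(argv_template: List[str], runner: Callable[[List[str]], object]) -> Action:
    """Build an action that runs a command with match groups substituted in.
    Each template word is expanded separately and becomes one argv element, with
    no shell involved, so metacharacters an attacker plants in a log line
    ("; $(rm -rf /)") arrive as inert bytes in an argument instead of executing."""
    def run(rule: Rule, line: str, m: "re.Match[str]") -> None:
        argv = [word.format(line=line, **m.groupdict()) for word in argv_template]
        runner(argv)
    return run


def build_rules(runner: Callable[[List[str]], object]) -> List[Rule]:
    """Hypothetical rule table; the commands stand in for a real mail/paging setup."""
    return [
        Rule("ssh-bruteforce",
             re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)"),
             actions=[echo, exec_action(["mail", "-s", "ssh brute force from {src}", "root"], runner)],
             threshold=3, key_group="src"),
        Rule("fw-deny-telnet",
             re.compile(r"%PIX-4-106023: Deny tcp src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/23 "),
             actions=[echo]),
        Rule("su-failed",
             re.compile(r"su\[\d+\]: FAILED su for (?P<target>\S+) by (?P<user>\S+)"),
             actions=[echo, exec_action(["logger", "-p", "auth.alert", "{line}"], runner)]),
    ]


def run_demo(log_text: str = SAMPLE_LOG, runner=None) -> Tuple[List[Tuple[str, str]], List[List[str]]]:
    """Feed every line to the watcher; return (alerts raised, argv of each command).
    Commands are recorded rather than executed unless a runner such as
    subprocess.run is passed in."""
    executed: List[List[str]] = []
    watcher = Watcher(build_rules(runner or executed.append))
    for line in log_text.splitlines():
        watcher.feed(line)
    return watcher.fired, executed


if __name__ == "__main__":
    alerts, commands = run_demo()
    print("alerts:", alerts)
    print("would run:", commands)
```

Run as-is, `run_demo()` only records the argv it would execute; pass `runner=subprocess.run` to execute for real. Note how the last sample line, which carries shell metacharacters, reaches `logger` as a single inert argument, and how the per-source threshold turns three failed root logins from one address into one page rather than three.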