@RISK Online - The Security Blog
Introduction
Thursday, April 14, 2005
iptraffic - Official Beta Release
All right, enough messing around with this. I'm putting out an
"Official Beta Release". The original ZIP release posted on March
15th has been downloaded almost 1,000 times in just under a month!
I'm extremely happy with all the interest, and I want to make this
a little bit easier.
I'm not ready to release the web front end yet. It's
VERY basic. Instead, I've packaged the code with a large INSTALL.TXT
file. It has details on setting up your system to use
iptraffic, as well as some sample .SQL queries, so you can get a general
idea of where I'm headed with the project.
Please grab a copy of the Official Beta Release:
iptraffic-v0.01.zip
iptraffic is an attempt to learn more about network protocols,
PERL, and MySQL databases by integrating the three components into a
useful tool. My goal is to develop a sniffer written entirely in
PERL and capture the network traffic into a MySQL database. This will
be used to develop network statistics such as protocol distributions
and bandwidth utilization. Once that goal has been realized, this
tool will be used as a foundation for a statistical anomaly
detection engine. I have a phased approach to this overall
project:
- Phase 1: Write a PERL sniffer that can identify and decode
as many network protocols as I can put together. PERL has packages to
decode Ethernet, IP, TCP, UDP, ARP, and STP; Phase 1 will incorporate
those protocols.
- Phase 2: Take the resulting traffic as it's sniffed and parse
it into a normalized database schema. I've come up with a schema
based on the field information provided for each protocol. This is
being enhanced as I write more decodes and figure out how to link the
various tables together for tracking purposes. Options will exist to
send output to Screen, File, and Database.
- Phase 3: Perform analysis of traffic to produce a table of hosts
with their provided services. As the table is developed, hosts would
be manually verified, and the host/service pairs would then be flagged
as "validated". This is a precursor step to developing an Anomaly
Detection database. New host/service pairs would be flagged as
"anomalies" to be validated. This could provide some level of
protection against 0-day exploits.
- Phase 4: Perform analysis of traffic to determine traffic
flow across subnets. The goal is to be able to get a high level
understanding of traffic patterns to aid the development of network
ACLs.
- Phase 5: To Be Determined...
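As an added example (not iptraffic's own code, which is PERL), the following Python sketches the pipeline Phases 1, 3 and 4 describe: decode raw Ethernet/IPv4/TCP frames with struct, collect (host, port) pairs from TCP SYNs, flag pairs that are not in a "validated" baseline, and total bytes per /24 subnet pair. The frames, addresses, ports and the validated table are all constructed sample data; a truncated or malformed header is rejected rather than decoded, and a non-IP frame (the ARP sample) is simply skipped.

```python
"""Added example, not iptraffic's own code: decode -> host/service pairs ->
anomaly flagging -> subnet flow totals, on constructed sample frames."""
import struct
import ipaddress
from collections import Counter

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed sample traffic: a minimal Ethernet/IPv4/TCP frame."""
    tcp_len = 20 + len(payload)
    ip_total = 20 + tcp_len
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def decode(frame):
    """Phase 1: Ethernet -> IPv4 -> TCP. Returns a record, or None for
    anything that is not a well-formed IPv4/TCP frame."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ver_ihl, _, total_len, _, _, _ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # reject non-IPv4, header-length lies, and frames shorter than they claim
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(ip) < total_len:
        return None
    if proto != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    if doff < 20 or len(tcp) < doff:
        return None
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "sport": sport, "dport": dport, "flags": flags, "bytes": total_len}


def service_pairs(records):
    """Phase 3: a SYN without ACK is a client asking dst for a service,
    so (dst, dport) is a candidate host/service pair."""
    return {(r["dst"], r["dport"]) for r in records
            if r is not None and (r["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN}


def find_anomalies(observed, validated):
    """Phase 3: any pair not already validated is flagged for review."""
    return sorted(observed - validated)


def subnet_flows(records, prefix=24):
    """Phase 4: bytes moved between subnet pairs, the raw material for ACLs."""
    totals = Counter()
    for r in records:
        if r is None:
            continue
        s = ipaddress.ip_network(f"{r['src']}/{prefix}", strict=False)
        d = ipaddress.ip_network(f"{r['dst']}/{prefix}", strict=False)
        totals[(str(s), str(d))] += r["bytes"]
    return dict(totals)


# Constructed sample capture: one normal HTTP handshake plus an unexpected
# connection attempt, and an ARP frame the decoder is expected to skip.
FRAMES = [
    build_frame("10.0.1.10", "10.0.2.20", 40000, 80, TCP_SYN),
    build_frame("10.0.2.20", "10.0.1.10", 80, 40000, TCP_SYN | TCP_ACK),
    build_frame("10.0.1.10", "10.0.2.20", 40000, 80, TCP_ACK, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.1.11", "10.0.2.20", 40001, 4444, TCP_SYN),
    bytes(12) + struct.pack("!H", 0x0806) + bytes(28),
]
# Constructed baseline: host/service pairs an operator has marked "validated".
VALIDATED = {("10.0.2.20", 80), ("10.0.2.20", 22)}


def run(frames=FRAMES, validated=VALIDATED):
    records = [decode(f) for f in frames]
    return find_anomalies(service_pairs(records), validated), subnet_flows(records)


if __name__ == "__main__":
    anomalies, flows = run()
    print("anomalies:", anomalies)
    print("flows:", flows)
```

Only the first SYN of a connection counts toward a host/service pair, so repeated traffic to a validated port never raises a flag, while a single SYN to an unvalidated port (4444 here) does; this is the property the Phase 3 plan relies on, and it holds regardless of what the client later sends.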
The following pages include instructions for your initial setup, as well as a basic
database schema and a historical change log.
Please bear in mind, this is a learning project. The code is
VERY basic. I'm certain there are better, and more efficient ways
of accomplishing the work I'm doing. For that reason, I welcome your
comments and feedback.
If you have a way to improve the performance; if you see a mistake or
flaw in my logic or coding, please contact me and let me know. My
goal here is to learn.