My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two machines.

What are my options on monitoring activity on my external card?

This morning I noticed my DSL modem activity light is blinking non-stop. Looking at /var/log/ I don't see anything suspicious.

I feel tempted to add "log" to all my ipfw pass rules, but wonder if there isn't a better way.

I am mostly concerned there is either some kind of attack going on or somehow the machine was hacked and it's running something it's not supposed to.
On 03 March 2004, at 10:51, Francisco Reyes wrote:

> My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two
> machines.
>
> What are my options on monitoring activity on my external card?
>
> This morning I noticed my DSL modem activity light is blinking
> non-stop. Looking at /var/log/ I don't see anything suspicious.
>
> I feel tempted to add "log" to all my ipfw pass rules, but wonder if
> there isn't a better way.
>
> I am mostly concerned there is either some kind of attack going on or
> somehow the machine was hacked and it's running something it's not
> supposed to.

If you really want some real-time control, you might want to try tcpdump, but you'll soon be flooded by the data. Best practice is probably to put some log rules in your IPFW and then use a log parser to get some stats from that. You can also add an IDS of some sort, and chkrootkit on a crontab.

patpro
--
I am looking for a Mac/UNIX sysadmin position (or a young, pretty, rich woman)
http://patpro.net/cv.php
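A minimal log parser of the kind patpro suggests, added here as an example and not code from the thread. It assumes the syslog line format that ipfw writes for rules carrying the "log" keyword (rule number, action, protocol, source, destination, direction, interface); the sample lines, addresses and the interface name fxp0 are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the format ipfw logs via syslog
# (on FreeBSD 4.x these normally land in /var/log/security).
SAMPLE_LOG = """\
Mar  3 10:51:15 gw /kernel: ipfw: 100 Accept TCP 192.168.1.2:1041 10.0.0.5:80 out via fxp0
Mar  3 10:51:15 gw /kernel: ipfw: 100 Accept TCP 10.0.0.5:80 192.168.1.2:1041 in via fxp0
Mar  3 10:51:16 gw /kernel: ipfw: 300 Deny TCP 203.0.113.9:4321 198.51.100.2:135 in via fxp0
Mar  3 10:51:17 gw /kernel: ipfw: 300 Deny TCP 203.0.113.9:4322 198.51.100.2:445 in via fxp0
Mar  3 10:51:18 gw /kernel: ipfw: 100 Accept UDP 198.51.100.2:6881 203.0.113.77:6881 out via fxp0
Mar  3 10:51:19 gw /kernel: ipfw: 100 Accept ICMP:8.0 198.51.100.2 203.0.113.77 out via fxp0
"""

# Ports are optional so that ICMP entries (no port fields) parse too.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

def parse_ipfw_log(text):
    """Yield one dict per ipfw log line; non-ipfw syslog lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(records, iface):
    """Count denied inbound packets per remote source and accepted outbound
    flows per (local host, remote host, port, proto) on one interface."""
    denied = Counter()
    accepted = Counter()
    for r in records:
        if r["iface"] != iface:
            continue
        if r["action"] == "Deny" and r["dir"] == "in":
            denied[r["src"]] += 1
        elif r["action"] == "Accept" and r["dir"] == "out":
            accepted[(r["src"], r["dst"], r["dport"] or "-", r["proto"])] += 1
    return {"denied_in": denied, "accepted_out": accepted}

if __name__ == "__main__":
    stats = summarize(parse_ipfw_log(SAMPLE_LOG), "fxp0")
    for src, n in stats["denied_in"].most_common(5):
        print(f"denied inbound from {src}: {n}")
    for (src, dst, port, proto), n in stats["accepted_out"].most_common(5):
        print(f"{src} -> {dst}:{port} {proto}: {n} packet(s)")
```

Run it against the real file instead of SAMPLE_LOG to see which local host is generating the outbound traffic behind a busy modem light.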
Francisco Reyes wrote:

> My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two machines.
>
> What are my options on monitoring activity on my external card?
>
> This morning I noticed my DSL modem activity light is blinking non-stop.
> Looking at /var/log/ I don't see anything suspicious.
>
> I feel tempted to add "log" to all my ipfw pass rules, but wonder if there
> isn't a better way.
>
> I am mostly concerned there is either some kind of attack going on or
> somehow the machine was hacked and it's running something it's not
> supposed to.

I like trafshow for watching it "live".

Eric
--
------------------------------------------------------------------
Eric Anderson    Sr. Systems Administrator    Centaur Technology
Today is the tomorrow you worried about yesterday.
------------------------------------------------------------------
Francisco,

Wednesday, March 3, 2004, 12:51:15 PM, you wrote:

FR> My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two machines.
FR> What are my options on monitoring activity on my external card?
FR> This morning I noticed my DSL modem activity light is blinking non-stop.
FR> Looking at /var/log/ I don't see anything suspicious.
FR> I feel tempted to add "log" to all my ipfw pass rules, but wonder if there
FR> isn't a better way.
FR> I am mostly concerned there is either some kind of attack going on or
FR> somehow the machine was hacked and it's running something it's not
FR> supposed to.

You may also try sniffit. It shows current TCP/UDP streams in curses windows; it makes it easy to understand where to start searching.

--
Andrew
mailto:resident@b-o.ru
On Wed, Mar 03, 2004 at 09:51:15AM +0000, Francisco Reyes wrote:

> My setup is 4.9-STABLE with IPFW. The machine acts as a gateway for two machines.
>
> What are my options on monitoring activity on my external card?
>
> This morning I noticed my DSL modem activity light is blinking non-stop.
> Looking at /var/log/ I don't see anything suspicious.
>
> I feel tempted to add "log" to all my ipfw pass rules, but wonder if there
> isn't a better way.
>
> I am mostly concerned there is either some kind of attack going on or
> somehow the machine was hacked and it's running something it's not
> supposed to.

There are a lot of utilities in the ports collection that will allow you to monitor your network activity. One small and useful one is net/trafshow. It's not fancy, but it is curses based and will give you a quick idea of what is going on. Other options might be ntop or ethereal.

Nathan
--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
> What are my options on monitoring activity on my external card?

Eric Anderson has recommended "trafshow" to you. It is excellent for a quick look at your traffic. If you want to store historic data, and you need to look at the flows while avoiding the packet-level detail, the best choice is Argus, available in the ports collection. Have a look at the Argus homepage: http://www.qosient.com/argus

Regards,
Borja.