more on passports for Toronto NANOG...

2006-11-22 Thread Robert E. Seastrom


Very little here that we don't already know:

http://news.yahoo.com/s/ap/20061122/ap_on_go_ot/passports_air_travel

*except* for the bit in the third from last paragraph about the
startlingly large percentages (between 25 and 42%) of Americans
traveling to Canada, Mexico, and the Caribbean who don't have
passports.  While the article doesn't come right out and say it, I
won't be surprised if there's a big backlog at the passport office due
to people suddenly realizing they need something they've never had to
have before.

Toronto NANOG is only about 70 days away.  If you're planning on going
and don't yet have a passport, getting your paperwork in ASAP would be
a Good Plan.

---Rob




analyse tcpdump output

2006-11-22 Thread Stefan Hegger

Hi,

I wonder if someone knows a tool to use tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.

It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
the client is waiting for data, etc.

We would like to decrease time to investigate the cause for an unusual network 
behaviour.

Best Stefan 
-- 
Stefan Hegger
Internet System Engineer
[EMAIL PROTECTED]
Tel: +49 5241 8071 334

Lycos Europe GmbH
Carl-Bertelsmann Str. 29
Postfach 315
33311 Gütersloh
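An added example, not from any poster in this thread, of the kind of first-pass tool the question asks for: it parses the default "tcpdump -n" text output, pairs each SYN with the matching SYN-ACK, and reports unanswered SYNs per client address plus the SYN-to-SYN-ACK delays. The sample lines are constructed, and the line format assumed is tcpdump's default TCP summary line.

```python
import re
from collections import defaultdict
# Default "tcpdump -n" TCP line: HH:MM:SS.usec IP src.sport > dst.dport: Flags [..], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample: one normal handshake to port 80, three SYNs from
# 198.51.100.7 that never get a SYN-ACK, and a slower handshake to port 443.
SAMPLE = [
    "16:34:01.123456 IP 10.0.0.5.51234 > 192.0.2.10.80: Flags [S], seq 1000, win 65535, length 0",
    "16:34:01.123890 IP 192.0.2.10.80 > 10.0.0.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "16:34:02.000000 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0",
    "16:34:02.000100 IP 198.51.100.7.40002 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0",
    "16:34:02.000200 IP 198.51.100.7.40003 > 192.0.2.10.80: Flags [S], seq 1, win 1024, length 0",
    "16:34:03.500000 IP 10.0.0.5.51235 > 192.0.2.10.443: Flags [S], seq 5, win 65535, length 0",
    "16:34:03.502000 IP 192.0.2.10.443 > 10.0.0.5.51235: Flags [S.], seq 9, ack 6, win 65535, length 0",
]

def parse_line(line):
    """Fields of one tcpdump TCP line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")          # timestamp -> seconds since midnight
    return {"ts": int(h) * 3600 + int(mi) * 60 + float(s), "flags": m["flags"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"])}

def handshake_report(lines):
    """Pair each SYN with the SYN-ACK ('S.') sent the other way; returns
    (unanswered SYNs per client IP, SYN-to-SYN-ACK delays in milliseconds)."""
    pending = {}                     # (src, sport, dst, dport) -> SYN time
    unanswered = defaultdict(int)
    delays_ms = []
    for line in lines:
        p = parse_line(line)
        if p is None:                # skip non-TCP lines and anything not parsed
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "S":
            pending[key] = p["ts"]
        elif p["flags"] == "S.":     # reply: look up the reversed 4-tuple
            t0 = pending.pop((p["dst"], p["dport"], p["src"], p["sport"]), None)
            if t0 is not None:
                delays_ms.append(round((p["ts"] - t0) * 1000, 3))
    for src, _, _, _ in pending:     # SYNs still waiting at end of capture
        unanswered[src] += 1
    return dict(unanswered), delays_ms
```

Feed it a real capture with "tcpdump -n -r file.pcap | python3 script.py" style piping by passing sys.stdin to handshake_report; a source with many unanswered SYNs or a server with growing delays stands out at once.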


Re: analyse tcpdump output

2006-11-22 Thread Rodrick Brown


On 11/22/06, Stefan Hegger [EMAIL PROTECTED] wrote:


Hi,

I wonder if someone knows a tool to use tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for identical
patterns in the tcpdump output.

It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
the client is waiting for data, etc.

We would like to decrease time to investigate the cause for an unusual network
behaviour.

Best Stefan



http://www.wireshark.org

--
Rodrick R. Brown
http://groups.yahoo.com/group/wallstandtech


RE: analyse tcpdump output

2006-11-22 Thread Brock, Anthony - NET

 -Original Message-
 I wonder if someone knows a tool to use tcpdump output for anomaly
 detection. It is sometimes really time consuming when looking
 for identical patterns in the tcpdump output.

 It would be helpful to get a diff between SYNs and ACKs, e.g.
 Or look for a pattern in a URL. Or just get some time diffs, e.g. when an ACK
 is sent but the client is waiting for data, etc.

For anomaly detection there is Ourmon. It can be downloaded at:

http://jerry.cat.pdx.edu/ourmon/download.html

You can preview it running at Portland State University at:

http://jerry.cat.pdx.edu/ourmon/

However, I believe this isn't as detailed or low-level as what you're
looking for. In any case, it's a great tool for seeing unusual patterns
or strange behavior on your network.

Tony


Re: BGP analyzing tool

2006-11-22 Thread Aaron Glenn


On 11/22/06, Jim McBurnett [EMAIL PROTECTED] wrote:


I guess this would be a good time to ask if anyone knows the status of
the netlantis project.


currently dead, but not indefinitely AFAIK


Re: analyse tcpdump output

2006-11-22 Thread William Waites

Do people still use snort for this? snort -r filename, IIRC

-w

On Wednesday 22 November 2006 at 16:34 +0100, Stefan Hegger wrote:
 Hi,
 
 I wonder if someone knows a tool to use tcpdump output for anomaly
 detection. It is sometimes really time consuming when looking for identical
 patterns in the tcpdump output.

 It would be helpful to get a diff between SYNs and ACKs, e.g., or look for a
 pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
 the client is waiting for data, etc.

 We would like to decrease time to investigate the cause for an unusual
 network behaviour.
 
 Best Stefan 


Re: analyse tcpdump output

2006-11-22 Thread Netfortius

On Wednesday 22 November 2006 09:34, Stefan Hegger wrote:
 Hi,

 I wonder if someone knows a tool to use tcpdump output for anomaly
 detection. It is sometimes really time consuming when looking for identical
 patterns in the tcpdump output.

 It would be helpful to get a diff between SYNs and ACKs, e.g., or look for
 a pattern in a URL. Or just get some time diffs, e.g. when an ACK is sent but
 the client is waiting for data, etc.

 We would like to decrease time to investigate the cause for an unusual
 network behaviour.

 Best Stefan

Here are my suggestions:

1. [NOTE: I am biased toward this one, for some personal reasons ;)] I would 
highly recommend that you read some of the papers of the gold certified SANS 
people - start here:

http://www.giac.org/certified_professionals/listing/gcia_100_781.php

2. Another option is getting Richard Bejtlich's books Intrusion 
Detection ... and Extrusion Detection ... and getting some ideas from that 
material.

Regards,
[another] Stefan


Re: analyse tcpdump output

2006-11-22 Thread Roland Dobbins



On Nov 22, 2006, at 12:37 PM, Netfortius wrote:


I wonder if someone knows a tool to use tcpdump output for anomaly
detection. It is sometimes really time consuming when looking for
identical patterns in the tcpdump output.


For this sort of thing, you can do it far more scalably with NetFlow.
There are several good commercial NetFlow-based anomaly-detection
systems (Arbor, Lancope, Narus, Q1, etc.) and even an open-source
project (currently fallow) called Panoptis.


---
Roland Dobbins [EMAIL PROTECTED] // 408.527.6376 voice

All battles are perpetual.

   -- Milton Friedman