
More Tools for Network Security Monitoring

The purpose of this talk is to improve an administrator's awareness of the hosts and services on a network using open source tools. First I will introduce dhcpdump, a tool to sniff DHCP traffic. Admins can use this tool to keep track of IP addresses assigned to systems as they join a network, independent of any logs kept by the DHCP server. Next I will explain the Passive Asset Detection System (PADS), a tool which watches network traffic and records the services it sees. This program helps an admin passively enumerate services; it is not an active assessment application like Nessus.

After PADS, I will describe P0f. This tool determines the operating system of hosts it sees communicating on the network. It complements PADS, which does not make OS guesses.

Finally I will provide information on the Security Analyst Network Connection Profiler (SANCP). SANCP is a session data collection program which passively summarizes conversations on the network. It can track TCP flows and estimate sessions for stateless protocols like UDP and ICMP. SANCP is integrated with Sguil, the subject of my talk at BSDCan 2004.
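To make the session-data idea concrete, here is an added example of my own (not SANCP's code) that collapses packets into session records: TCP flows are closed on FIN/RST, while UDP and ICMP, which have no handshake, are split into pseudo-sessions by an idle gap. The timeout values and the packet list are constructed for illustration.

```python
from collections import namedtuple

# Minimal packet record; a sniffer such as libpcap would supply these fields.
Pkt = namedtuple("Pkt", "ts proto src sport dst dport flags")

# Assumed policy values (not SANCP's own): idle gap that splits a UDP/ICMP pseudo-session,
# and a grace period after FIN/RST so the trailing ACK still belongs to the closed TCP flow.
IDLE_TIMEOUT = 60.0
TCP_GRACE = 5.0

def flow_key(p):
    """Direction-independent conversation key so both sides of a flow share one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

def summarize(pkts, idle_timeout=IDLE_TIMEOUT, tcp_grace=TCP_GRACE):
    """Collapse packets into session records: proto, key, start, end, packet count."""
    active, sessions = {}, []
    for p in sorted(pkts, key=lambda x: x.ts):
        k = flow_key(p)
        f = active.get(k)
        if f is not None:
            gap = p.ts - f["end"]
            # Stateless protocols: a long silence means a new conversation.
            # TCP: traffic after FIN/RST plus the grace period is a new connection.
            if (p.proto != "tcp" and gap > idle_timeout) or (f["closing"] and gap > tcp_grace):
                sessions.append(active.pop(k))
                f = None
        if f is None:
            f = active[k] = {"proto": p.proto, "key": k, "start": p.ts, "end": p.ts,
                             "pkts": 0, "closing": False}
        f["end"], f["pkts"] = p.ts, f["pkts"] + 1
        if p.proto == "tcp" and set(p.flags or "") & {"F", "R"}:
            f["closing"] = True
    sessions.extend(active.values())  # flows still open when the capture ends
    return sorted(sessions, key=lambda s: s["start"])

# Constructed sample traffic (not a real capture): one SSH connection, two DNS lookups
# separated by a long gap, and one ICMP echo exchange.
SAMPLE = [
    Pkt(0.00, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, "S"),
    Pkt(0.01, "tcp", "10.0.0.9", 22, "10.0.0.5", 40000, "SA"),
    Pkt(30.00, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, "FA"),
    Pkt(30.01, "tcp", "10.0.0.9", 22, "10.0.0.5", 40000, "FA"),
    Pkt(30.02, "tcp", "10.0.0.5", 40000, "10.0.0.9", 22, "A"),
    Pkt(1.00, "udp", "10.0.0.5", 53000, "10.0.0.1", 53, None),
    Pkt(1.05, "udp", "10.0.0.1", 53, "10.0.0.5", 53000, None),
    Pkt(200.00, "udp", "10.0.0.5", 53000, "10.0.0.1", 53, None),
    Pkt(200.04, "udp", "10.0.0.1", 53, "10.0.0.5", 53000, None),
    Pkt(2.000, "icmp", "10.0.0.5", 0, "10.0.0.9", 0, None),
    Pkt(2.001, "icmp", "10.0.0.9", 0, "10.0.0.5", 0, None),
]
```

Running `summarize(SAMPLE)` yields four sessions: the SSH connection (five packets, closed by FIN), two separate DNS conversations split by the idle gap, and the ICMP exchange.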

All of these programs work on UNIX and most are in the FreeBSD ports tree. I will give installation instructions and sample output from each. Should I have any extra time to spare, I may cover other open source tools for NSM purposes. I have a few others in mind already. I'll probably build a case study around using these tools.

speaker: Richard Bejtlich

location not assigned

Copyright © 2003-2011 BSDCan. All rights reserved.