Monitoring Tools

Title: netlog
Authors: Mark (maf+@osu.edu)
Abstract: Set of Perl scripts to monitor and log ARP requests on an Ethernet.

Title: arpwatch
Authors: Lawrence Berkeley Laboratory, Network Research Group
Abstract: Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a system-independent interface for user-level packet capture.

Title: clog 0.0.2
Authors: Brian Mitchell
Abstract: clog is a program that logs all connections on your subnet. It uses the pcap packet capture library to log any SYN packets to a logfile. The output format is designed to be very easily parsed by various text processing tools.

Title: Gabriel v1.0
Authors: Los Altos Technologies, Inc.
Abstract: Gabriel gives the system administrator an early warning of a possible network intrusion by detecting and identifying unauthorized network probing. Gabriel's highlights: ready to run for Sun Solaris 1 and Solaris 2 operating systems; full source included; Perl is NOT required; test script included to simplify evaluation of Gabriel; built-in mechanism to send real-time alerts via pager, phone call, email, or online displays. For Solaris 1 and Solaris 2 systems.

Title: IcmpInfo
Authors: Laurent Demailly
Abstract: IcmpInfo monitors incoming ICMP packets. It can be used to detect and record 'bombs' as well as various network problems.

Title: loginlog
Authors: Mark
Abstract: Monitors utmp and alerts you when someone logs in.

Title: netlog
Authors: Free Software Foundation Inc.
Abstract: An advanced network sniffer system to monitor your networks. These programs are part of the network security system used by Texas A&M University. It can be used for locating suspicious network traffic. The following programs are included:

Title: NFSTrace
Authors: Matt Blaze
Abstract: This is the rpcspy/nfstrace package. It is described in detail in the paper "NFS Tracing by Passive Network Monitoring", which appeared in the January 1992 USENIX conference. You'll need either a DEC machine running ULTRIX (with the packetfilter installed in the kernel) or a Sun running SunOS 4.x (with NIT). Or you'll need to do a bit of hacking.

Title: NFSWatch
Authors: Dave Curry, Jeff Mogul
Abstract: It lets you monitor NFS requests to any given machine, or the entire local network. It mostly monitors NFS client traffic (NFS requests); it also monitors the NFS reply traffic from a server in order to measure the response time.

Title: NOCOL/NetConsole v4.01
Authors: Vikas Aggarwal
Abstract: NOCOL/NetConsole (Network Operation Center OnLine) is a network monitoring package that runs on Unix platforms and is capable of monitoring network and system variables such as ICMP or RPC reachability, RMON variables, nameservers, Ethernet load, port reachability, host performance, SNMP traps, modem line usage, AppleTalk and Novell routes/services, BGP peers, etc. The software is extensible and new monitors can be added easily.

Title: swatch
Authors: Todd Atkins
Abstract: A simple watcher that is designed to monitor system activity.

Title: Tap
Authors: Simon Ney
Abstract: This is the STREAMS pushable module/driver tap. This module will monitor a stream.

Title: TCP Alert
Authors: Dana Nowell
Abstract: Small program that sits on a TCP port listening for connections and logs any such attempts.

Title: tcp_wrappers
Authors: Wietse Venema
Abstract: With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

Title: tocsin
Authors: Doug Hughes
Abstract: This program will catch port scanners that use SYN probes without actually opening up a connection. It works as a good supplement to klaxon. You only need one tocsin process per subnet. Assuming you run it on a shared subnet, it will catch probes on any machine on that subnet. If your machine has multiple subnets, it will default to le0, but you can change that with the -i option.

Title: ttysnoop
Authors: Carl Declerck
Abstract: The package allows you to snoop on login ttys through another tty device or pseudo-tty. The snoop-tty becomes a 'clone' of the original tty, redirecting both input and output from/to it.

Title: xc
Authors: der Mouse
Abstract: I now have a program that behaves superficially like xconns, but with some significant differences: It uses RFC931 to display usernames, when the client host supports RFC931. It allows the user to freeze (and unfreeze) connections, or kill them, independent of the client, and very importantly independent of the server. The KillClient request can be used to forcibly disconnect a client from the server, but only if the client has created a resource, which (for example) neither xkey nor xcrowbar does. It monitors the connection, and if it sees certain dubious requests (currently configurable only by hacking on the source), it pops up a little menu with which the user can allow the request, have it replaced with a NoOperation request, or kill the connection. The dubious requests are, at present, requests to change the host access list, requests to enable or disable access control, and ChangeWindowAttributes requests operating on non-root windows not created by the same client.

Aleph One / aleph1@underground.org Copyright © 1996 Computer Underground Society. All rights reserved.
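The two passive techniques that recur in the entries above, the Ethernet/IP pairing table with change alerts of arpwatch and the logging of bare SYN probes that never open a connection of clog and tocsin, as an added illustration. This is an editor's example, not code from any of the listed tools: it parses raw frames constructed inline instead of reading them from libpcap, and the Monitor class, the sample addresses and the port-scan threshold are hypothetical.

```python
import struct
from collections import defaultdict

ETH_ARP, ETH_IP = 0x0806, 0x0800   # EtherTypes
TCP_SYN, TCP_ACK = 0x02, 0x10      # TCP flag bits


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


class Monitor:
    """Hypothetical passive monitor: an ethernet/ip pairing table with change
    alerts (the arpwatch idea) plus a log of bare SYNs that flags a source
    probing several ports (the clog/tocsin idea)."""

    def __init__(self, scan_threshold=3):
        self.pairings = {}                  # ip -> mac learned from ARP
        self.syn_log = []                   # (src_ip, dst_ip, dst_port)
        self.ports_by_src = defaultdict(set)
        self.alerts = []
        self.scan_threshold = scan_threshold

    def feed(self, frame):
        """Dispatch one raw Ethernet frame by EtherType; anything else is ignored."""
        if len(frame) < 14:
            return
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == ETH_ARP:
            self._arp(frame[14:])
        elif ethertype == ETH_IP:
            self._ipv4(frame[14:])

    def _arp(self, p):
        if len(p) < 28:
            return
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", p[:8])
        if (htype, ptype, hlen, plen) != (1, ETH_IP, 6, 4):
            return                          # only Ethernet/IPv4 ARP
        sender_mac, sender_ip = mac_str(p[8:14]), ip_str(p[14:18])
        # Requests and replies both carry the sender's pairing; learn from either.
        known = self.pairings.get(sender_ip)
        if known is None:
            self.alerts.append(("new station", sender_ip, sender_mac))
        elif known != sender_mac:
            # The ARP-spoofing signal: an IP suddenly claimed by another MAC.
            self.alerts.append(("changed ethernet address", sender_ip, sender_mac, known))
        self.pairings[sender_ip] = sender_mac

    def _ipv4(self, p):
        if len(p) < 20 or p[0] >> 4 != 4:
            return
        ihl = (p[0] & 0x0F) * 4
        if p[9] != 6 or len(p) < ihl + 20:
            return                          # not TCP, or truncated
        src, dst = ip_str(p[12:16]), ip_str(p[16:20])
        dport = struct.unpack("!H", p[ihl + 2:ihl + 4])[0]
        flags = p[ihl + 13]
        # A SYN without ACK is a connection attempt. On a shared segment it is
        # visible whether or not the target answers, so nothing need be opened.
        if flags & TCP_SYN and not flags & TCP_ACK:
            self.syn_log.append((src, dst, dport))
            self.ports_by_src[src].add(dport)
            if len(self.ports_by_src[src]) == self.scan_threshold:
                self.alerts.append(("port scan", src, dst))


# --- constructed sample traffic (not a real capture) ------------------------
def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def arp_frame(sender_mac, sender_ip, target_ip, op=1):
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(sender_mac) + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, ETH_IP, 6, 4, op)
    return (eth + arp + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes("00:00:00:00:00:00") + ip_bytes(target_ip))


def tcp_frame(src_ip, dst_ip, dport, flags):
    eth = mac_bytes("aa:bb:cc:00:00:02") + mac_bytes("aa:bb:cc:00:00:09") + struct.pack("!H", ETH_IP)
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    tcph = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return eth + iph + tcph


def run_demo():
    m = Monitor()
    m.feed(arp_frame("aa:bb:cc:00:00:01", "10.0.0.5", "10.0.0.1"))         # new station
    m.feed(arp_frame("aa:bb:cc:00:00:01", "10.0.0.5", "10.0.0.1"))         # same pairing, quiet
    m.feed(arp_frame("aa:bb:cc:00:00:99", "10.0.0.5", "10.0.0.1", op=2))   # MAC changed
    for port in (21, 22, 23):                                              # SYN sweep
        m.feed(tcp_frame("10.0.0.9", "10.0.0.5", port, TCP_SYN))
    m.feed(tcp_frame("10.0.0.5", "10.0.0.9", 40000, TCP_SYN | TCP_ACK))   # reply, ignored
    return m


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print(*alert)
```

The pairing table keys on the sender fields of every ARP packet, which is exactly what makes the "changed ethernet address" alert useful against ARP spoofing and also why a flapping DHCP lease will produce the same alert; the SYN logger counts distinct destination ports per source, so a single legitimate connection never trips the scan threshold.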