Saturday, September 12, 2009

Argus 3: Situational Awareness (ratop)

You need to know the current state of your network: who is probing your network and services, who is consuming your bandwidth, and what is actually running on it. The main question remains: how much do you know about your network?

Then people talk about Situational Awareness; in fact, Wikipedia has a well-written explanation of it, which you can find here.

As network security operators, we look at Network Situational Awareness, and Argus 3 can be used for exactly this purpose; I'm going to discuss it here. There are a few argus client tools that can be used for near real-time Network Situational Awareness -

- ratop
- rasql/rasqlinsert
- ralabel

Ratop works just like top: it connects to the argus monitor and shows network flow data in a near real-time view. It also offers vi-like features, where you can use / to search for flows and : as a command mode to perform various actions such as flow record filtering and sorting, flow record field reordering, or even extracting flow records for a certain timespan in real time. To run ratop, you must have the argus monitor running first -

shell>argus -mAJZRU 128 -P 561

Use ratop to connect to the argus monitor -

shell>ratop -S localhost:561

Here's the ratop screenshot -

To quit ratop, it is similar to exiting the vi editor: just type :q and you will disconnect from the argus monitor. You can see that ratop is very useful when it comes to monitoring your network in real time; while it doesn't offer deep insight on its own, it gives a quick view of the layer 2/3 network conversations. Other features such as sorting can be toggled on with :s, and filtering with :f.
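To make the filter-and-sort idea concrete, here is an added example (not Argus code, and not part of the original post) that reproduces a miniature ratop-style view in Python: flow records are filtered (like :f), sorted by a chosen field (like :s), and a small defender-side check picks out sources that sent only unanswered TCP requests to many distinct ports on one host, the "who is probing my network" question from the top of the post. The column layout, the field names and the sample flows are constructed to resemble what the ra clients print; the parser and the record format are assumptions of this example, not the actual Argus record format.

```python
"""Added example: a tiny ratop-like view over constructed flow records.

Not Argus project code. The ra-like column layout below is an assumption
made for this example; real Argus output is configured by the client tools.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flows (not captured data), one flow per line:
# StartTime Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State
SAMPLE_FLOWS = """\
12:00:01 tcp 10.0.0.5 51000 -> 192.168.1.10 80 12 6400 CON
12:00:02 tcp 10.0.0.5 51001 -> 192.168.1.10 443 30 24000 CON
12:00:03 udp 10.0.0.7 5353 -> 224.0.0.251 5353 4 400 INT
12:00:04 tcp 203.0.113.9 40001 -> 192.168.1.10 22 1 60 REQ
12:00:04 tcp 203.0.113.9 40002 -> 192.168.1.10 23 1 60 REQ
12:00:04 tcp 203.0.113.9 40003 -> 192.168.1.10 3389 1 60 REQ
12:00:04 tcp 203.0.113.9 40004 -> 192.168.1.10 445 1 60 REQ
12:00:05 tcp 10.0.0.8 52000 -> 192.168.1.20 443 200 150000 CON
"""


@dataclass
class Flow:
    start: str
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int
    pkts: int
    bytes: int
    state: str


def parse_flows(text: str) -> list:
    """Parse the constructed ra-like lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 10:
            continue  # skip blank or malformed lines
        start, proto, saddr, sport, _dir, daddr, dport, pkts, nbytes, state = fields
        flows.append(Flow(start, proto, saddr, int(sport), daddr, int(dport),
                          int(pkts), int(nbytes), state))
    return flows


def top_talkers(flows, key="bytes", n=3, predicate=None):
    """ratop-style view: optional filter (like ':f'), then sort (like ':s').

    `key` is any Flow attribute name; `predicate` is a callable Flow -> bool.
    """
    if predicate is not None:
        flows = [fl for fl in flows if predicate(fl)]
    return sorted(flows, key=lambda fl: getattr(fl, key), reverse=True)[:n]


def probing_sources(flows, min_ports=3):
    """Defender check: sources whose TCP flows to one host stayed in the
    request-only state (no answer) across at least `min_ports` distinct
    destination ports. Returns {(saddr, daddr): sorted list of ports}."""
    ports = defaultdict(set)
    for fl in flows:
        if fl.proto == "tcp" and fl.state == "REQ":
            ports[(fl.saddr, fl.daddr)].add(fl.dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top talkers by bytes:")
    for fl in top_talkers(flows, "bytes", 3):
        print(f"  {fl.saddr}:{fl.sport} -> {fl.daddr}:{fl.dport} {fl.bytes} bytes")
    print("TCP-only view sorted by packets:")
    for fl in top_talkers(flows, "pkts", 3, lambda fl: fl.proto == "tcp"):
        print(f"  {fl.saddr} -> {fl.daddr}:{fl.dport} {fl.pkts} pkts")
    print("Possible probing sources:", probing_sources(flows))
```

In a real deployment the same two operations are what you would do interactively in ratop: narrow the live view with a filter, then sort by bytes or packets to see who dominates the conversation. The probing check is the kind of summary a defender would want alongside that view, since a host that only ever appears in unanswered requests across many ports stands out even when its byte counts are tiny.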

This is part 1, which covers ratop; in part 2 I'm going to discuss rasql/rasqlinsert, and then I will introduce ralabel in part 3. All of them are very effective tools for Network Situational Awareness.

Enjoy (:])

1 comment:

dn1nj4 said... mentions that Argus can "capture of payload data" for "protocol identification, protocol conformance verification and validation". Have you tried this with Argus? How might you use Argus to do this?