Authors: Marcus J. Ranum, Andrew Lambeth, Kent Landfield, Mark Sienkiewicz, Eric Wall
DOI:
Keywords:
Abstract: Determining how you were attacked is essential to developing a response or countermeasure. Usually, a system or network manager presented with a successful intrusion has very little information with which to work: possibly a corrupted log, firewall logs, and perhaps some tcpdump output. When hackers come up with a new technique for cracking a network, it often takes the security community a while to determine the method being used. In aviation, an aircraft's "black box" is used to analyze the details of a crash. We believe a similar capability is needed for networks. Being able to quickly learn how an attack works will shorten the effective useful lifetime of the attack. Additionally, recovered records may be helpful in tracking and prosecuting the attacker. Since we have developed a general-purpose statistics-gathering system, we can use it for more than just security. For example, we may desire a historical record of the usage growth of certain applications, or of the breakdown of traffic types at different times of day. Such records help managers in diagnosing performance problems and planning for growth. This paper describes the architecture of a toolkit for building analysis and statistical event records: the Network Flight Recorder. NFR uses a promiscuous packet interface to pass visible traffic into an internally meta-programmed decision engine that routes packets or their contents to logging backends. In addition to collection, NFR's internal language permits sampling interesting portions of the traffic for analysis. The programming language is simple, but powerful enough that it can perform reasonable analysis on traffic before choosing to log it. For example, it might examine SMTP transactions and only choose those relating to a user who is sending spam or abusive E-mail. This includes generating alert messages, which the rest of the system queues, multiplexes, and delivers. A simplified hyper-query interface allows extensive browsing of stored datasets and statistics from any Java-enabled browser. NFR is currently deployed at a number of ISPs and commercial sites, and is available for download in source code form from www.nfr.net.