Archive

Articles taggués ‘supervision’

Basic munin plugins for Snort

31/05/2023 Aucun commentaire

munin pluginsHere are some basic munin plugins for snort using perfmon (Enable preprocessor perfmonitor in snort.conf)
The snort.conf entry should look something like:

preprocessor perfmonitor: time 300 file /your/path/to/snort.stats pktcnt 5000

(Read the snort docs for more info on performance issues etc.)

Drop Rate:
http://download.gamelinux.org/snort/snort_drop_rate

Pattern Matching:
http://download.gamelinux.org/snort/snort_pattern_match

Traffic speed:
http://download.gamelinux.org/snort/snort_traffic

Alerts:
http://download.gamelinux.org/snort/snort_alerts

Avg KBytes/pkt:
http://download.gamelinux.org/snort/snort_bytes_pkt

Avg Pkts/sec:
http://download.gamelinux.org/snort/snort_pkts

Edit any one of them, to graph what you want from perfmon output. It should be easy!

And now I will test them myself!

Update:
Here is a picture to give you an idea on how the graphs looks:
http://download.gamelinux.org/snort/Snort-Munin-Plugins.pngsource: http://www.gamelinux.org/?p=32

source: GAMELINUX

Find all active IP addresses in a network

21/05/2023 Aucun commentaire

Today I found myself reconfiguring a wireless access point I hadn’t used in a very long time. I no longer have the manual (so I could reset it to factory defaults) nor do I remember what the obscure IP address I configured it with was. Luckily I do know what network it’s setup for ( 192.168.1.x ) but I don’t want to have to try to connect to all 254 IP addresses (192.168.1.1 through 192.168.1.254) as that would take quite some time.

So what I’m going to do is use Nmap a swiss army knife for network operators and system admins. What we’re going to do is use Nmap to scan the entire network and tell us which IP addresses are active. This will allow us to drastically reduce the number of IP addresses we have to try.

There are Nmap versions for all three major OS’s *nix, OS X and Windows. I’ll be showing you the syntax for the *nix/OS X version.

nmap -sP 192.168.1.0/24

replace 192.168.1.0/24 with whatever network it is you’re trying to scan.
The /24 is the netmask of the network in CDIR notation. If you need a cheat sheet you can find one here

Once you press return (or enter) Nmap will start to work pinging each and every IP address on your network and noting which ones respond and which don’t. (Note that if your device has a firewall that discards ping requests it will appear to be down to this scan)

You’ll quickly get an output similar to the following

Starting Nmap 4.50 ( http://insecure.org ) at 2008-08-19 10:15 PDT
HOST 192.168.1.25 appears to be up.
MAC Address: 0:0F:1F:4C:0B:E6 (WW Pcba Test)
Nmap finished: 256 IP addresses (3 hosts up) scanned in 5.711 seconds

Changer le mot de passe perdu de Webmin

15/05/2023 Comments off

Un jour vous pouvez resté bloqué par un mot de passe perdu pour accéder à Webmin et vous auriez besoin d’un moyen de le changer.

Voici comment: pour commencer, connectez-vous à votre système en ssh.Vous devez trouver où Webmin est installé et donc le chemin que le script utilisera pour réinitialiser le mot de passe. Lire la suite…

Monitor Network Connections in Mac OS X for Free with Private Eye

14/05/2023 Comments off

Source: OSXdaily

Private Eye is a free real-time network monitor app for Mac OS X that is extremely easy to use. Upon launching the app, you’ll start to see all open network connections by application and process, and you can then filter connections by app, monitor all open connections, or watch only incoming or outgoing transfer.

private-eye-network-connection-monitor-mac

Connections are reported by application, the time of the connection, and arguably the most useful, the IP address that is being connected to by the app, making it easy to see socket and routing data, letting you know exactly what app is communicating with what server or IP address, for both local and broader internet networks. If you have any interest in networking, privacy, security, or you just want to keep an eye on what apps are connecting to the internet and to where, you should download this app, but it’s also an amazingly useful tool for troubleshooting network problems and figuring out what is using the network.

 

Download and install Private Eye by putting it into your /Applications/ folder, then open PrivateEye to get started. The list of open network connections is easy to read, you’ll see a time stamp of the connection, the application name, and where the connection is going to by IP (or coming from, as determined by the arrow pointing left for in, or right for out).

private-eye-connections

Using the left side menu you can quickly break down connections to see them all, only show incoming transfers, outgoing connections, or display connections by specific application only. Apps are easy to identify in this list, as are daemons running in the background (like PubSubAgent), and command line processes belonging to the user are also visible (ssh, for example).

This is a simple yet powerful tool without the complexity or the learning curves related to compiling and using the command line tools lsof, watch, open_ports, or wireshark, and is therefore highly recommended for anyone who is interested in seeing this kind of information, whether it’s out of general curiosity, or to help troubleshoot and diagnose specific network activities.

How to set up web-based network traffic monitoring system on Linux

26/03/2023 Comments off

When you are tasked with monitoring network traffic on the local network, you can consider many different options to do it, depending on the scale/traffic of the local network, monitoring platforms/interface, types of backend database, etc.

ntopng is an open-source (GPLv3) network traffic analyzer which provides a web interface for real-time network traffic monitoring. It runs on multiple platforms including Linux and MacOS X. ntopng comes with a simple RMON-like agent with built-in web server capability, and uses Redis-backed key-value server to store time series statistics. You can install ntopng network traffic analyzer on any designated monitoring server connected to your network, and use a web browser to access real-time traffic reports available on the server.

In this tutorial, I will describe how to set up a web-based network traffic monitoring system on Linux by using ntopng.

Features of ntopng

  • Flow-level, protocol-level real-time analysis of local network traffic.
  • Domain, AS (Autonomous System), VLAN level statistics.
  • Geolocation of IP addresses.
  • Deep packet inspection (DPI) based service discovery (e.g., Google, Facebook).
  • Historical traffic analysis (e.g., hourly, daily, weekly, monthly, yearly).
  • Support for sFlow, NetFlow (v5/v9) and IPFIX through nProbe.
  • Network traffic matrix (who’s talking to who?).
  • IPv6 support.

Install ntopng on Linux

The official website offers binary packages for Ubuntu and CentOS. So if you use either platform, you can install these packages.

If you want to build the latest ntopng from its source, follow the instructions below. (Update: these instructions are valid for ntopng 1.0. For ntopng 1.1 and higher, see the updated instructions).

To build ntopng on Debian, Ubuntu or Linux Mint:

$ sudo apt-get install libpcap-dev libglib2.0-dev libgeoip-dev redis-server wget libxml2-dev
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

In the above steps, “make geoip” will automatically download a free version of GeoIP databases with wget from maxmind.com. So make sure that your system is connected to the network.

To build ntopng on Fedora:

$ sudo yum install libpcap-devel glib2-devel GeoIP-devel libxml2-devel libxml2-devel redis wget
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

To install ntopng on CentOS or RHEL, first set up EPEL repository, and then follow the same instructions as in Fedora above.

Configure ntopng on Linux

After building ntopng, create a configuration directory for ntopng, and prepare default configuration files as follows. I assume that “192.168.1.0/24” is the CIDR address prefix of your local network.

$ sudo mkir /etc/ntopng -p
$ sudo -e /etc/ntopng/ntopng.start
--local-networks "192.168.1.0/24"
--interface 1
$ sudo -e /etc/ntopng/ntopng.conf
-G=/var/run/ntopng.pid

Lire la suite…