I’ve been having fun with what I expect will be my last weekend of hardcore geeking with my gear at home for a while. Once Baby Thingelstad arrives I’ll have more important things to do!
This weekend I jammed on two tools. First is Snort, which I have setup in a network intrusion detection mode. I now have one of my Fedora boxes listening on an unnumbered interface to all traffic on my gateway. Snort, with the appropriate ruleset, watches all traffic over the wire and takes note of anything suspicious. Snort then logs this to a mysql database and I’m using BASE to review the information. BASE is nothing to get excited about, but it seems to be the best out there.
I am getting some interesting information out of this rig. I’m pretty amazed at how many times SQL Slammer is still hitting me. It tries to get to me about every 20 minutes. Code Red is less active than it was before, but it’s still out there. Perhaps oddest of all is whoever is at hammurabi.acc.umu.se who is hitting Road Sign Math with a large ICMP packet on a seemingly random interval all day.
The other tool I got going this weekend is Cacti. Cacti is a better (I think?) and easier to use (without a question) SNMP graphing tool than MRTG. I’m going to leave MRTG and Cacti running in parallel probably for ever. Some things I like better in MRTG than Cacti. Cacti uses RRDTool 1.2 (as opposed to 1.0) and generates these super nice images with anti-aliasing and robust font support (static image for example, as compared to).
I’d share access to these tools with you like I do with MRTG and my web logs but they require logins and I also don’t know that I want people being able to see attack alerts my intrusion detection system is throwing. You can admire the login pages from the links at the bottom of the page. As a side benefit of this work I’ve now designated a Linux server as a first-class citizen in my server setup and can now deploy other packages on it in the future if I want.