Date: Wed, 5 Jan 2011 13:44:57 -0500
From: Kevin Wilcox <kevin.wilcox@gmail.com>
To: David Brodbeck <gull@gull.us>
Cc: freebsd-questions@freebsd.org
Subject: Re: Bot?
Message-ID: <AANLkTimQy3H5HHGBGqd9JET22GH0ygWOh8DBta310SpY@mail.gmail.com>
In-Reply-To: <AANLkTinOewwzjMigG_Bn0+ZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
References: <4D249129.6090008@webtent.net> <4D249298.9080706@nrdx.com> <AANLkTi=+=FGeQevAnxii6m2XK7i+617Mt4EkQfd2Ucv0@mail.gmail.com> <AANLkTinOewwzjMigG_Bn0+ZL7GzvfL7Nq_FGBHyCNbsj@mail.gmail.com>
On 5 January 2011 13:25, David Brodbeck <gull@gull.us> wrote:
> On Wed, Jan 5, 2011 at 8:15 AM, Kevin Wilcox <kevin.wilcox@gmail.com> wrote:
>> To really see what your machine is doing, consider taking a look at
>> the network flows. pfflowd, netflowd, ipaudit and a host of others can
>> get you flow data with mostly minimal overhead.
> Also, keep in mind that depending on how badly the machine has been
> compromised, you may not be able to trust the output of utilities
> running on the machine itself. You may have to resort to capturing
> its network traffic on another machine for analysis.

That's an excellent point. A span port from the upstream switch/router would be ideal unless you've verified, through mechanisms external to the machine (known good test media), the tools on that machine are trustworthy.

kmw
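As an added illustration of the flow-analysis approach discussed above (example code, not from the thread or from any of the tools named in it): once flows have been collected off-box, a short script like this one aggregates the suspect host's outbound connections by destination and port and lists those on ports the host has no business using. The CSV record layout, the suspect address and the expected-port set are assumptions; real pfflowd/netflowd output is binary NetFlow and would need decoding first.

```python
# Added example, not code from the thread: summarise flow records captured
# off-box (e.g. from a span port) for one suspect host. Records are constructed
# here in a simple CSV form; real pfflowd/netflowd output is binary NetFlow and
# would need decoding first.
import csv
import io
from collections import defaultdict

SUSPECT = "192.0.2.10"  # assumed address of the possibly compromised machine
EXPECTED_PORTS = {22, 53, 80, 443}  # assumed: ports this host should be using

# Constructed sample flows: normal web/DNS/SSH traffic plus a long-lived
# outbound connection on a non-standard port, as an IRC-style bot might keep.
SAMPLE_FLOWS = """\
start,proto,src,sport,dst,dport,packets,bytes
1294251600,tcp,192.0.2.10,50123,198.51.100.5,80,12,4800
1294251605,udp,192.0.2.10,53412,192.0.2.1,53,2,180
1294251610,tcp,192.0.2.10,50124,203.0.113.77,6667,4000,320000
1294251700,tcp,192.0.2.10,50125,198.51.100.6,443,30,15000
1294251800,tcp,192.0.2.10,50126,203.0.113.77,6667,3900,310000
1294251900,tcp,198.51.100.9,40000,192.0.2.10,22,20,3000
"""


def summarise_outbound(flow_csv, host):
    """Aggregate flows initiated by `host`, keyed by (dst, dport)."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] != host:
            continue  # inbound flows are not what we are looking for here
        key = (row["dst"], int(row["dport"]))
        totals[key]["flows"] += 1
        totals[key]["packets"] += int(row["packets"])
        totals[key]["bytes"] += int(row["bytes"])
    return dict(totals)


def suspicious_destinations(flow_csv, host, expected_ports=EXPECTED_PORTS):
    """(dst, dport) pairs on ports outside the expected set, biggest first."""
    summary = summarise_outbound(flow_csv, host)
    odd = [(k, v) for k, v in summary.items() if k[1] not in expected_ports]
    return [k for k, v in sorted(odd, key=lambda kv: kv[1]["bytes"], reverse=True)]


if __name__ == "__main__":
    for (dst, dport), st in summarise_outbound(SAMPLE_FLOWS, SUSPECT).items():
        print(f"{dst}:{dport} flows={st['flows']} bytes={st['bytes']}")
    print("unexpected ports:", suspicious_destinations(SAMPLE_FLOWS, SUSPECT))
```

Because the records come from the span port rather than from the host, the result holds even if the host's own netstat or sockstat output has been tampered with.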