
Monitoring Tools

 Title: netlog
 Authors: Mark (maf+@osu.edu)
 Abstract:

   Set of Perl scripts to monitor and log ARP requests on an Ethernet.

 Title: arpwatch
 Authors: Lawrence Berkeley Laboratory, Network Research Group
 Abstract:

   Arpwatch is a tool that monitors Ethernet activity and keeps a database of Ethernet/IP
   address pairings. It also reports certain changes via email. Arpwatch uses libpcap, a
   system-independent interface for user-level packet capture.
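The pairing table that arpwatch (and, for ARP requests, netlog) builds is the whole detection technique: learn which MAC answers for each IP, then report when that binding changes. The script below is an added example written for this page, not code from arpwatch or netlog; it parses raw Ethernet/ARP frames and reports the three events arpwatch itself names, "new station", "changed ethernet address" (what an ARP spoofing attack looks like on the wire) and "flip flop" (a binding reverting to an earlier address). The MAC addresses, IPs and the capture are constructed so the script runs offline; feeding it real frames from a libpcap capture is the only change needed.

```python
"""arpwatch-style IP/MAC pairing monitor over raw Ethernet/ARP frames.
Added example for this page, not arpwatch's or netlog's own code.
All addresses and frames below are constructed test data."""
import struct

ETH_P_ARP = 0x0806


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(sender_mac: bytes, sender_ip: str, target_ip: str, opcode: int = 2) -> bytes:
    """Constructed test frame: Ethernet II header followed by an RFC 826 ARP body
    for IPv4 over Ethernet (hlen 6, plen 4).  opcode 1 = request, 2 = reply."""
    dst_mac = b"\xff" * 6 if opcode == 1 else b"\x00\x0c\x29\x00\x00\x01"
    eth = dst_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sender_mac + ip_to_bytes(sender_ip)
    arp += b"\x00" * 6 + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame,
    or None for anything else (other ethertype, truncated, other hardware types)."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpMonitor:
    """Tracks IP -> MAC bindings and records events the way arpwatch reports them."""

    def __init__(self):
        self.current = {}     # ip -> mac we currently believe it has
        self.history = {}     # ip -> every mac ever seen for it
        self.events = []      # (kind, ip, old_mac, new_mac)

    def feed(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _opcode, mac, ip = parsed
        if ip == "0.0.0.0":   # ARP probe (RFC 5227): no binding to learn yet
            return None
        old = self.current.get(ip)
        if old == mac:
            return None       # same pairing as before: nothing to report
        if old is None:
            kind = "new station"
        elif mac in self.history.get(ip, set()):
            kind = "flip flop"
        else:
            kind = "changed ethernet address"
        self.current[ip] = mac
        self.history.setdefault(ip, set()).add(mac)
        event = (kind, ip, old, mac)
        self.events.append(event)
        return event


GATEWAY_MAC = b"\x00\x0c\x29\x00\x00\x01"    # constructed addresses
HOST_MAC = b"\x00\x0c\x29\x00\x00\x05"
ATTACKER_MAC = b"\xde\xad\xbe\xef\x00\x99"

SAMPLE_FRAMES = [                                                    # constructed capture
    build_arp(GATEWAY_MAC, "10.0.0.1", "10.0.0.5"),                  # gateway answers
    build_arp(HOST_MAC, "10.0.0.5", "10.0.0.1", opcode=1),           # host asks for gateway
    build_arp(HOST_MAC, "10.0.0.5", "10.0.0.1", opcode=1),           # repeat: no event
    b"\xff" * 6 + HOST_MAC + struct.pack("!H", 0x0800) + b"\x00" * 40,  # IPv4 frame, ignored
    build_arp(ATTACKER_MAC, "10.0.0.1", "10.0.0.5"),                 # attacker claims gateway IP
    build_arp(GATEWAY_MAC, "10.0.0.1", "10.0.0.5"),                  # real gateway reasserts
]


def run_sample():
    """Feed the constructed capture through the monitor and return its events."""
    mon = ArpMonitor()
    for frame in SAMPLE_FRAMES:
        mon.feed(frame)
    return mon.events


if __name__ == "__main__":
    for kind, ip, old, new in run_sample():
        print(f"{kind}: {ip} {old or '-'} -> {new}")
```

The "flip flop" case is the one worth watching: a single change can be a legitimate NIC swap, but an address that bounces between two MACs within minutes is a host and an impostor both answering for the same IP.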

 Title: clog 0.0.2
 Authors: Brian Mitchell
 Abstract:

   clog is a program that logs all connections on your subnet. It uses the pcap packet capture
   library to log any SYN packets to a logfile. The output format is designed to be very easily
   parsed by various text processing tools.

 Title: Gabriel v1.0
 Authors: Los Altos Technologies, Inc.
 Abstract:

   Gabriel gives the system administrator an early warning of a possible network intrusion by
   detecting and identifying unauthorized network probing. Gabriel's highlights: ready to run
   for Sun Solaris 1 and Solaris 2 operating systems; full source included; Perl IS NOT
   required; test script included to simplify evaluation of Gabriel; built-in mechanism to send
   real-time alerts via pager, phone call, email, or online displays.

 Title: IcmpInfo
 Authors: Laurent Demailly <dl@obspm.fr>
 Abstract:

   IcmpInfo monitors incoming ICMP packets. It can be used to detect and record 'bombs' as
   well as various network problems.

 Title: loginlog
 Authors: Mark <mark@blackplague.gmu.edu>
 Abstract:

   Monitors utmp and alerts you when someone logs in.

 Title: netlog
 Authors: Free Software Foundation Inc.
 Abstract:

   An advanced network sniffer system to monitor your networks. These programs are a part
   of the network security system used by Texas A&M University. It can be used for locating
   suspicious network traffic. The following programs are included:

 Title: NFSTrace
 Authors: Matt Blaze <mab@cs.princeton.edu>
 Abstract:

   This is the rpcspy/nfstrace package. It is described in detail in the paper "NFS Tracing by
   Passive Network Monitoring", which appeared in the January, 1992 USENIX conference.
   You'll need either a DEC machine running ULTRIX (with the packetfilter installed in the
   kernel) or a Sun running SunOS 4.x (with NIT). Or you'll need to do a bit of hacking.

 Title: NFSWatch
 Authors: Dave Curry, Jeff Mogul
 Abstract:

   It lets you monitor NFS requests to any given machine, or the entire local network. It mostly
   monitors NFS client traffic (NFS requests); it also monitors the NFS reply traffic from a
   server in order to measure the response time.

 Title: NOCOL/NetConsole v4.01
 Authors: Vikas Aggarwal
 Abstract:

   NOCOL/Netconsole (Network Operation Center OnLine) is a network monitoring package
   that runs on Unix platforms and is capable of monitoring network and system variables such
   as ICMP or RPC reachability, RMON variables, nameservers, ethernet load, port
   reachability, host performance, SNMP traps, modem line usage, AppleTalk & Novell
   routes/services, BGP peers, etc. The software is extensible and new monitors can be added
   easily.

 Title: swatch
 Authors: Todd Atkins
 Abstract:

   A simple watcher that is designed to monitor system activity.

 Title: Tap
 Authors: Simon Ney <neural@cs.tu-berlin.de>
 Abstract:

   This is the STREAMS pushable module/driver tap. This module will monitor a stream.

 Title: TCP Alert
 Authors: Dana Nowell
 Abstract:

   Small program that sits on a TCP port listening for connections and logs any such attempts.

 Title: tcp_wrappers
 Authors: Wietse Venema <wietse@wzv.win.tue.nl>
 Abstract:

   With this package you can monitor and filter incoming requests for the SYSTAT, FINGER,
   FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.
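What tcp_wrappers does with each request is a fixed lookup: search /etc/hosts.allow, then /etc/hosts.deny, first match wins, and a request matching neither file is permitted. The script below is an added example for this page, not tcp_wrappers' own code; it models that decision for a subset of the hosts_access(5) pattern language (ALL, LOCAL, exact host or address, a leading-dot domain suffix, a trailing-dot address prefix, net/mask, and EXCEPT) and ignores option fields such as spawn or twist and ident-based user@host patterns. The two rule files and the requests are constructed for the example.

```python
"""hosts_access(5) decision logic in miniature.
Added example for this page, not tcp_wrappers' own code; rule files and
requests are constructed, and only a subset of the pattern language is modelled."""
import ipaddress


def _match_client(pattern: str, host: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                      # hostname without a dot
        return "." not in host
    if pattern.startswith("."):                 # domain suffix, e.g. .corp.example
        return host.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return pattern == host or pattern == addr   # exact hostname or address


def _match_daemon(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _match_list(tokens, match_one) -> bool:
    """`a b EXCEPT c d` matches when the left list matches and the right one does not;
    EXCEPT nests to the right, as in hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], match_one) and not _match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def _parse_rules(text: str):
    """Yield (daemon_tokens, client_tokens) per rule.  Comments, blank lines and
    backslash continuations are handled; the optional third field is dropped."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        yield fields[0].replace(",", " ").split(), fields[1].replace(",", " ").split()


def _file_matches(text: str, daemon: str, host: str, addr: str) -> bool:
    for daemons, clients in _parse_rules(text):
        if (_match_list(daemons, lambda d: _match_daemon(d, daemon))
                and _match_list(clients, lambda c: _match_client(c, host, addr))):
            return True
    return False


def hosts_access(allow_text: str, deny_text: str, daemon: str, host: str, addr: str) -> bool:
    """The tcp_wrappers decision: an allow-file match grants, else a deny-file match
    refuses, else the request is permitted (an empty hosts.deny means allow everything)."""
    if _file_matches(allow_text, daemon, host, addr):
        return True
    if _file_matches(deny_text, daemon, host, addr):
        return False
    return True


HOSTS_ALLOW = """\
# constructed /etc/hosts.allow
sshd : 192.168.1. EXCEPT 192.168.1.99
in.ftpd, in.telnetd : LOCAL, .corp.example
ALL : 10.0.0.0/255.255.255.0 : spawn /usr/bin/logger wrapped %d from %c
"""

HOSTS_DENY = """\
# constructed /etc/hosts.deny: refuse whatever hosts.allow did not grant
ALL : ALL
"""

REQUESTS = [                                              # (daemon, hostname, address), constructed
    ("sshd", "ws10.corp.example", "192.168.1.10"),        # granted by the address-prefix rule
    ("sshd", "rogue.corp.example", "192.168.1.99"),       # carved out by EXCEPT, then denied
    ("in.ftpd", "fileserver", "10.1.1.20"),               # LOCAL: unqualified hostname
    ("in.telnetd", "evil.example.org", "203.0.113.5"),    # no allow match, hits ALL : ALL
    ("in.fingerd", "printer", "10.0.0.7"),                # any daemon from 10.0.0.0/24
]


def run_sample(deny_text: str = HOSTS_DENY):
    """Return {(daemon, address): decision} for the constructed requests."""
    return {(d, a): hosts_access(HOSTS_ALLOW, deny_text, d, h, a) for d, h, a in REQUESTS}


if __name__ == "__main__":
    for (daemon, addr), ok in run_sample().items():
        print(f"{daemon:<12} {addr:<14} {'allow' if ok else 'deny'}")
```

Calling `run_sample("")` shows the default that bites people: with no hosts.deny every request comes back permitted, which is why `ALL : ALL` in hosts.deny is the first line to write when deploying the package.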

 Title: tocsin
 Authors: Doug Hughes
 Abstract:

   This program will catch port scanners that use SYN probes without actually opening up a
   connection. It works as a good supplement to klaxon. You only need 1 tocsin process per
   subnet. Assuming you run it on a shared subnet, it will catch probes on any machine on
   that subnet. If your machine has multiple subnets, it will default to le0, but you can change
   that with the -i option.
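clog and tocsin rely on the same observation: a connection attempt, and a port scanner's probe, both begin with a TCP segment that has SYN set and ACK clear, and a passive listener on the subnet can record it without ever answering. The script below is an added example for this page, not code from either tool; it parses raw Ethernet/IPv4/TCP frames, writes one space-separated record per bare SYN in the spirit of clog's easily parsed output, and, in the spirit of tocsin, raises an alert when one source sends SYNs to several distinct ports on a host inside a short window. The frames, timestamps, threshold and window are constructed for the example.

```python
"""Passive SYN logger with a simple port-scan alert over raw frames.
Added example for this page, not clog's or tocsin's own code.
Frames, timestamps, threshold and window below are constructed test data."""
import ipaddress
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TH_SYN, TH_ACK = 0x02, 0x10


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed Ethernet II + 20-byte IPv4 header + 20-byte TCP header, no options.
    Checksums are left zero; a passive monitor does not need them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    eth = b"\x00\x0c\x29\x00\x00\x01" + b"\x00\x0c\x29\x00\x00\x02" + struct.pack("!H", ETH_P_IP)
    return eth + ip + tcp


def parse_bare_syn(frame: bytes):
    """Return (src_ip, sport, dst_ip, dport) if the frame is a TCP segment with SYN
    set and ACK clear (a connection attempt or probe), else None."""
    if len(frame) < 14 + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13]
    if flags & TH_SYN and not flags & TH_ACK:
        return (str(ipaddress.IPv4Address(ip[12:16])), sport,
                str(ipaddress.IPv4Address(ip[16:20])), dport)
    return None


class SynMonitor:
    """Logs every bare SYN; alerts once per (src, dst) when `threshold` distinct
    destination ports are probed within `window` seconds."""

    def __init__(self, threshold: int = 5, window: float = 60.0):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(list)   # (src, dst) -> [(ts, dport), ...]
        self.alerted = set()

    def feed(self, ts: float, frame: bytes):
        """Return (log_line, alert); either may be None."""
        hit = parse_bare_syn(frame)
        if hit is None:
            return None, None
        src, sport, dst, dport = hit
        line = f"{ts:.3f} {src} {sport} {dst} {dport}"   # one record per line, space separated
        key = (src, dst)
        hist = [(t, p) for t, p in self.recent[key] if ts - t <= self.window]  # drop old
        hist.append((ts, dport))
        self.recent[key] = hist
        ports = {p for _, p in hist}
        alert = None
        if len(ports) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            alert = f"{ts:.3f} SYN scan: {src} probed {len(ports)} ports on {dst} within {self.window:.0f}s"
        return line, alert


SAMPLE_CAPTURE = [                                                               # constructed
    (1.000, build_tcp_frame("10.0.0.5", "10.0.0.1", 40000, 22, TH_SYN)),           # normal ssh
    (1.002, build_tcp_frame("10.0.0.1", "10.0.0.5", 22, 40000, TH_SYN | TH_ACK)),  # reply: not logged
    (1.004, build_tcp_frame("10.0.0.5", "10.0.0.1", 40000, 22, TH_ACK)),           # handshake done
] + [
    (10.0 + i, build_tcp_frame("10.0.0.9", "10.0.0.1", 51000 + i, port, TH_SYN))  # scanner
    for i, port in enumerate((21, 22, 23, 25, 80, 443))
]


def run_sample():
    """Return (log_lines, alerts) for the constructed capture."""
    mon = SynMonitor()
    lines, alerts = [], []
    for ts, frame in SAMPLE_CAPTURE:
        line, alert = mon.feed(ts, frame)
        if line:
            lines.append(line)
        if alert:
            alerts.append(alert)
    return lines, alerts


if __name__ == "__main__":
    lines, alerts = run_sample()
    print("\n".join(lines + alerts))
```

The SYN/ACK and the final ACK of the legitimate handshake produce no record, so the log counts attempts rather than packets; the scan alert fires on the fifth distinct port and is then suppressed for that pair, which keeps a long scan from producing one alert per probe.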

 Title: ttysnoop
 Authors: Carl Declerck
 Abstract:

   The package allows you to snoop on login tty's through another tty device or pseudo-tty. The
   snoop-tty becomes a 'clone' of the original tty, redirecting both input and output from/to it.

 Title: xc
 Authors: der Mouse <mouse@callatz.mcrcom.mcgill.edu>
 Abstract:

   I now have a program that behaves superficially like xconns, but with some significant
   differences: It uses RFC931 to display usernames, when the client host supports RFC931. It
   allows the user to freeze (and unfreeze) connections, or kill them, independent of the client,
   and very importantly independent of the server. The KillClient request can be used to
   forcibly disconnect a client from the server, but only if the client has created a resource,
   which (for example) neither xkey nor xcrowbar does. It monitors the connection, and if it
   sees certain dubious requests (currently configurable only by hacking on the source), it pops
   up a little menu with which the user can allow the request, have it replaced with a
   NoOperation request, or kill the connection. The dubious requests are, at present, requests
   to change the host access list, requests to enable or disable access control, and
   ChangeWindowAttributes requests operating on non-root windows not created by the same
   client.


Aleph One / aleph1@underground.org 
Copyright &copy; 1996 Computer Underground Society. All rights reserved. 
