[Full-disclosure] Monitoring for Sober.Y with Squid and swatch

From: "Gaddis, Jeremy L." <jeremy@xxxxxxxxxxxx>
Date: Thu, 05 Jan 2006 22:35:21 -0500

Here's an article I just wrote up real quick on how to monitor for Sober.Y HTTP activity (set to begin at midnight 06-Jan-2006) using the Squid proxy server and swatch.

Example configurations are provided. These are the swatch config entries that I am using for monitoring Squid's access.log files for (some of?) the hosts that Sober.Y is known to utilize and send alerts to my e-mail and company pager.

I took the hosts from SANS' list on ISC. If there are any hosts that I've missed, please do let me know.

The article can be found at http://www.jeremygaddis.com/

Thanks,
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] RE: what we REALLY learned from WMF
Next by Date: Re: [Full-disclosure] infosecbofh
Previous by thread: [Full-disclosure] Did MS pull an Ilfak? (MS patch bindiff results)
Next by thread: [Full-disclosure] RECON2006 - Call for paper
Index(es):
- Date
- Thread

Relevant Pages

Re: Bandwidth monitoring
... You could certainly implement this using ipfw ... but only if you wanted to add one firewall rule for each ... were willing to tweak and sample the firewall rules on each of the hosts. ... I use it to monitor inbound and outbound ...
(freebsd-net)
Monitoring for Sober.Y with Squid and swatch
... Here's an article I just wrote up real quick on how to monitor for Sober.Y HTTP activity using the Squid proxy server and swatch. ... I took the hosts from SANS' list on ISC. ... The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. ... Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. ...
(Security-Basics)
ANN: SkipoleMonitor0.2 released
... SkipoleMonitor is available at http://code.google.com/p/skipole-monitor/ ... SkipoleMonitor is a free network monitor for Windows and Linux. ... Monitor will regularly ping, showing the results via a built-in Web server. ... Hosts can be grouped, so the Web server will show group symbols that the ...
(comp.lang.python.announce)
Re: nagios check_ssh, check_oracle via Web
... > hosts (Linux, Solaris, and Windows) using check_ssh THROUGH the WEB ... I guess you try to monitor the SSH deamon? ...
(comp.os.linux.networking)
Network Monitor released
... SkipoleMonitor is available at http://code.google.com/p/skipole-monitor/ ... Monitor will regularly ping, showing the results via a built-in Web server. ... Hosts can be grouped, so the Web server will show group symbols that the ...
(microsoft.public.win2000.networking)