SEMiSLUG Notes
12 February 1998
Question & Answer Sessions
- How did Peter get a neat NFR jacket?
- He gave them his best programmer.
- How do you use PGP with Netscape mail?
- No one's tried it. Netscape refuses to do it, due to their agreement
with Verisign.
- Looking for Netscape mail for Palm Pilot Pro?
- Nothing.
- Cirrus 5664 with XFree86?
- Talk to Troy. He's had a bit of experience with it.
- Linux for Sun weenies?
- Linux Bible. Redhat installation guide. Linux Network Administrator's
Guide. The most recent O'Reilly system administration book. Grep
the HOWTO files.
- How do you optimize throughput over PPP (Win95<=>Portmaster)? Reducing
ping times in general?
- Adjust the MTU and packet filters. Turn off compression. TCP window
size can be fiddled. See http://www.win95.com/ for more info.
Talk to the modem as fast as you can.
- Media One & cable modems: anything other than Win95?
- See http://people.qualcom.com/karn/ (Phil Karn) for someone who's
done this and made the source code available.
- SGI _is_ a big question mark?
- Only when it comes to who's contacting SEMiSLUG.
- Jobs?
- Got something? Talk to Troy.
Need something? Talk to Chad about Microsoft. Talk to Troy (MS
Mail, Novell, AIX, routing, Linux). MJO may be trying to round up
contractors for Altair to abuse.
- Current version of Red Hat? Is X configuration any easier than with
Slackware?
- 5.0 is the most recent. Both have advantages and disadvantages when
it comes to X installation.
- Cheap HP workstations (PA/RISC) - got any? Know where to find any?
- If so, tell Troy.
- I'm getting duplicate SEMiSLUG announcements. How do I find out why?
- Send majordomo@semislug.mi.org a message containing:
which STRING
and you'll get back a list of addresses containing STRING and the
mailing lists to which they're subscribed. Contact Gabe if you
need more assistance.
- What's going to happen to MS users in 2000?
- Condemned to flames.
- Has anyone got a video of the cream pie incident? With them?
- Chad has a copy.
- Netscape Confusionator's "Startup homepage override" - does anyone have
it working yet?
- Netscape's working on this problem.
- Anyone have SSL ftpd installed?
- Doesn't sound like it.
- Good reference for getting ssh up and running?
- Paul Haas just installed it and it worked. There's also a FAQ out
there somewhere. And while you're at it, start using tcpwrapper
for added security.
- Any experience with new Ultra 5 or 10 Suns?
- Some trade rag thinks they're overpriced. An Alpha box would
do them better.
- Is it possible from 4.1.3 to use something other than dd to mirror
a disk?
- tar? dump? Try GNU dd.
- Peter's Sun problem?
- Fix the shared libraries. Get the Sun FAQ. See resolv+.
- Why isn't Peter running OpenBSD on his SPARCs?
- AFS server.
- Samsung doodad that runs PCS?
- No one is familiar with it. It's a pen-based PDA.
- How do you run data over PCS?
- It's possible, but no details.
- Linux for palmtops?
- Didn't someone just say that Linux is running on a Palm Pilot?
Yes, it's out there.
- Commercial listservs?
- No one wants to support Majordomo any more. How about ListServ?
Presentation
Network Flight Recorder - Mike Stolarchuk
NFR is building software that sniffs the net and analyzes the results. The
goals are:
Make hackers miserable
Produce state of the art network management and security tools
Release them to the world
Support research
Sell commercial rights to our tools where demand exists
Have a good time
Determine how the network is being utilized
Intrusion Detection Systems:
Intrusion Detection
Burglar Alarms
Input Channels: Ethernet, FDDI, other
Analysis: Traffic Analysis, driven from a WWW Interface
Output Channels: Histogram, List/Log, (other)
Has a language that is used to describe filters and analysis.
Usage and Deployment
Offsite Monitoring
Offsite (agreement based) audit
Records / transaction history
Network change detection and audit
Usage tracking ( Internet / intranet usage billing?)
Hacker hunting
Internal Architecture:
Highly modularized plugin/plug-out
Centralized engine
Detachable "packet suckers"
Detachable "recorder objects"
Modularized alert processing system
Queue and prioritize alerts
Deliver them through multiple channels
Storage requirements depend on how much detail you keep; you decide how
bad it will be.
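As an added illustration of the architecture sketched above (this is not NFR's code and not its filter language; the packet records, host addresses and thresholds are constructed for the example), the following Python sketch wires a detachable packet source into a central engine, attaches filters to two kinds of recorder object (a histogram that keeps only counts, a list/log that keeps every matched packet), and feeds plug-in detectors into an alert processor that queues by priority and delivers on multiple channels:

```python
"""Toy sketch of the modular NFR-style pipeline: a packet source feeds a
central engine, filters route packets to recorder objects, detectors raise
alerts, and the alert processor queues them by priority and delivers them on
several channels. Added example, not NFR's code; all traffic is constructed."""
import heapq
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str  # TCP flags as letters: "S" = bare SYN, "A" = ACK

# Recorder objects: each one decides how much detail it keeps on disk.
class Histogram:
    """Counts keyed by one field; cheap to store, coarse to query."""
    def __init__(self, key: Callable[[Packet], object]) -> None:
        self.key, self.counts = key, Counter()
    def record(self, p: Packet) -> None:
        self.counts[self.key(p)] += 1

class LogList:
    """Full per-packet records; storage grows with the matched traffic."""
    def __init__(self) -> None:
        self.entries: List[Tuple[float, str, str, int, str]] = []
    def record(self, p: Packet) -> None:
        self.entries.append((p.ts, p.src, p.dst, p.dport, p.flags))

# Alert processing: queue, prioritize (1 = most urgent), deliver on channels.
class AlertProcessor:
    def __init__(self) -> None:
        self._queue: List[Tuple[int, int, str]] = []
        self._seq = 0  # preserves FIFO order among equal priorities
        self.channels: List[Callable[[str], None]] = []
    def raise_alert(self, priority: int, text: str) -> None:
        heapq.heappush(self._queue, (priority, self._seq, text))
        self._seq += 1
    def deliver(self) -> List[str]:
        delivered = []
        while self._queue:
            _, _, text = heapq.heappop(self._queue)
            for channel in self.channels:
                channel(text)
            delivered.append(text)
        return delivered

# Detectors ("burglar alarms") are plug-ins that see every packet.
class PortScanDetector:
    """Alert once when a source has SYNed to `threshold` distinct ports."""
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.ports: Dict[str, Set[int]] = defaultdict(set)
    def __call__(self, p: Packet, alerts: AlertProcessor) -> None:
        if p.flags == "S":
            self.ports[p.src].add(p.dport)
            if len(self.ports[p.src]) == self.threshold:
                alerts.raise_alert(1, f"possible port scan from {p.src}")

def telnet_detector(p: Packet, alerts: AlertProcessor) -> None:
    """Low-priority record of cleartext telnet connection attempts."""
    if p.flags == "S" and p.dport == 23:
        alerts.raise_alert(3, f"telnet connection attempt {p.src} -> {p.dst}")

class Engine:
    """Central engine: routes packets through filters to recorders, then detectors."""
    def __init__(self, alerts: AlertProcessor) -> None:
        self.alerts, self.filters, self.detectors = alerts, [], []
    def attach(self, predicate, recorders) -> None:
        self.filters.append((predicate, list(recorders)))
    def add_detector(self, detector) -> None:
        self.detectors.append(detector)
    def run(self, source: Iterable[Packet]) -> None:
        for p in source:  # `source` stands in for a detachable packet sucker
            for predicate, recorders in self.filters:
                if predicate(p):
                    for r in recorders:
                        r.record(p)
            for detect in self.detectors:
                detect(p, self.alerts)

SAMPLE = [  # constructed traffic, not a real capture
    Packet(0.0, "10.0.0.2", "192.168.1.5", 80, "S"),
    Packet(0.1, "10.0.0.2", "192.168.1.5", 80, "A"),
    Packet(0.2, "10.0.0.7", "192.168.1.5", 23, "S"),
    Packet(0.3, "10.0.0.7", "192.168.1.5", 23, "A"),
    *[Packet(1.0 + i / 10, "10.0.0.9", "192.168.1.5", port, "S")
      for i, port in enumerate((21, 22, 23, 25, 80, 110))],
]

def demo(threshold: int = 5):
    alerts = AlertProcessor()
    syslog, pager = [], []  # stand-ins for two delivery channels
    alerts.channels += [syslog.append, pager.append]
    port_hist, telnet_log = Histogram(lambda p: p.dport), LogList()
    eng = Engine(alerts)
    eng.attach(lambda p: True, [port_hist])            # usage tracking
    eng.attach(lambda p: p.dport == 23, [telnet_log])  # transaction history
    eng.add_detector(PortScanDetector(threshold))
    eng.add_detector(telnet_detector)
    eng.run(SAMPLE)
    return port_hist.counts, telnet_log.entries, alerts.deliver(), syslog, pager
```

Running `demo()` shows the two storage trade-offs side by side: the histogram holds six counters for ten packets, while the telnet log keeps every matched packet. The scan alert is raised last but delivered first because the queue orders by priority, and both channels receive the same sequence.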
Performance is a big question
Estimate: the system should be capable of ~40-50Mb/s on a P200 with 64MB RAM
Disk I/O will be the bottleneck (don't try to capture 100% of data)
NFR are still experimenting and doing performance tuning
NFR are currently using commodity hardware in an effort to force the
development to focus on improving the software.
NFR is better suited to auditing than intrusion detection at this point.
Remote auditing gets a bit hairy. Using multiple NFRs makes managing
a network easier.
Those interested in trying NFR out should visit http://www.nfr.com/
to download it.
Currently running on BSD/OS, Solaris, Linux, HP/UX. NT should be available
in the next month or two.
Rumor & Innuendo