From ingvar at hexapodia.net Thu Jan 1 10:15:56 2009
From: ingvar at hexapodia.net (Ingvar)
Date: Thu, 01 Jan 2009 10:15:56 +0000
Subject: [noctool-devel] Hm, may be time for a SLIGHT network protocol design

Seems SHA1 is "recommended to be discontinued in 2010", since it is expected
that the MD5 collision theories/algorithms can be partially re-used.
Investigating options at the moment (SHA256 may be a contender).

//Ingvar


From download at hpc.unm.edu Wed Jan 21 16:16:23 2009
From: download at hpc.unm.edu (Jim Prewett)
Date: Wed, 21 Jan 2009 09:16:23 -0700 (MST)
Subject: [noctool-devel] DISK-MONITOR class question

Hi All,

I'm curious as to why the DISK-MONITOR class has the slots: DISK-USED &
INODES-USED whose accessors are DISK-FREE and INODES-FREE and initargs are
:DISK-FREE and :INODES-FREE.

This seems a *tad* confusing to me, especially whereas df reports used
blocks and available blocks and the DISK-USED slot seems to be storing the
*free* blocks.

The INODES-USED slot seems to be, at this point, unused, so I'm not sure
if it is also backwards :) The naming does seem a bit strange as well. :)

Jim

James E. Prewett                 Jim at Prewett.org   download at hpc.unm.edu
Systems Team Leader              LoGS: http://www.hpc.unm.edu/~download/LoGS/
Designated Security Officer      OpenPGP key: pub 1024D/31816D93
HPC Systems Engineer III         UNM HPC 505.277.8210


From ingvar at hexapodia.net Wed Jan 21 17:35:16 2009
From: ingvar at hexapodia.net (Ingvar)
Date: Wed, 21 Jan 2009 17:35:16 +0000
Subject: [noctool-devel] DISK-MONITOR class question

Jim Prewett writes:
> Hi All,
>
> I'm curious as to why the DISK-MONITOR class has the slots: DISK-USED &
> INODES-USED whose accessors are DISK-FREE and INODES-FREE and initargs are
> :DISK-FREE and :INODES-FREE.
>
> This seems a *tad* confusing to me, especially whereas df reports used
> blocks and available blocks and the DISK-USED slot seems to be storing the
> *free* blocks.
I suspect this is one of those lovely artefacts that comes from "start
coding, then think". It's probably best to just rename the slots, as I
believe accessors and initargs all are "...-FREE".

> The INODES-USED slot seems to be, at this point, unused, so I'm not sure
> if it is also backwards :) The naming does seem a bit strange as well. :)

They are, they possibly shouldn't be. Though inode starvation is much less
common than storage starvation (unless you use lots of small files, with a
file system that has an inode allocation for a much larger "average file"
size).

//Ingvar


From ingvar at hexapodia.net Thu Jan 29 19:45:22 2009
From: ingvar at hexapodia.net (Ingvar)
Date: Thu, 29 Jan 2009 19:45:22 +0000
Subject: [noctool-devel] Oooh! Shiny! [ predictive models of future behaviour ]

Found the following after discussing the Snooper model for predicting "a run
on this port was made on $Date" and I suspect it MAY, possibly, be worth
considering for alert thingbobs in NOCtool:

http://www.usenix.org/events/lisa2000/full_papers/brutlag/brutlag_html/index.html

//Ingvar


From annis at biostat.wisc.edu Thu Jan 29 19:54:04 2009
From: annis at biostat.wisc.edu (William Annis)
Date: Thu, 29 Jan 2009 13:54:04 -0600 (CST)
Subject: [noctool-devel] Oooh! Shiny! [ predictive models of future behaviour ]
In-Reply-To: (message from Ingvar on Thu, 29 Jan 2009 19:45:22 +0000)
Message-ID: <20090129195405.1BC9551FC51@cydonia.biostat.wisc.edu>

>Found the following after discussing the Snooper model for predicting "a run
>on this port was made on $Date" and I suspect it MAY, possibly, be worth
>considering for alert thingbobs in NOCtool:

Grr.

Sorry.
I was on the LISA program committee for this paper, and I thought it
unnecessary to reproduce a paper that had already been done in 1993:

http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html

Here's some work I did:

http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html

The Hoogenboom and Lepreau paper uses Holt-Winters time series analysis,
which is *much* easier to produce models for (fast to calculate, can be
updated on the fly). At this point it seems like it should be a
bare-minimum requirement for any monitoring tool. :)

--
wm


From annis at biostat.wisc.edu Thu Jan 29 20:23:46 2009
From: annis at biostat.wisc.edu (William Annis)
Date: Thu, 29 Jan 2009 14:23:46 -0600 (CST)
Subject: [noctool-devel] Oooh! Shiny! [ predictive models of future behaviour ]
In-Reply-To: <20090129195405.1BC9551FC51@cydonia.biostat.wisc.edu> (message from William Annis on Thu, 29 Jan 2009 13:54:04 -0600 (CST))
References: <20090129195405.1BC9551FC51@cydonia.biostat.wisc.edu>
Message-ID: <20090129202346.9BD9F51FCA0@cydonia.biostat.wisc.edu>

I forget - cfengine also has some similar tools:

http://www.iu.hio.no/~mark/papers/dsom2002.pdf

This work is handled in the cfenvd,

http://www.cfengine.org/confdir/cfenvd.html

--
wm


From ingvar at hexapodia.net Thu Jan 29 20:31:54 2009
From: ingvar at hexapodia.net (Ingvar)
Date: Thu, 29 Jan 2009 20:31:54 +0000
Subject: [noctool-devel] Oooh! Shiny! [ predictive models of future behaviour ]
In-Reply-To: <20090129195405.1BC9551FC51@cydonia.biostat.wisc.edu>
References: <20090129195405.1BC9551FC51@cydonia.biostat.wisc.edu>

William Annis writes:
> >Found the following after discussing the Snooper model for predicting "a run
> >on this port was made on $Date" and I suspect it MAY, possibly, be worth
> >considering for alert thingbobs in NOCtool:
>
> Grr.
>
> Sorry.
> I was on the LISA program committee for this paper,
> and I thought it unnecessary to reproduce a paper that had already
> been done in 1993:
>
> http://www.usenix.org/publications/library/proceedings/cinci93/hoogen.html
>
> Here's some work I did:
>
> http://www.biostat.wisc.edu/~annis/mom3.old/stats/index.html
>
> The Hoogenboom and Lepreau paper uses Holt-Winters time series
> analysis, which is *much* easier to produce models for (fast to
> calculate, can be updated on the fly). At this point it seems like it
> should be a bare-minimum requirement for any monitoring tool. :)

Cool, I'll have a read through that too.

Strangely enough, I was pointed at the paper when I was discussing a plain
exponential-decay average, since that's what I used for the 2007-02-01 --
2008-02-28 Snooper report (essentially "analysis of traffic directed at
non-responding IP addresses", see
http://www.hexapodia.net/snooper/report-20070201-20080229.pdf for more
details if interested) and wondered if there was anything better around.

In the Snooper analysis case, it's all done well after the fact, but there's
such a mass of different data that I can't readily look at it myself but
have to let a computer look, but "computational efficiency" isn't too much
of a concern; if it takes a day to chomp through a year's worth of data (to
try to find "massively increased activity"), that still drowns in the
"search the net for vulnerabilities published around that time".

I just find the intersection of applicable tools to different areas of
interest fascinating.

//Ingvar
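To make the comparison Ingvar and William are having concrete, the block below is an added example in Python, not NOCtool code and not taken from either paper: an additive Holt-Winters detector with a per-slot deviation band (the scheme in the Brutlag paper linked above) beside a plain exponential-decay average of the kind Ingvar describes using for the Snooper report. Both run over a constructed series of three "days" of eight samples each with two injected events; the smoothing parameters, the initial deviation guess and the series itself are assumptions for the example. What it shows: the seasonal model flags the night-time jump at index 17 and the spike at index 19 and nothing else, while the seasonless average raises a false alarm on the first daily peak it meets (index 3), then inflates its band to cover the daily swing and so misses the night-time jump, catching only the large spike.

```python
"""Added example, not NOCtool code: additive Holt-Winters with a per-slot
deviation band beside a plain exponential-decay average, on constructed data."""
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[float, float, float, bool]  # predicted, lower, upper, anomalous


class HoltWintersDetector:
    """Level + trend + additive season, plus a smoothed absolute deviation per
    season slot that sets the confidence band. Each update is O(1) on current
    state only; the first `season_len` samples initialise and yield no verdict."""

    def __init__(self, season_len: int, alpha: float = 0.2, beta: float = 0.1,
                 gamma: float = 0.1, delta: float = 3.0) -> None:
        self.m = season_len
        self.alpha, self.beta, self.gamma, self.delta = alpha, beta, gamma, delta
        self._warmup: List[float] = []
        self.level: Optional[float] = None
        self.trend = 0.0
        self.season: List[float] = []
        self.dev: List[float] = []
        self._t = 0

    def update(self, y: float) -> Optional[Verdict]:
        if self.level is None:
            self._warmup.append(y)
            if len(self._warmup) < self.m:
                return None
            # Initialise from one season: mean as level, offsets as seasonal terms,
            # mean absolute deviation as the starting band width (an assumption).
            mean = sum(self._warmup) / self.m
            self.level = mean
            self.season = [v - mean for v in self._warmup]
            mad = sum(abs(v - mean) for v in self._warmup) / self.m
            self.dev = [mad] * self.m
            return None
        i = self._t % self.m
        s_prev, d_prev = self.season[i], self.dev[i]
        pred = self.level + self.trend + s_prev
        resid = y - pred
        half = self.delta * d_prev
        verdict = (pred, pred - half, pred + half, abs(resid) > half)
        # Standard additive Holt-Winters recurrences, then the slot's deviation.
        new_level = self.alpha * (y - s_prev) + (1 - self.alpha) * (self.level + self.trend)
        self.trend = self.beta * (new_level - self.level) + (1 - self.beta) * self.trend
        self.season[i] = self.gamma * (y - new_level) + (1 - self.gamma) * s_prev
        self.dev[i] = self.gamma * abs(resid) + (1 - self.gamma) * d_prev
        self.level = new_level
        self._t += 1
        return verdict


class EwmaDetector:
    """Plain exponential-decay average with a smoothed deviation band and no
    seasonal term, the kind of model the Snooper report used."""

    def __init__(self, alpha: float = 0.3, gamma: float = 0.1, delta: float = 3.0,
                 initial_dev: float = 8.0) -> None:
        self.alpha, self.gamma, self.delta = alpha, gamma, delta
        self.initial_dev = initial_dev  # starting noise guess (assumption)
        self.mean: Optional[float] = None
        self.dev = 0.0

    def update(self, y: float) -> Optional[Verdict]:
        if self.mean is None:
            self.mean, self.dev = y, self.initial_dev
            return None
        pred = self.mean
        resid = y - pred
        half = self.delta * self.dev
        verdict = (pred, pred - half, pred + half, abs(resid) > half)
        self.mean = self.alpha * y + (1 - self.alpha) * self.mean
        self.dev = self.gamma * abs(resid) + (1 - self.gamma) * self.dev
        return verdict


DAILY_PATTERN = [10, 10, 20, 40, 40, 20, 10, 10]  # constructed: 8 samples per "day"


def build_sample_series() -> List[float]:
    """Three constructed days: a flat daily cycle, then in day three a night-time
    jump (index 17: 10 -> 40, a normal daytime value) and a spike (index 19: 90)."""
    series = [float(v) for v in DAILY_PATTERN * 3]
    series[17] = 40.0
    series[19] = 90.0
    return series


def detect_anomalies(series: List[float], season_len: int) -> Dict[str, List[int]]:
    """Feed the series through both detectors; return flagged indices per model."""
    detectors = {"holt_winters": HoltWintersDetector(season_len), "ewma": EwmaDetector()}
    flagged: Dict[str, List[int]] = {name: [] for name in detectors}
    for idx, y in enumerate(series):
        for name, det in detectors.items():
            verdict = det.update(y)
            if verdict is not None and verdict[3]:
                flagged[name].append(idx)
    return flagged


if __name__ == "__main__":
    print(detect_anomalies(build_sample_series(), len(DAILY_PATTERN)))
```

Run as a script it prints the flagged indices per model. The band width tracks the deviation seen in the same slot on previous days, so noisy hours get wide bands and quiet hours narrow ones; that is what turns a 10 to 40 change at night into an alarm when 40 at midday is routine. The O(1) update is what makes this cheap enough for inline alerting in a poller, which matters more there than for the after-the-fact Snooper run Ingvar describes.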
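Back to the SHA-1 question in the first message of this digest: whatever hash replaces it, the design move that pays off is to carry an algorithm identifier on the wire and to authenticate it together with the payload, so the hash can be retired by receiver policy without a flag day and a peer cannot quietly downgrade it. The block below is an added example in Python, not NOCtool code and not a description of any NOCtool protocol; the frame layout, the identifier values, the policy set and the sample key and payload are all assumptions for the example.

```python
"""Added example, not NOCtool code: a hash-agile authenticated frame. The wire
layout, identifiers and policy set are assumptions; the thread only says SHA-1
is to be retired and SHA-256 is a candidate."""
import hashlib
import hmac
import struct
from typing import FrozenSet, Optional, Tuple

# One-byte algorithm identifiers carried on the wire. Parsing never depends on
# the algorithm, so a receiver can refuse an id without failing to parse.
ALGORITHMS = {1: "sha1", 2: "sha256"}
CURRENT_ALGORITHM = 2
DEFAULT_POLICY: FrozenSet[int] = frozenset({2})  # after the cutoff: SHA-256 only
HEADER = struct.Struct(">BI")                    # alg_id, payload length


def seal(key: bytes, payload: bytes, alg_id: int = CURRENT_ALGORITHM) -> bytes:
    """header || payload || HMAC(key, header || payload). The id sits inside the
    MAC'd data, so rewriting it to a weaker algorithm invalidates the tag."""
    header = HEADER.pack(alg_id, len(payload))
    tag = hmac.new(key, header + payload, ALGORITHMS[alg_id]).digest()
    return header + payload + tag


def open_frame(key: bytes, frame: bytes,
               allowed: FrozenSet[int] = DEFAULT_POLICY) -> bytes:
    """Return the payload or raise ValueError. Policy is checked before any
    hashing, so a retired algorithm is never exercised, not even to compute a tag."""
    if len(frame) < HEADER.size:
        raise ValueError("short frame")
    alg_id, length = HEADER.unpack(frame[:HEADER.size])
    if alg_id not in ALGORITHMS:
        raise ValueError("unknown algorithm id")
    if alg_id not in allowed:
        raise ValueError(f"algorithm {ALGORITHMS[alg_id]} not accepted by policy")
    name = ALGORITHMS[alg_id]
    tag_len = hashlib.new(name).digest_size
    body_end = HEADER.size + length
    if len(frame) != body_end + tag_len:
        raise ValueError("length mismatch")
    expected = hmac.new(key, frame[:body_end], name).digest()
    # compare_digest: a plain == short-circuits and leaks how many tag bytes matched
    if not hmac.compare_digest(expected, frame[body_end:]):
        raise ValueError("bad MAC")
    return frame[HEADER.size:body_end]


def verify(key: bytes, frame: bytes,
           allowed: FrozenSet[int] = DEFAULT_POLICY) -> Tuple[Optional[bytes], Optional[str]]:
    """(payload, None) on success, (None, reason) on failure; handy for logs and tests."""
    try:
        return open_frame(key, frame, allowed), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    key = b"\x01" * 32                                    # constructed key
    msg = b"DISK-MONITOR host=alpha disk-free=123456"     # constructed payload
    frame = seal(key, msg)
    print(verify(key, frame))
    print(verify(key, seal(key, msg, alg_id=1)))          # SHA-1 frame, refused by policy
    print(verify(key, bytes([1]) + frame[1:], frozenset({1, 2})))  # downgrade attempt
```

Two details are worth keeping whatever the real format ends up looking like: the policy check runs before any hashing, and the tag is compared with hmac.compare_digest rather than ==. Note also that collision attacks on SHA-1 of the kind Ingvar mentions do not by themselves break HMAC-SHA-1; they do break any design that relies on a bare hash of the message as an integrity check, which is the pattern to look for when auditing the existing protocol.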