Network Monitoring SIG News

Around 60 attendees joined the 5th NM-SIG meeting 'Monitoring and Detection of Fast-Flux Service Networks'. The NM-SIG had invited 3 speakers to talk about this topic, namely David Watson(The Honeynet Project), Jose Nazario(Arbor Networks) and Christian Gorecki(University of Mannheim). David gave an introduction on Fast-Flux Service Networks. Jose talked about Fast-Flux detection via Arbor's project ATLAS. And Christian presented an approach to automate detection of Fast-Flux with certain metrics. The last part of the meeting was called 'Bring your demo'. Three people gave a short demo of network monitoring tools. Florian Weimer explained the approach of passive DNS replication, which also can be used to track Fast-Flux domains. Tillmann Werner gave a demo of 'Nebula', an intrusion signature generator. And Piotr Kijewski showed HoneySpider Network, a client honeypot solution. The feedback of this meeting was very positive and we hope to plan more of these meetings in the near future.

During the 20th annual FIRST conference in Vancouver (June 22-27, 2008), the Network Monitoring Special Interest Group (NM-SIG) is planning a meeting. During this meeting we would like to focus on the theme:

"Monitoring and Detection of Fast-Flux Service Networks"

We are looking for speakers who are interested to give a presentation about their tools and experiences regarding monitoring and detection of Fast-Flux Service Networks. If you are interested to give a presentation or if you know anyone who might be interesting to invite, you can the NM-SIG Chair Carol Overes (carol.overes@govcert.nl).

The very interactive 4th NM-SIG meeting was held on Wednesday 17th October in Noordwijk (NL), before the GOVCERT.NL-symposium. Around 14 people attended the meeting. With hindsight...

SWITCH-CERT has released nfdump-1.5.6. It includes:

  • Fix odd CISCO behaviour for ICMP type/code in src port.
  • Add fast LZO1X-1 compression option (-z) for output file.
  • Add lists for port in syntax -> port in [ 135 137 445]
  • Add lists for AS syntax -> as in [ 1024 1025 ]
  • Bug fix in filter for syntax 'src as and dst as'

The third meeting of the NM-SIG has been held on Thursday 21 June 2007, during the FIRST conference in Seville. Around 35 attendees joined discussions on various topics. The minutes of the meeting will be available for NM-SIG members soon.

CERT Polska updated the public interface of Arakis early warning system. Statistics from honeynets, darknets, firewalls and antivirus systems are now available, along with information about new packet payload seen on honeypots -- all in English.