Hi all,
My question was:
My problem is to detect a user when he is running a special client,
for example ftp. It is not possible for me to change the programs or to
use something like a wrapper for the client. So I need something
like snoop. But this tool must run the whole day (via cron for example)
and only has to detect the special user and write this activity
to a logfile or syslogd.
Perhaps my question wasn't very exact. I was looking for an easy-to-use
tool to catch packets in a network, analyze them and make entries for
syslog and/or send mail under special conditions. Well, of course I
don't want to work very much to install such a tool.
I think I have to work. :-}
But I got some good hints.
A very good hint is Network Flight Recorder (NFR) at www.nfr.com. It is
free and may be a very good tool. When I have time I will test it.
Other hints are to use standard tools and make some scripts:
netstat -a:
This works on a UNIX box and is good for detecting all connections, and you can
see all used ports. But our problem also includes PCs.
snoop -d le0 -o /var/snoop.raw.out src myhost dst port 21:
This also works on a Sun. But our problem also involves non-standard ports.
So I have to check more than one port. But it is also possible to make
a script with this tool ...
Proxy server:
I also got the hint to use a proxy server. But we are at a university
and it is not possible to force the people here to use it ...
tcp-wrapper:
I think this works only for a server. But I have to check the clients.
Well, I think checking the net means much work to have a useful tool
running in a good way. In former times I was using interman, etherman
and packetman from ftp://ftp.cs.curtin.edu.au/pub/netman. Nice tools,
but it is not possible to create alarms or things like this.
Thanx to:
Shriman Gurung <SG@datcon.co.uk>
Steve Kay <steve@peachy.com>
"Brian T. Wightman" <wightman@acm.org>
"Mark Sherman [ Y2k Consultant ]" <marksh@funb.com>
"Robert G. Ferrell" <rferrell@usgs.gov>
Seth Rothenberg <SROTHENB@montefiore.org>
Dave McFerren <davem@solve.net>
Detlev
--
Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
Habicht | D-30167 Hannover +49 511 7624992 habicht@ims.uni-hannover.de
--------+-------- Handy +49 172 5415752 ---------------------------
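
Added example, not part of the original post and not from any of the people thanked above: one way to script the snoop hint so that several ports, including non-standard ones, are checked at once and each new connection becomes one syslog-ready line. The helper name, host names, port list and sample lines are constructed, and the parser assumes snoop's one-line TCP summary format (D=, S=, Syn, Ack=).

```shell
#!/bin/sh
# Added example: report connection attempts from one client to watched ports.
# Assumption: snoop prints one summary line per packet, shaped like
#   src -> dst TCP D=<dport> S=<sport> Syn Seq=... Len=0 Win=...
# Check this against the output of your own snoop version.

# detect_client_conns HOST "PORT PORT ..."  (hypothetical helper name)
# Reads snoop summary lines on stdin, prints one line per new connection.
detect_client_conns() {
    # Old Solaris /usr/bin/awk lacks -v; use nawk there.
    awk -v host="$1" -v ports="$2" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    $1 == host && $2 == "->" && $4 == "TCP" {
        dport = ""; syn = 0; ack = 0
        for (i = 5; i <= NF; i++) {
            if ($i ~ /^D=[0-9]+$/) dport = substr($i, 3)
            else if ($i == "Syn")  syn = 1
            else if ($i ~ /^Ack=/) ack = 1
        }
        # Syn without Ack is the client opening a connection; later
        # segments of the same session are skipped, so one line per session.
        if (syn && !ack && (dport in watch)) {
            printf "client-watch: %s opened connection to %s port %s\n", host, $3, dport
            fflush()   # keep output timely when piped into logger
        }
    }'
}

# Constructed sample input (not captured traffic).
sample_snoop_output() {
    cat <<'EOF'
      myhost -> ftp.example.org TCP D=21 S=32790 Syn Seq=2837443 Len=0 Win=8760
ftp.example.org -> myhost       TCP D=32790 S=21 Syn Ack=2837444 Seq=991 Len=0 Win=8760
      myhost -> ftp.example.org TCP D=21 S=32790 Ack=992 Seq=2837444 Len=0 Win=8760
      myhost -> mirror.example.org TCP D=2121 S=32791 Syn Seq=551 Len=0 Win=8760
      myhost -> www.example.org TCP D=80 S=32792 Syn Seq=77 Len=0 Win=8760
   otherhost -> ftp.example.org TCP D=21 S=40000 Syn Seq=5 Len=0 Win=8760
EOF
}

# Live use (assumed interface and port list, adapt to your site):
#   snoop -d le0 src myhost | detect_client_conns myhost "21 2121" |
#       while read line; do logger -p auth.notice "$line"; done
sample_snoop_output | detect_client_conns myhost "21 2121"
```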
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:48 CDT