slim

Download the tarball (coming soon!)

The README:

Slim is a network monitor for Linux (x86). The concept is simple: a file with a set of defined rules determines which types of packets slim monitors, and for packets that match a rule, slim performs some action and/or logs the packet information. A rule is defined as a group of individual conditions that can apply to a packet. The goal of this program is to provide a very simple, yet flexible, way to do network monitoring.

To Build and Install
--------------------

At the command prompt ($), enter the following:

$ tar xzf slim-VERSION.tar.gz
$ cd slim-VERSION
$ make

You can copy the slim binary anywhere you'd like, or you can just leave it in the current directory. You must su to root to run the monitor.

Usage: slim [-u user] -r rulesfile [-o] [-p] [-v] [-h]
-u Specifies which user to run as. Must be specified only if -p isn't.
-r Specifies which rules file to use.
-o Set eth0 into promiscuous mode. Will only work if user is root.
-p Just parse and validate the rules file without starting the monitor.
-v Print version information and exit.
-h Print help screen and exit.
Example:
slim -u nobody -r /etc/slim/sample.rules
The list of rules is stored in the "rules file" in the following structure:

<rule>
key=value
.
.
.
</rule>

The key-value pairs denote the various conditions you can define within a rule. Other options that can be used within a rule are also represented by key-value pairs. You may have as many rules as your system can handle; that depends on the amount of RAM it has and the amount of network traffic on the system. Keep in mind that the more rules you define in one file, the more processing slim must do.

Rules files can have comments, with # being the comment character. For example:

# This is a comment.

--------------------------------------
Supported Conditions and Their Syntax:
--------------------------------------

1) protocol = value

   Specifies the type of protocol to test for. Possible values for 'value' are:

   IP ICMP IGMP IPIP TCP EGP PUP UDP IDP RSVP GRE IPV6/4 PIM RAW

   For example: protocol = TCP

2) source = value

   Specifies the IP address of the source of the packet.

   For example: source = 123.43.234.23

3) destination = value

   Specifies the address of the destination of the packet.

   For example: destination = 123.43.234.23

4) dst_port = value

   Specifies the destination port of the packet.

   For example: dst_port = 80

5) src_port = value

   Specifies the source port of the packet.

   For example: src_port = 8065

6) packetsizegreaterthan = value

   Specifies the size in bytes that the packet must be bigger than.

   For example: packetsizegreaterthan = 1024

7) substring = value

   Specifies a substring to search for in the data region of the packet.

-----------------------------------
Supported Options and Their Syntax:
-----------------------------------

1) action = value

   Specifies what to do if the conditions in the rule are met. This can be the name of a program, or shell commands.

   For example: action = /path/to/directory/script.shl&

   OR, action = echo You were pinged!

   The action option can also accept certain special variables to include in the action value.
   The data contained in these variables is information captured by slim when a packet arrives. These are the currently supported variables:

   $IP_SOURCE_ADDR$      -- The IP address of the source of the packet
   $IP_DESTINATION_ADDR$ -- The IP address of the destination of the packet
   $RULE_NAME$           -- The name of the current rule
   $DEST_PORT$           -- Destination port
   $SOURCE_PORT$         -- Source port

   These variables can be placed anywhere in the value for action. For example:

   action = echo You were pinged by $IP_SOURCE_ADDR$

   OR

   action = mail -s "Security Alert: $IP_DESTINATION_ADDR$ is the target of $RULE_NAME$" admin@server.com <server.log

2) actionthreshold = value

   Specifies how many times a rule must be met before the action is performed.

   For example: actionthreshold = 20

3) outputfile = value

   Specifies where to log packet information for this rule.

   For example: outputfile = /home/username/tcp_requests.out
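As an added worked example (not slim's own code and not part of this README), the following Python model reproduces the rule semantics described above: it parses a constructed rules file in the <rule> ... </rule> syntax, checks a packet against the seven conditions, honours actionthreshold, and expands the $...$ action variables. The "name" key that feeds $RULE_NAME$, the packet dict layout, and resetting the hit counter once the threshold fires are assumptions, since the README does not specify them.

```python
import re
# Constructed rules file; "name" is a hypothetical key that supplies $RULE_NAME$.
SAMPLE_RULES = """
# fire once three TCP packets to port 80 have been seen
<rule>
name = web_probe
protocol = TCP
dst_port = 80
actionthreshold = 3
action = echo $RULE_NAME$ from $IP_SOURCE_ADDR$:$SOURCE_PORT$
</rule>
"""

def parse_rules(text):
    """One dict per <rule> block; '#' starts a comment, 'key = value' inside."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line == "<rule>":
            cur = {"_hits": 0}
        elif line == "</rule>":
            rules.append(cur); cur = None
        elif cur is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            cur[key] = value
    return rules

def matches(rule, pkt):
    """Every condition present in the rule must hold for the packet dict."""
    checks = {
        "protocol": lambda v: pkt["protocol"].upper() == v.upper(),
        "source": lambda v: pkt["source"] == v, "destination": lambda v: pkt["destination"] == v,
        "dst_port": lambda v: pkt["dst_port"] == int(v), "src_port": lambda v: pkt["src_port"] == int(v),
        "packetsizegreaterthan": lambda v: pkt["size"] > int(v),
        "substring": lambda v: v.encode() in pkt["data"],
    }
    return all(check(rule[k]) for k, check in checks.items() if k in rule)

def evaluate(rule, pkt):
    """Count a match; when hits reach actionthreshold (assumed default 1) return the expanded action and reset."""
    if not matches(rule, pkt):
        return None
    rule["_hits"] += 1
    if rule["_hits"] < int(rule.get("actionthreshold", 1)):
        return None
    rule["_hits"] = 0
    vars_ = {"IP_SOURCE_ADDR": pkt["source"], "IP_DESTINATION_ADDR": pkt["destination"],
             "RULE_NAME": rule.get("name", ""), "DEST_PORT": str(pkt["dst_port"]),
             "SOURCE_PORT": str(pkt["src_port"])}
    return re.sub(r"\$(\w+)\$", lambda m: vars_.get(m.group(1), m.group(0)), rule["action"])
```

Unknown $NAME$ tokens are left untouched so a typo in a rule is visible in the executed action rather than silently expanding to nothing.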
© Copyright 2003 boz