I always wanted to write a program that took forever to run
just due to the amount of processing it did.
Now, I think I’ve got one.
Unless I remember to run the thing frequently, it takes
about 85 minutes to process through all the files I’ve collected to watch the
status of my network. That’s not
pleasant, but it’s working on getting better.
It shouldn’t take as long the next time, as I’ve written in a few checks
and balances that prevent it from re-checking every single file over
again. I end up running a “select
everything and see if you return nothing” comparison. Afterwards, I move the folder off to a
different directory to archive and eventually clean up that directory.
All of that seems to be working properly, for the most part. There are still some issues I need to debug,
and some error conditions that need to be solved. But it’s working better than it did. The second part is that I’ve finally got it
to where it will take multiple input units in the same file, so you don’t have
to have multiple scripts logging in every five minutes. The next part is to start working on NAT
table translation and interpretation.
I’m not sure how I want to do that as of yet. Show
ip nat translations gives all the translations, but is that enough
information? What else would I want?
I think that’s the basic problem of all network security
people. You want to gather information,
but it begs the question of what the correct amount of information is, and what
really needs stored. And there is always
the question of when enough is enough.
Flipping back through my Cisco book, it looks like I’m going
to need show ip nat translations verbose
for several different reasons. The main
reason is that it tells when that connection was last used, and that’s vital to
proper identification of what has happened.
It provides the “when” and “how long” needed to trace information back
to the source.
Plain show ip nat translations just gives a static view of a translation
that exists at that moment. The connection could have lasted for seconds or
it could have lasted for hours; there is no way to tell. So the verbose
form of the command is what needs to be parsed.
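As an added illustration of the point above (this is example code written for this page, not the author’s own script), here is a small parser for the verbose output. It recovers the “when” (absolute creation and last-use times) and the “how long” (seconds between creation and last use) that the non-verbose view cannot show. The sample output is constructed, uses documentation address ranges, and follows the classic IOS layout where each entry is followed by a “create …, use …, left …” line; the column layout varies across IOS versions, so the regular expressions are assumptions that may need adjusting for a given router.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `show ip nat translations verbose` output (not captured
# from a real router). Ages are hh:mm:ss elapsed before the moment of capture.
SAMPLE_VERBOSE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.9:1220      192.168.1.95:1220     198.51.100.7:443      198.51.100.7:443
    create 02:15:30, use 00:00:05, left 23:59:55, flags:
extended, use_count: 0
udp 203.0.113.9:53011     192.168.1.20:53011    198.51.100.53:53      198.51.100.53:53
    create 00:00:04, use 00:00:04, left 00:04:56, flags:
extended, use_count: 0
"""

# One translation line: protocol plus the four address:port columns.
# Static translations can show '---' in the protocol column.
ENTRY_RE = re.compile(
    r"^(?P<proto>tcp|udp|icmp|---)\s+"
    r"(?P<inside_global>\S+)\s+(?P<inside_local>\S+)\s+"
    r"(?P<outside_local>\S+)\s+(?P<outside_global>\S+)\s*$"
)
# The timing line that follows each entry in verbose mode.
TIMING_RE = re.compile(
    r"create\s+(?P<create>[\d:]+),\s+use\s+(?P<use>[\d:]+),\s+left\s+(?P<left>[\d:]+)"
)


def hms_to_seconds(text):
    """Convert an IOS hh:mm:ss age or timer string to integer seconds.

    Only the hh:mm:ss form is handled; a router that has been up long enough
    to print day counts would need an extra case here.
    """
    h, m, s = (int(part) for part in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_verbose(output, captured_at):
    """Parse verbose NAT translation output into a list of dicts.

    captured_at is when the output was collected, as a datetime or an ISO 8601
    string. Because 'create' and 'use' are ages relative to that moment,
    absolute timestamps are recovered by subtracting them from captured_at.
    """
    if isinstance(captured_at, str):
        captured_at = datetime.fromisoformat(captured_at)

    entries = []
    current = None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = m.groupdict()
            entries.append(current)
            continue
        t = TIMING_RE.search(line)
        if t and current is not None:
            create_age = hms_to_seconds(t.group("create"))
            use_age = hms_to_seconds(t.group("use"))
            current["created_at"] = captured_at - timedelta(seconds=create_age)
            current["last_used_at"] = captured_at - timedelta(seconds=use_age)
            # Time the translation was actually carrying traffic: from creation
            # to the last packet seen. The plain view gives no way to derive this.
            current["active_seconds"] = create_age - use_age
            # Seconds until the router ages the entry out, from the 'left' timer.
            current["expires_in_seconds"] = hms_to_seconds(t.group("left"))
    return entries


if __name__ == "__main__":
    for row in parse_verbose(SAMPLE_VERBOSE, "2024-01-01T12:00:00"):
        print(row["proto"], row["inside_local"], "->", row["outside_global"],
              "created", row["created_at"].time(),
              "last used", row["last_used_at"].time(),
              "active for", row["active_seconds"], "s")
```

When the collector already timestamps each file, passing that timestamp as captured_at turns every entry into an absolute record of who talked to whom and when, which is the form that is useful when tracing an event back to an inside host later.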
Where do I go from there?
I don’t know. At some point I’ve
got to figure out how to make Apache work the way I want it to. But that?
That’s another day.