Monday, May 25, 2015

Leg Work

I always wanted to write a program that took forever to run just due to the amount of processing it did.  Now, I think I’ve got one. 

Unless I remember to run the thing frequently, it takes about 85 minutes to process through all the files I’ve collected to watch the status of my network.  That’s not pleasant, but it’s working on getting better.  It shouldn’t take as long the next time, as I’ve written in a few checks and balances that prevent it from re-checking every single file over again.  I end up running a “select everything and see if you return nothing” comparison.  Afterwards, I move the folder off to a different directory to archive and eventually clean up that directory.

Which, all of that seems to be working properly.  For the most part.  There are still some issues I need to debug, and some error conditions that need to be solved.  But it’s working better than it did.  The second part is that I’ve finally got it to where it will take multiple input units in the same file, so you don’t have to have multiple scripts logging in every five minutes.  The next part is to start working on NAT table translating and interpretation.  I’m not sure how I want to do that as of yet.  Show ip nat translations gives all the translations, but is that enough information?   What else would I want?

I think that’s the basic problem of all network security people.  You want to gather information, but it begs the question of what the correct amount of information is, and what really needs to be stored.  And there is always the question of when enough is enough.  

Flipping back through my Cisco book, it looks like I’m going to need show ip nat translations verbose for several different reasons.  The main reason is that it tells when that connection was last used, and that’s vital to proper identification of what has happened.  It provides the “when” and “how long” needed to trace information back to the source.

Show ip nat translations just gives a static view of an event that happened. The connection could have lasted for seconds or it could have lasted for hours.  There is no way to tell.  So the need is to parse the verbose form of the command.  

Where do I go from there?  I don’t know.  At some point I’ve got to figure out how to make Apache work the way I want it to.  But that?  That’s another day.


Note: bold notations are specific Cisco commands.  
