RTM: flow-based network monitoring (opens in new tab)

(rtm.rdit.ch)

33 pointsEnte10y ago12 comments

12 comments

RUAG was hacked over a year ago an didn't notice until recently when the intelligence agency informed them. It's a huge scandal here.

http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-i...

http://www.blick.ch/news/wirtschaft/beunruhigender-hack-wie-...

EnteOP10y ago

you're right. An other example why it's a good idea to invest into smart people supported by good products in order to defend against such attacks. From my personal point of view, the risk of a data-breach is beeing underestimated in almost all companies. Which leads toh harsh budget restrictions for security responsibles.

Note: in my opinion Blick.ch [1] is not the best ressource for information. Please consider [2], [3].

[1]: http://www.blick.ch/ [2]: http://www.derbund.ch/wissen/technik/organisation/ruag/s.htm... [3]: http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern...

xs10y ago

Wait. How do I actually download this and where's the documentation?

EnteOP10y ago

Currently this is more of an ad-page for a propietary product. Devs are 'in discussion' with management in order to make the product available for a wide public audience. Actually the goal is a (at least) partial open source commitment.

- stay tuned

lafay10y ago

Kentik (http://www.kentik.com) is doing something very similar, as a cloud-based service or on-prem cluster. Accepts standard flow formats (netflow, sflow, IPFIX) from routers and switches, and also "augmented" flow from nprobe running on hosts or sensors.

xs10y ago

How does this differ from Silk+Flowbat?

detaro10y ago

Links for those that hadn't heard about that pair before (like me):

https://tools.netsa.cert.org/silk/

http://www.flowbat.com/

jawn-10y ago

Judging from screenshots, RTM does a deeper level of packet inspection than netflow based system (silk/flowbat).

As Silk/Flowbat are based on netflow records, which doesn't inspect the traffic passing across the network. It just records surface level information about the traffic. Source/Dest ports and addresses, UDP vs TCP and length and size of the conversation.

Deeper packet inspection probably results in rtm being able to inspect less traffic. Though depending on how RTM is written and the network drivers being used and your network size, you still might be able to have this monitor your egress points.

EnteOP10y ago

You're right. RTM, or rather, its internal flow assembling component RTS can be extended with plugins in order to extract and append more information for a flow. For example there are plugins for:

* regex matching * tcp state machine following * http * dns * bgp * smtp * icmp * pcap splitting by flows * ...

Using them will have an impact on performance, which is why there are no numbers regarding speed on this page. It's always a fit between: what one can see and what one wants to see. It's beeing sold as a privacy feature ;). Nevertheless a security expert has to configure the software so that it fits the environment.

In contrast to other projects, the general assumption is that RTM is not the 'one solution you implement and you're secure' but rather a platform on which you can build your security upon.

Sorry for the generic answer: I don't know Silk/Flowbat well enough in order to provide a in depth comparison.

mhurron10y ago

> Flowbat

Thank you for that.

ollybee10y ago

fastnetmon is another solution for this https://github.com/pavel-odintsov/fastnetmon

mansilladev10y ago

#SWISSNESS

j / k navigate · click thread line to collapse

12 comments

sschueller10y ago

RUAG was hacked over a year ago an didn't notice until recently when the intelligence agency informed them. It's a huge scandal here.

http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-i...

http://www.blick.ch/news/wirtschaft/beunruhigender-hack-wie-...

EnteOP10y ago

Note: in my opinion Blick.ch [1] is not the best ressource for information. Please consider [2], [3].

[1]: http://www.blick.ch/ [2]: http://www.derbund.ch/wissen/technik/organisation/ruag/s.htm... [3]: http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern...

xs10y ago

Wait. How do I actually download this and where's the documentation?

EnteOP10y ago

- stay tuned

lafay10y ago

xs10y ago

How does this differ from Silk+Flowbat?

detaro10y ago

Links for those that hadn't heard about that pair before (like me):

https://tools.netsa.cert.org/silk/

http://www.flowbat.com/

jawn-10y ago

Judging from screenshots, RTM does a deeper level of packet inspection than netflow based system (silk/flowbat).

EnteOP10y ago

You're right. RTM, or rather, its internal flow assembling component RTS can be extended with plugins in order to extract and append more information for a flow. For example there are plugins for:

* regex matching * tcp state machine following * http * dns * bgp * smtp * icmp * pcap splitting by flows * ...

In contrast to other projects, the general assumption is that RTM is not the 'one solution you implement and you're secure' but rather a platform on which you can build your security upon.

Sorry for the generic answer: I don't know Silk/Flowbat well enough in order to provide a in depth comparison.

mhurron10y ago

> Flowbat

Thank you for that.

ollybee10y ago

fastnetmon is another solution for this https://github.com/pavel-odintsov/fastnetmon

mansilladev10y ago

#SWISSNESS

j / k navigate · click thread line to collapse