User guide

Uploaded bytes
Downloaded bytes
Start time (Unix timestamp)
End time (Unix timestamp)
Length of session (in seconds)
Alerts can indicate many traffic anomalies, including TCP data flows in which more than a gigabyte of traffic was
detected within a single flow, an unusual traffic pattern that could indicate malicious or non-compliant activity. Using this
information in the raw output enables the user to get a better picture of what actually happened during the session
and increases network traffic visibility.
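As an added illustration of the session fields and the large-flow alert described above (example code written for this guide, not part of TNM; the key=value record layout and the 2**30-byte reading of "a gigabyte" are assumptions), this script parses constructed session records and reports the oversized flows:

```python
"""Flag oversized TCP sessions from TNM-style session records."""
from dataclasses import dataclass

GIGABYTE = 1 << 30  # assumption: "a gigabyte" taken as 2**30 bytes


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    uploaded: int    # uploaded bytes
    downloaded: int  # downloaded bytes
    start: int       # start time (Unix timestamp)
    end: int         # end time (Unix timestamp)

    @property
    def length(self) -> int:
        """Length of session in seconds, derived from the two timestamps."""
        return self.end - self.start


def parse_session(line: str) -> Session:
    """Parse one constructed 'src=.. dst=.. up=.. down=.. start=.. end=..' record."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Session(
        src=fields["src"], dst=fields["dst"],
        uploaded=int(fields["up"]), downloaded=int(fields["down"]),
        start=int(fields["start"]), end=int(fields["end"]),
    )


def oversized_flows(lines, threshold=GIGABYTE):
    """Return sessions whose total bytes exceed the threshold, largest first."""
    hits = [parse_session(line) for line in lines]
    hits = [s for s in hits if s.uploaded + s.downloaded > threshold]
    hits.sort(key=lambda s: s.uploaded + s.downloaded, reverse=True)
    return hits


# Constructed sample records (not real tnmd output).
SAMPLE = [
    "src=10.0.0.5 dst=10.0.0.80 up=5120 down=2147483648 start=1700000000 end=1700003600",
    "src=10.0.0.6 dst=10.0.0.80 up=1024 down=1000000000 start=1700000100 end=1700000400",
    "src=10.0.0.7 dst=10.0.0.81 up=3221225472 down=100 start=1700000200 end=1700007400",
]

if __name__ == "__main__":
    for s in oversized_flows(SAMPLE):
        print(f"ALERT {s.src}->{s.dst} {s.uploaded + s.downloaded} bytes in {s.length}s")
```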
When sending network traffic activity to the LCE, it is important to carefully consider the traffic source to monitor. The
amount of network logs generated while monitoring a busy T3, 100 Mb, or even Gigabit link can vastly outweigh the total
amount of firewall, web log and IDS logs. However, monitoring activity on key servers, key protocols, or even known
malicious IP addresses is extremely useful.
When used to aggregate syslog messages from another set of servers, make sure to specify the correct destination IP
addresses for the syslog messages. Otherwise, the Tenable Network Monitor may ignore syslog messages you
actually want gathered. Tenable also recommends deploying the TNM directly in front of or on any syslog gathering
servers.
The advantage of this is working with the logs directly as they arrive from their source servers. Syslog servers that
forward messages often prepend additional data to the log, which increases the overall log size. In addition, forwarded
logs often identify the source system by a name that may not be resolvable via DNS, making it harder to
understand which system generated a log entry. Using the TNM to sniff logs in motion preserves the source IP address of
the original log.
Command Line Options
The tnmd binary has several command line options that are printed out when it is invoked with the help option. Here is
a list of the current options:
usage: ./tnmd [ -v ] [ -e ] [ -r <pcap file> ] [ -t <TCP timeout> ] [ expression ]
The -v option displays the version of the TNM. The -e option displays the logs sent to the LCE on the local console via
stderr. The -r option specifies a tcpdump (pcap) capture file whose contents are processed as if they were live traffic, which can be used to send older logs to the LCE. The -t option
specifies how many seconds of inactivity tnmd tolerates before considering a TCP session dead. The last part of the
command line allows a specific packet filter expression to be given. Command line filter expressions must be enclosed in
quotation marks.
For example, the following command line can be used to run tnmd and log all network data except for UDP packets and
ports 80 and 6346.
# ./tnmd "not proto 17 and not port 80 and not port 6346" &
A list of decimal protocol enumerations is found here:
http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml
The tnmd is usually started via the network_monitor RC script in the system startup directory (for example,
/etc/rc.d/init.d on Red Hat Linux systems). To change the default packet filter in the startup script, edit this script
and go to the following entry on or about line 21: