VT-NG
Section: vt-ng (1)
Updated: 18 October 2007
NAME
       vt-ng - virus throttling daemon

CODE
       You can get the source from sourceforge.
SYNOPSIS
       vt-ng <options>
              [ -c --config ]
              [ -h --help ]
              [ -d --default-delay value ]
              [ -t --default-hot-hosts value ]
              [ -q --default-queue-size value ]
              [ --default-high-watermark value ]
              [ --default-low-watermark value ]
              [ -a --default-alert-script script ]
              [ -s --simulation ]
              [ -p --print-stat ]
              [ --debug ]
              [ --log-to-stdout ]
OPERATION
       vt-ng detects virus- and worm-like activity based on communication
       patterns. It can be used to (1) detect infected hosts within your
       internal network and (2) stop the spread of malware.

       Detection is based on the fact that malware usually tries to initiate
       many connections to the outside network, for various reasons: to "phone
       home", to download further malware, or to scan the net for other
       vulnerable hosts.

       The most common setup of vt-ng is on a gateway machine, such that all
       traffic originating in your internal network passes through vt-ngd (the
       vt-ng daemon). However, vt-ng may also be installed on a single host,
       protecting only that host. We will call the machine on which vt-ng is
       installed the throttler.

       vt-ng operates in the following way: for each IP address, ip, in the
       internal network, vt-ngd associates a packet queue. Each time a packet,
       p, either a UDP packet or a packet initiating a TCP connection, passes
       through the throttler, p is first transferred to vt-ngd. This is done
       with the help of the QUEUE target of iptables(8). When vt-ngd receives
       a packet p, it applies the following rules:

       1.   Check whether the packet queue associated with the source address
            of p is throttled. If it is throttled, drop the packet; that is,
            inform the kernel to drop p and not send it.

       2.   If the queue is not throttled, accept p; that is, pass p back to
            the kernel for transmission.

       2.1. Insert p into the packet queue, with a configurable delay, say 2
            seconds.

       2.2. If the packet queue is now either full or above a certain
            high-watermark, mark the packet queue as throttled.

       Repeatedly, vt-ngd inspects all of the packet queues and removes
       packets which have "served their time". E.g., if a packet was placed in
       a queue for a duration of 2 seconds, and at least 2 seconds have gone
       by, the packet is dequeued. If the queue was marked as throttled, and
       the queue size is now below a certain low-watermark, vt-ngd un-throttles
       the queue.
OPTIONS DETAILS
       -h, --help
              Print the usage syntax.

       -c, --config
              Specify a config file. A sample config file is provided in the
              distribution package.

       -d, --default-delay value
              The default time duration each packet is placed in a queue.
              Specific delays for specific IP addresses may be configured via
              the config file.

       -q, --default-queue-size value
              The default packet queue size. Specific queue sizes for specific
              IP addresses may be configured via the config file.

       --default-high-watermark value
              The default high-watermark value. Specific values for specific
              IP addresses may be configured via the config file.

       --default-low-watermark value
              The default low-watermark value. Specific values for specific
              IP addresses may be configured via the config file.

       -t, --default-hot-hosts value
              A list of the most recent IP addresses to which packets were
              destined is saved for each source IP. For each packet, prior to
              processing the packet, the destination address is inspected. If
              the destination address is in the list, the packet is accepted
              and the queue logic is bypassed.

       -a, --default-alert-script script
              Whenever a queue is throttled, this script is called. The
              following arguments are passed:

              1.  start/stop --> indicating whether activity has started or
                  stopped.
              2.  ip --> the originating ip which triggered the detection.
              3.  port --> the associated port.
              4.  ip --> the destination ip.
              5.  port --> the destination port.

              Different scripts for different source IP addresses may be
              specified in the config file. If no script is present, either as
              the default or for a specific ip, none will be executed.

       -s, --simulation
              Run in simulation mode. Never drop packets, but act as if you do.

       -p, --print-stat
              Print a status report to the console.

       --debug
              Run in debugging mode. Print more verbose information to the log.

       --log-to-stdout
              Log to stdout in addition to syslog.
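The following Python simulation is an added illustration of the rules in OPERATION and of the -t, -a and -s options; it is not code from vt-ng, and the class and function names (Throttler, SourceState, run_scenario) are invented here. Where the manual does not specify a detail it makes explicit assumptions: a queue is throttled when it is full or strictly above the high-watermark, a throttled queue is released when its size drops strictly below the low-watermark, the value given to -t is taken to be the length of the hot-host list, and the "stop" alert repeats the addresses of the packet that triggered the "start" alert. The traffic in run_scenario is constructed.

```python
"""Simulation of vt-ng's per-source queue, watermark, hot-host and alert logic
(added example, not vt-ng's own code; see the assumptions in the lead-in)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SourceState:
    queue: deque = field(default_factory=deque)      # (release_time, sport, dst, dport)
    hot_hosts: deque = field(default_factory=deque)  # recent destination IPs (-t)
    throttled: bool = False
    trigger: Optional[tuple] = None                  # packet that caused the throttle


class Throttler:
    def __init__(self, delay=2.0, queue_size=10, high_watermark=3,
                 low_watermark=1, hot_hosts=2, simulation=False):
        self.delay = delay              # -d
        self.queue_size = queue_size    # -q
        self.high = high_watermark      # --default-high-watermark
        self.low = low_watermark        # --default-low-watermark
        self.hot_hosts = hot_hosts      # -t: assumed to be the hot-host list length
        self.simulation = simulation    # -s: never drop, only act as if
        self.states = {}                # source IP -> SourceState
        self.alerts = []                # argument tuples an alert script (-a) would get

    def _alert(self, kind, src, sport, dst, dport):
        # Same order as the five arguments listed under -a
        self.alerts.append((kind, src, sport, dst, dport))

    def expire(self, now):
        """Dequeue packets that served their delay; un-throttle below the low-watermark."""
        for src, st in self.states.items():
            while st.queue and st.queue[0][0] <= now:
                st.queue.popleft()
            if st.throttled and len(st.queue) < self.low:
                st.throttled = False
                _, sport, dst, dport = st.trigger
                st.trigger = None
                self._alert("stop", src, sport, dst, dport)

    def handle(self, now, src, sport, dst, dport):
        """Verdict for one UDP packet or TCP connection attempt from src."""
        self.expire(now)
        st = self.states.setdefault(src, SourceState())
        # -t: a recently contacted destination bypasses the queue logic entirely
        if dst in st.hot_hosts:
            return "ACCEPT"
        # Rule 1: a throttled source is dropped (in -s mode the packet still passes)
        if st.throttled:
            return "ACCEPT" if self.simulation else "DROP"
        # Rules 2 and 2.1: accept the packet and park it in the queue for `delay` seconds
        st.queue.append((now + self.delay, sport, dst, dport))
        st.hot_hosts.append(dst)
        while len(st.hot_hosts) > self.hot_hosts:
            st.hot_hosts.popleft()
        # Rule 2.2: full or above the high-watermark -> throttle and fire the alert
        if len(st.queue) >= self.queue_size or len(st.queue) > self.high:
            st.throttled = True
            st.trigger = (now, sport, dst, dport)
            self._alert("start", src, sport, dst, dport)
        return "ACCEPT"


def run_scenario():
    """Constructed traffic: one internal host fanning out to many new destinations."""
    t = Throttler(delay=2.0, queue_size=10, high_watermark=3, low_watermark=1, hot_hosts=2)
    packets = [  # (time, src, sport, dst, dport); all values are made up
        (0.0, "192.168.1.10", 40001, "10.0.0.1", 445),
        (0.1, "192.168.1.10", 40002, "10.0.0.2", 445),
        (0.2, "192.168.1.10", 40003, "10.0.0.3", 445),
        (0.3, "192.168.1.10", 40004, "10.0.0.4", 445),  # 4 pending > high-watermark 3: throttle
        (0.4, "192.168.1.10", 40005, "10.0.0.5", 445),  # dropped while throttled
        (0.4, "192.168.1.20", 50001, "10.0.0.5", 80),   # a different source is unaffected
        (0.5, "192.168.1.10", 40006, "10.0.0.4", 445),  # hot host: accepted despite throttle
        (2.5, "192.168.1.10", 40007, "10.0.0.6", 445),  # delays served, queue empty: released
    ]
    verdicts = [t.handle(*p) for p in packets]
    return verdicts, t.alerts


if __name__ == "__main__":
    verdicts, alerts = run_scenario()
    print(verdicts)
    print(alerts)
```

The scenario shows the two behaviours a deployer should expect: a single burst of new destinations throttles the source after the high-watermark is crossed and produces one "start" alert, while the hot-host list keeps recently contacted destinations reachable, and the queue releases on its own once the delayed packets have served their time.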
AUTHORS
       Nir Tzachar <nir.tzachar@gmail.com>
       Based on a discontinued HP product called hp-vt.