vt-ng

vt-ng is a virus throttling daemon.

vt-ng Ranking & Summary

  • License:
  • GPL
  • Price:
  • FREE
  • Publisher Name:
  • Nir Tzachar
  • Publisher web site:
  • http://www.cs.bgu.ac.il/~tzachar/vt-ng.html

vt-ng Description

vt-ng is a virus throttling daemon.

SYNOPSIS

vt-ng <options>

OPERATION

vt-ng detects virus- and worm-like activity from communication patterns. It can be used to (1) detect infected hosts within your internal network and (2) stop the spread of malware. Detection relies on the fact that malware usually tries to initiate many connections to the outside network, for various reasons: to "phone home", to download further malware, or to scan the net for other vulnerable hosts.

The most common setup of vt-ng is on a gateway machine, such that all traffic originating in your internal network passes through vt-ngd (the vt-ng daemon). However, vt-ng may also be installed on a single host, protecting only that host. We will call the machine on which vt-ng is installed the throttler.

vt-ng operates in the following way. For each IP address, ip, in the internal network, vt-ngd associates a packet queue. Each time a packet p, either a UDP packet or a packet initiating a TCP connection, passes through the throttler, p is first transferred to vt-ngd. This is done with the help of the QUEUE target of iptables(8). (On current kernels the QUEUE target and its ip_queue module have been superseded by NFQUEUE; vt-ng as documented here relies on QUEUE.) When vt-ngd receives a packet p, it follows these rules:

1. Check whether the packet queue associated with the source address of p is throttled. If it is, drop the packet; that is, inform the kernel to drop p and not send it.

2. If the queue is not throttled, accept p; that is, pass p back to the kernel for transmission.

   2.1. Insert p into the packet queue, with a configurable delay, say 2 seconds.

   2.2. If the packet queue is now either full or above a certain high-watermark, mark the packet queue as throttled.

Repeatedly, vt-ngd inspects all of the packet queues and removes packets which have "served their time". E.g., if a packet was placed in a queue for a duration of 2 seconds, and at least 2 seconds have gone by, dequeue the packet. If the queue was marked as throttled, and the queue size is now below a certain low-watermark, vt-ngd un-throttles the queue.

Note that the accept/drop decision is made per source address, not per connection: once a source's queue is throttled, every new UDP packet or TCP connection attempt from that source is dropped until its queue drains below the low-watermark, except for packets to recently contacted destinations (see --default-hot-hosts below). Throttling therefore slows a host that keeps contacting new peers while leaving its established communication partners reachable.

OPTIONS

-h, --help
    Print the usage syntax.

-c, --config
    Specify a config file. A sample config file is provided in the distribution package.

-d, --default-delay value
    The default time duration each packet is placed in a queue. Specific delays for specific IP addresses may be configured via the config file.

-q, --default-queue-size value
    The default packet queue size. Specific queue sizes for specific IP addresses may be configured via the config file.

--default-high-watermark value
    The default high-watermark value. Specific values for specific IP addresses may be configured via the config file.

--default-low-watermark value
    The default low-watermark value. Specific values for specific IP addresses may be configured via the config file.

-t, --default-hot-hosts value
    For each source IP, a list of the most recent destination IP addresses it sent packets to is kept. Before a packet is processed, its destination address is checked against this list; if the destination is in the list, the packet is accepted and the queue logic is bypassed.

-a, --default-alert-script script
    Whenever a queue is throttled, this script is called with the following arguments:
    1. start/stop: indicates whether the activity has started or stopped.
    2. ip: the originating IP which triggered the detection.
    3. port: the associated port.
    4. ip: the destination IP.
    5. port: the destination port.
    Different scripts for different source IP addresses may be specified in the config file. If no script is present, either as default or for a specific IP, none is executed.

-s, --simulation
    Run in simulation mode. Never drop packets, but act as if you do.

-p, --print-stat
    Print a status report to the console.

--debug
    Run in debugging mode. Print more verbose information to the log.

--log-to-stdout
    Log to stdout in addition to syslog.

Requirements:
· The Boost Libraries

What's New in This Release:
· The logger is now thread safe.
· A simple error in the configuration file parser was fixed.
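To make the OPERATION rules and the --default-hot-hosts and --default-alert-script options above concrete, here is a small model of the throttler in Python. It is an added example, not vt-ng's own code: vt-ng itself is built on the Boost libraries and receives packets through the iptables QUEUE target, whereas here packets are plain records and the alert script is a Python callable receiving the same five arguments. The parameter names, the treatment of the hot-hosts list as an LRU of the N most recent destinations, running the expiry sweep on every packet arrival rather than periodically, and the sample traffic are all assumptions constructed for this example.

```python
"""Model of the vt-ng throttling rules described above (added illustration, not
vt-ng's own code): one delay queue per internal source IP, high/low watermarks,
the per-source "hot hosts" list and the start/stop alert hook. Times are in ms."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional, Tuple

@dataclass
class Packet:            # one UDP packet or TCP connection-initiating packet
    ts_ms: int
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class SourceQueue:
    """Per-source-IP state: the delay queue plus the hot-hosts list."""
    delay_ms: int
    size: int
    high: int
    low: int
    hot_hosts: int
    pending: Deque[Tuple[int, Packet]] = field(default_factory=deque)  # (release time, packet)
    recent: Deque[str] = field(default_factory=deque)                   # hot hosts, oldest first
    throttled: bool = False
    trigger: Optional[Packet] = None   # packet that pushed the queue over the high-watermark

class Throttler:
    def __init__(self, delay_ms=2000, queue_size=10, high_watermark=6, low_watermark=2,
                 hot_hosts=3, alert: Optional[Callable[..., None]] = None, simulation=False):
        self.defaults = dict(delay_ms=delay_ms, size=queue_size, high=high_watermark,
                             low=low_watermark, hot_hosts=hot_hosts)
        # Stand-in for --default-alert-script: called with (start|stop, src, sport, dst, dport).
        self.alert = alert or (lambda *_: None)
        self.simulation = simulation      # -s: never drop, but run the same state machine
        self.queues: Dict[str, SourceQueue] = {}
        self.would_drop = 0               # drops that simulation mode only counted

    def expire(self, now_ms: int) -> None:
        """The periodic sweep: dequeue packets that served their delay and
        un-throttle queues that fell below the low-watermark."""
        for ip, q in self.queues.items():
            while q.pending and q.pending[0][0] <= now_ms:
                q.pending.popleft()
            if q.throttled and len(q.pending) < q.low:
                q.throttled, t = False, q.trigger
                self.alert("stop", ip, t.sport, t.dst, t.dport)

    def _touch(self, q: SourceQueue, dst: str) -> None:
        # Hot-hosts list kept as the N most recently contacted destinations (assumed LRU).
        if dst in q.recent:
            q.recent.remove(dst)
        q.recent.append(dst)
        while len(q.recent) > q.hot_hosts:
            q.recent.popleft()

    def handle(self, p: Packet) -> str:
        """Verdict for one queued packet: ACCEPT or DROP."""
        self.expire(p.ts_ms)          # the sweep is modelled as running on every arrival
        if p.src not in self.queues:
            self.queues[p.src] = SourceQueue(**self.defaults)
        q = self.queues[p.src]
        if p.dst in q.recent:         # hot host: accepted without touching the queue logic
            self._touch(q, p.dst)
            return "ACCEPT"
        if q.throttled:               # rule 1
            if not self.simulation:
                return "DROP"
            self.would_drop += 1
            return "ACCEPT"
        q.pending.append((p.ts_ms + q.delay_ms, p))   # rules 2 and 2.1
        self._touch(q, p.dst)
        if len(q.pending) >= q.size or len(q.pending) > q.high:   # rule 2.2
            q.throttled, q.trigger = True, p
            self.alert("start", p.src, p.sport, p.dst, p.dport)
        return "ACCEPT"

def sample_traffic() -> List[Packet]:
    """Constructed traffic: 10.0.0.5 talks steadily to three peers; 10.0.0.7 bursts
    SYNs to twelve new addresses within 110 ms, then probes one more 3 s later."""
    legit = [Packet(1000 * i, "10.0.0.5", 50000 + i, f"198.51.100.{1 + i % 3}", 443) for i in range(10)]
    scan = [Packet(10_000 + 10 * i, "10.0.0.7", 40000 + i, f"192.0.2.{1 + i}", 445) for i in range(12)]
    probe = [Packet(13_000, "10.0.0.7", 40100, "192.0.2.100", 445)]
    return legit + scan + probe

def run(packets: List[Packet], **kw) -> Tuple[List[str], List[tuple], Throttler]:
    """Feed packets through a fresh throttler; return verdicts, alert calls and the throttler."""
    alerts: List[tuple] = []
    t = Throttler(alert=lambda *a: alerts.append(a), **kw)
    return [t.handle(p) for p in packets], alerts, t

if __name__ == "__main__":
    for p, v in zip(sample_traffic(), run(sample_traffic())[0]):
        print(f"{p.ts_ms:>6} ms  {p.src} -> {p.dst}:{p.dport}  {v}")
```

Running it shows 10.0.0.5 never throttled, because after its first three destinations every packet hits the hot-hosts list and bypasses the queue; 10.0.0.7 is throttled at its seventh new destination (queue above the high-watermark of 6) with a "start" alert, its remaining five scan packets are dropped, and the queue is un-throttled with a "stop" alert once the 2 s delays have expired, so the later probe is accepted and queued again. Passing simulation=True, the equivalent of -s, produces the same alerts with no drops, which is how the delay and watermarks can be tuned against live traffic before enforcement is switched on.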