Blogging from USENIX 2005

I flew from my home in northern Virginia to Anaheim, CA this morning to attend part of USENIX 2005. I managed to join Practical System and Network Monitoring by John Sellens of Syonex. I looked forward to this talk because I typically do not deal with the network performance side of monitoring.

John had to rush the end of his talk because he spent too much time discussing network monitoring projects that he did not recommend or didn't like. I still found his content useful, and I expect his talk tomorrow on System and Network Monitoring: Tools in Depth to be rewarding. Probably the most important lesson from his talk was the need to try out Nagios. I also started thinking about interesting ways to use Net-SNMP to retrieve information from systems running SNMP agents.

John explained that no one has written a definitive text on network performance monitoring. Perhaps I will tackle that subject in the future, or will integrate the key theories, tools, and techniques into a future edition of one of my existing book lines?

Finally, in the spirit of Aaron Higbee's recent Secureme blog rant on conference attendees, I offer this thought. What's the deal with people who attend conferences, especially day-long tutorial sessions, but never look up from their laptop? I bet 1/4 to 1/3 of the people in my session spent more than half their time staring at the LCD screens while John spoke. I guess these attendees don't care to concentrate on the speaker's message when the attendees aren't paying for the privilege of being in a class. Alternatively, if you already know the material, why sit through the class at all?

If you're attending USENIX too, stop by my Thursday class Network Security Monitoring with Open Source Tools. I think I'll also be signing copies of my book on Thursday during class breaks or lunch.

Comments

Anonymous said…
If you are interested in Nagios, I highly recommend checking out Zabbix. Like Nagios, you define events and setup constraints on what the expected results should be. Unlike Nagios, Zabbix records the full results data, which is almost always numbers, like the # of seconds a plug-in or command took to run, load, number of swapouts per second. Using this data, you can generate graphs and trend data just like mrtg or cricket.

Also unlike Nagios, you don't have to write plug-ins to check items and exit with a certain code. You simply tell Zabbix to run a command on a remote host, such as:

vmstat | awk '{ print $9 }' | tail -1

.. and then in the web interface define what numbers should trigger certain events.

Zabbix is fairly new, and honestly, only the 1.1 alpha's are really worth it, but it's something to keep an eye on in the next 6-12 months. I've migrated my network from Nagios to it so I wouldn't have to setup mrtg/cricket on all of the hosts to gather trend data.
11:41 PM
Anonymous said…
I've noticed the same sort of thing about conference attendees...get in a room full of people, and you'll notice a good number of them glued to their laptops...checking email, doing IM, etc. I can see if someone comes into the back of the room and takes a seat away from everyone else...they may simply be trying to get something done.

Another thing that gets me is the guys (and yes, it's always been guys, women don't seem to do this...) who huddle around a laptop and chatter away while you're presenting, and then ask, "what happens if...?" My stock response is something along the lines of, "why don't you try it and then share your results with us?" After all, you've got a system right there to try it on!

I agree with you, though...why sit in on a presentation if you already know the info, and all you're interested in doing is checking your email/IM?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
6:24 AM
Anonymous said…
I've got /my/ answer to your conference attendee complaint -- I'm in the lecture because I'm desperately hoping to learn something new and interesting, but because I likely won't and don't want to waste the time, I'll work on something else while I'm there, keeping one ear half-open with a filter for new and interesting things.


jsyn
2:40 AM
Post a Comment

Popular posts from this blog

Zeek in Action Videos

Image
This is a quick note to point blog readers to my Zeek in Action YouTube video series for the Zeek network security monitoring project .  Each video addresses a topic that I think might be of interest to people trying to understand their network using Zeek and adjacent tools and approaches, like Suricata, Wireshark, and so on.  I am especially pleased with Video 6 on monitoring wireless networks . It took me several weeks to research material for this video. I had to buy new hardware and experiment with a Linux distro that I had not used before -- Parrot .  Please like and subscribe, and let me know if there is a topic you think might make a good video.
Read more

MITRE ATT&CK Tactics Are Not Tactics

Image
Just what are "tactics"? Introduction MITRE ATT&CK  is a great resource, but something about it has bothered me since I first heard about it several years ago. It's a minor point, but I wanted to document it in case it confuses anyone else. The MITRE ATT&CK Design and Philosophy document from March 2020 says the following: At a high-level, ATT&CK is a behavioral model that consists of the following core components: • Tactics, denoting short-term, tactical adversary goals during an attack; • Techniques, describing the means by which adversaries achieve tactical goals; • Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques; and • Documented adversary usage of techniques, their procedures, and other metadata. My concern is with MITRE's definition of "tactics" as "short-term, tactical adversary goals during an attack," which is oddly recursive. The key word in the tacti
Read more

New Book! The Best of TaoSecurity Blog, Volume 4

Image
  I've completed the TaoSecurity Blog book series . The new book is  The Best of TaoSecurity Blog, Volume 4: Beyond the Blog with Articles, Testimony, and Scholarship .  It's available now for Kindle , and I'm working on the print edition.  I'm running a 50% off promo on Volumes 1-3 on Kindle through midnight 20 April. Take advantage before the prices go back up. I described the new title thus: Go beyond TaoSecurity Blog with this new volume from author Richard Bejtlich. In the first three volumes of the series, Mr. Bejtlich selected and republished the very best entries from 18 years of writing and over 18 million blog views, along with commentaries and additional material.  In this title, Mr. Bejtlich collects material that has not been published elsewhere, including articles that are no longer available or are stored in assorted digital or physical archives. Volume 4 offers early white papers that Mr. Bejtlich wrote as a network defender, either for technical or pol
Read more