From: Lev Stipakov
Subject: Re: Auditing network traffic
Date: Thu, 21 Jan 2016 11:49:13 +0200
Message-ID: <56A0A999.9090401@gmail.com>
References: <27424530.ASkzcua8kM@x2> <3655233.WIOkSfVQiu@x2>
In-Reply-To: <3655233.WIOkSfVQiu@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

Thank you for your comments!

It seems that the AUDIT target is a better option than hooking syscalls and managing fds. I don't have to look inside the traffic; just src/dest and byte count is enough for me.

What would be the performance implications of that approach compared to, say, the libpcap option? Mostly I am concerned about the logging part: it seems that every packet produces a NETFILTER_PKT record. I could not find any way to disable that, except probably disabling logging altogether, but that will break ausearch.

-Lev
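The message above asks for per-packet src/dst and byte counts from the AUDIT target's NETFILTER_PKT records. Below is an added example (not code from this thread or from the audit project) that turns a stream of such records into per-flow packet and byte totals. It assumes the key=value fields that xt_AUDIT was emitting around the time of this thread (saddr, daddr, proto, len, sport, dport); the sample records are constructed for illustration and are not real captures. In practice the input would come from `ausearch -m NETFILTER_PKT --raw`, or from reading /var/log/audit/audit.log directly.

```python
"""Aggregate per-flow packet and byte counts from NETFILTER_PKT audit records.

Added example, not part of the linux-audit thread. Field names (saddr, daddr,
proto, len) are assumed from the xt_AUDIT record layout of that era; a kernel
that omits len= is tolerated (bytes are counted as 0 for such records).
"""
import re
from collections import defaultdict

# Constructed sample records in the shape of audit.log lines. Not real traffic.
# action=0 is an "accept" audit from a rule like: iptables -A INPUT -j AUDIT --type accept
SAMPLE_RECORDS = """\
type=NETFILTER_PKT msg=audit(1453370953.101:8801): action=0 hook=1 len=1500 inif=eth0 outif=? mark=0x0 saddr=192.0.2.10 daddr=198.51.100.5 ipid=1234 proto=6 frag=0 sport=51000 dport=443
type=NETFILTER_PKT msg=audit(1453370953.102:8802): action=0 hook=1 len=60 inif=eth0 outif=? mark=0x0 saddr=192.0.2.10 daddr=198.51.100.5 ipid=1235 proto=6 frag=0 sport=51000 dport=443
type=NETFILTER_PKT msg=audit(1453370953.103:8803): action=0 hook=1 len=84 inif=eth0 outif=? mark=0x0 saddr=192.0.2.22 daddr=198.51.100.5 ipid=77 proto=1 frag=0 icmptype=8 icmpcode=0
type=SYSCALL msg=audit(1453370953.104:8804): arch=c000003e syscall=59 success=yes exit=0
type=NETFILTER_PKT msg=audit(1453370953.105:8805): action=0 hook=3 len=120 inif=? outif=eth0 mark=0x0 saddr=198.51.100.5 daddr=192.0.2.10 ipid=9 proto=17 frag=0 sport=53 dport=40000
"""

# Audit records are flat "key=value" pairs separated by whitespace.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Return the key=value fields of one audit line, or None if it is not a
    NETFILTER_PKT record (other record types such as SYSCALL are skipped)."""
    fields = dict(KV_RE.findall(line))
    if fields.get("type") != "NETFILTER_PKT":
        return None
    return fields


def summarize(text):
    """Aggregate packets and bytes per (saddr, daddr, proto) flow key.

    Returns {(saddr, daddr, proto): {"packets": n, "bytes": total_len}}.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or "saddr" not in rec or "daddr" not in rec:
            continue
        key = (rec["saddr"], rec["daddr"], int(rec.get("proto", 0)))
        totals[key]["packets"] += 1
        # Some kernel versions do not emit len=; count those packets with 0 bytes.
        totals[key]["bytes"] += int(rec.get("len", 0))
    return dict(totals)


def format_report(totals):
    """Render the aggregate as one line per flow, largest byte count first."""
    lines = []
    for (saddr, daddr, proto), counts in sorted(
        totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True
    ):
        lines.append(
            f"{saddr} -> {daddr} proto={proto} "
            f"packets={counts['packets']} bytes={counts['bytes']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_RECORDS)))
```

Because the aggregation happens after the fact, this does nothing about the per-packet record volume that the message worries about; it only shows that the src/dst/bytes the writer needs are recoverable from the records the AUDIT target already produces, without looking at payload.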