Alert messages contain detailed information about individual logfile entries that have triggered a predefined condition as specified in a configuration file. For example, you may want to be notified about all telnet sessions that occurred between midnight and 6am, all ftp sessions that lasted longer than fifteen minutes, or all email messages that were larger than two megabytes. If you've really got Big Brother envy, or you're looking for some good blackmail material, you can even be notified whenever anyone browses a URL that contains an "objectionable" word. The list of objectionable words is customizable and can even contain regular expressions. Most alert conditions can be defined separately for each protocol. Alerts can be triggered in six different ways:
A traffic summary is a table of statistics that contains information such as number of hits, number of bytes sent, number of bytes received, total number of bytes, and duration of time connected. A summary covers every logfile entry that survives filtering, regardless of alert settings. Reptor can generate different types of summaries, each individually configurable. Types of summaries include:
If your firewall server has more than two network interfaces, Reptor can be configured to process only traffic flowing in certain directions and/or only traffic flowing between certain interfaces.
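The three features described above (per-protocol alert conditions including the regular-expression word list, per-protocol traffic summaries, and interface/direction filtering) are illustrated together in the following Python sketch. This is an added example, not Reptor's own code: Reptor reads its rules from reptor.cfg and the real firewall log format is not shown on this page, so the line format, interface names and sample entries below are constructed for the example, and the rule thresholds are taken from the examples in the text.

```python
"""Toy analyser in the spirit of Reptor's alerts, summaries and interface filters.

Added example, not Reptor's code. The log format is a constructed, simplified one:
  date time protocol in-interface out-interface duration_s bytes_sent bytes_received detail
The real firewall's logfile format is not shown on the page.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real firewall output).
SAMPLE_LOG = """\
2000-03-14 00:42:10 telnet eth1 eth0 120 2048 4096 -
2000-03-14 09:15:00 telnet eth1 eth0 300 1024 8192 -
2000-03-14 02:00:00 ftp eth1 eth0 1200 500000 20 -
2000-03-14 11:00:00 ftp eth1 eth0 600 90000 20 -
2000-03-14 12:30:00 smtp eth0 eth1 45 3000000 512 -
2000-03-14 13:00:00 http eth1 eth0 5 400 12000 http://example.test/poker-night
2000-03-14 13:05:00 http eth1 eth0 3 300 9000 http://example.test/news
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) (?P<in_if>\S+) (?P<out_if>\S+) "
    r"(?P<duration>\d+) (?P<sent>\d+) (?P<received>\d+) (?P<detail>\S+)$"
)


def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        entries.append({
            "start": datetime.strptime(f"{d['date']} {d['time']}", "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "in_if": d["in_if"],
            "out_if": d["out_if"],
            "duration": int(d["duration"]),
            "sent": int(d["sent"]),
            "received": int(d["received"]),
            "detail": d["detail"],
        })
    return entries


# Customizable "objectionable word" list; entries may be regular expressions.
OBJECTIONABLE = [re.compile(p, re.IGNORECASE) for p in (r"poker", r"casino\w*")]

# One alert condition per protocol, mirroring the examples in the text.
ALERT_RULES = {
    "telnet": lambda e: e["start"].hour < 6,                 # session between midnight and 6am
    "ftp": lambda e: e["duration"] > 15 * 60,                 # lasted longer than fifteen minutes
    "smtp": lambda e: e["sent"] > 2 * 1024 * 1024,            # message larger than two megabytes
    "http": lambda e: any(p.search(e["detail"]) for p in OBJECTIONABLE),  # URL matches word list
}


def alerts(entries, rules=ALERT_RULES):
    """Return the entries whose protocol-specific condition fires."""
    return [e for e in entries if e["proto"] in rules and rules[e["proto"]](e)]


def summarize(entries, key="proto"):
    """Per-key traffic summary: hits, bytes sent/received, total bytes, connected time."""
    stats = defaultdict(lambda: {"hits": 0, "sent": 0, "received": 0, "total": 0, "duration": 0})
    for e in entries:
        s = stats[e[key]]
        s["hits"] += 1
        s["sent"] += e["sent"]
        s["received"] += e["received"]
        s["total"] += e["sent"] + e["received"]
        s["duration"] += e["duration"]
    return dict(stats)


def filter_direction(entries, in_if=None, out_if=None):
    """Keep only traffic entering and/or leaving through the given interfaces."""
    return [e for e in entries
            if (in_if is None or e["in_if"] == in_if)
            and (out_if is None or e["out_if"] == out_if)]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in alerts(log):
        print(f"ALERT {e['proto']:6} {e['start']:%H:%M:%S} {e['detail']}")
    for proto, s in sorted(summarize(log).items()):
        print(f"{proto:6} hits={s['hits']} total={s['total']} duration={s['duration']}s")
    print("entries entering on eth0:", len(filter_direction(log, in_if="eth0")))
```

Summaries are computed over the filtered entry set, so the only interaction between the two is which entries reach `summarize`; the alert rules never affect it, as the text states.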
All options are read from a configuration file at runtime. By default, this file is named reptor.cfg. Before using Reptor, you must create at least one configuration file. A sample reptor.cfg is included in the Reptor distribution, and documentation is available on the configuration page.
Reptor generates HTML output. It can obtain logfiles from STDIN, the local filesystem, or through the remotelog utility that is shipped with the firewall. It can output to STDOUT, the local filesystem, to an FTP server, or to an SMTP server. Interesting combinations of these include, but are not limited to, the following situations:
--config file
--date date
--dir directory
--help
--ignore
--log file
--verify
--version
If you're really intent on this sort of thing, here are some nearly meaningless benchmarks. Each of these tests was run with a fair number of alert triggers, but no DNS lookups.
| Hardware | OS | Load | Speed |
|---|---|---|---|
| 150MHz Pentium | Linux | mild | 10Mb/min |
| 300MHz Pentium II | NT Workstation | none | 25Mb/min |
| 400MHz Pentium II | Linux | none | 40Mb/min |