The Network Security Toolkit has many useful command line scripts that give the network security administrator easy access to the comprehensive set of Open Source Network Security Tools found in the NST distribution. This section explores these scripts and demonstrates their usage with NST.
It is extremely important for security related forensic analysis that all data captured or logged by network infrastructure equipment throughout the enterprise environment be time-stamped using a common reference time synchronization standard. NST uses NTP (the official reference implementation of the NTP protocol, RFC 1305 and RFC 2030) to accomplish this. Prior to running a security related application or tool, one should start up NTP. NST is configured by default to use the following time reference sources to achieve NTP time synchronization: ntp1.usno.navy.mil. (192.5.41.41), stratum 1, and bonehed.lcs.mit.edu. (18.26.4.105), stratum 2. Reference clocks and other NTP configuration parameters can be changed in /etc/ntp.conf.
The following session shows how to start up NTP and display useful NTP status on an NST probe.
[root@probe root]# /etc/init.d/ntpd start                                    (1)
ntpd: Synchronizing with time server:                      [ OK ]
Starting ntpd:                                             [ OK ]
[root@probe root]# ntpq -p                                                   (2)
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.usno.navy. .USNO.           1 u   33   64   37  170.601   19.034   3.833
+bonehed.lcs.mit NAVOBS1.MIT.EDU  2 u   28   64   37   28.038   14.585   3.469
[root@probe root]# ntptime                                                   (3)
ntp_gettime() returns code 0 (OK)
  time c486a6d7.3fd7c000  Fri, Jun 25 2004  9:27:51.249, (.249386),
  maximum error 549609 us, estimated error 15516 us
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -208.000 us, frequency 124.953 ppm, interval 4 s,
  maximum error 549609 us, estimated error 15516 us,
  status 0x1 (PLL),
  time constant 2, precision 1.000 us, tolerance 512 ppm,
  pps frequency 0.000 ppm, stability 512.000 ppm, jitter 200.000 us,
  intervals 0, jitter exceeded 0, stability exceeded 0, errors 0.
[root@probe root]# ntpdate -dv 192.5.41.41                                   (4)
14 Jul 08:36:53 ntpdate[5436]: ntpdate 4.1.1c-rc1@1.836 Thu Feb 13 12:17:20 EST 2003 (1)
transmit(192.5.41.41)
receive(192.5.41.41)
transmit(192.5.41.41)
receive(192.5.41.41)
transmit(192.5.41.41)
receive(192.5.41.41)
transmit(192.5.41.41)
receive(192.5.41.41)
transmit(192.5.41.41)
server 192.5.41.41, port 123
stratum 1, precision -19, leap 00, trust 000
refid [USNO], delay 0.26082, dispersion 0.06273
transmitted 4, in filter 4
reference time:      c49fa762.50451398  Wed, Jul 14 2004  8:36:50.313
originate timestamp: c49fa766.e083434e  Wed, Jul 14 2004  8:36:54.877
transmit timestamp:  c49fa766.bc573a79  Wed, Jul 14 2004  8:36:54.735
filter delay:  0.41434  0.32225  0.29274  0.26082
               0.00000  0.00000  0.00000  0.00000
filter offset: -0.09171 -0.05684 -0.03271 0.023662
               0.000000 0.000000 0.000000 0.000000
delay 0.26082, dispersion 0.06273
offset 0.023662

14 Jul 08:36:54 ntpdate[5436]: adjust time server 192.5.41.41 offset 0.023662 sec

(1) Start up the NTP daemon on an NST probe.
(2) Display NTP peer status with its reference clocks.
(3) Display time related NTP kernel values.
(4) Display the local time offset in verbose mode from NTP server 192.5.41.41 using the ntpdate utility command without any adjustments to the local NST clock.
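As an added example (not part of the NST documentation or its scripts), the following Python parses `ntpq -p` output such as the listing above and decides whether the probe's clock is good enough to rely on when correlating its logs and captures with evidence from other hosts. The first embedded listing is a constructed copy of the output shown after `ntpd start`; the second is a constructed listing for the same peers after the daemon has settled, with hypothetical values. The 50 ms offset threshold and the requirement that all eight recent polls be answered (reach 377) are assumptions chosen for illustration, not NST settings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Tally code printed in the first column of `ntpq -p`.
TALLY = {
    '*': 'system peer',   # the peer the local clock is currently steered by
    '+': 'candidate',     # survived selection, included in the combined offset
    '-': 'outlier',       # discarded by the clustering algorithm
    'x': 'falseticker',   # rejected by the intersection algorithm
    '.': 'excess',        # discarded, too many candidates
    '#': 'backup',        # kept as a spare
    ' ': 'rejected',      # unreachable or otherwise discarded
}

@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    reach: int          # 8-bit shift register of the last polls (ntpq prints it in octal)
    delay_ms: float
    offset_ms: float
    jitter_ms: float

    @property
    def reach_count(self) -> int:
        """How many of the last eight polls were answered (377 octal = all eight)."""
        return bin(self.reach).count('1')

# Constructed copy of the `ntpq -p` listing taken right after `ntpd start`.
JUST_STARTED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.usno.navy. .USNO.           1 u   33   64   37  170.601   19.034   3.833
+bonehed.lcs.mit NAVOBS1.MIT.EDU  2 u   28   64   37   28.038   14.585   3.469
"""

# Constructed listing for the same peers once the daemon has settled
# (hypothetical values, for illustration only).
CONVERGED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.usno.navy. .USNO.           1 u   12 1024  377  170.601   -0.812   1.204
+bonehed.lcs.mit NAVOBS1.MIT.EDU  2 u  540 1024  377   28.038    2.107   0.935
"""

PEER_RE = re.compile(
    r'^(?P<tally>[ *+\-x.#])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+'
    r'(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+'
    r'(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$')

def parse_ntpq(text: str) -> List[Peer]:
    """Return one Peer per data row; the header and separator rows are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if not m:
            continue
        peers.append(Peer(
            tally=m['tally'], remote=m['remote'], refid=m['refid'],
            stratum=int(m['st']), reach=int(m['reach'], 8),
            delay_ms=float(m['delay']), offset_ms=float(m['offset']),
            jitter_ms=float(m['jitter'])))
    return peers

def system_peer(peers: List[Peer]) -> Optional[Peer]:
    """The peer marked '*', or None when ntpd has not selected one yet."""
    return next((p for p in peers if p.tally == '*'), None)

def clock_is_trustworthy(peers: List[Peer], max_offset_ms: float = 50.0,
                         min_reach: int = 8) -> Tuple[bool, str]:
    """Decide whether this host's timestamps can be correlated with other
    evidence.  Both thresholds are assumptions made for this example."""
    sp = system_peer(peers)
    if sp is None:
        return False, 'no system peer selected (clock is free-running)'
    if sp.reach_count < min_reach:
        return False, (f'{sp.remote}: only {sp.reach_count}/8 recent polls '
                       f'answered (reach {sp.reach:o})')
    if abs(sp.offset_ms) > max_offset_ms:
        return False, f'{sp.remote}: offset {sp.offset_ms} ms exceeds {max_offset_ms} ms'
    return True, f'synced to {sp.remote} (stratum {sp.stratum}), offset {sp.offset_ms} ms'

if __name__ == '__main__':
    for label, listing in (('just started', JUST_STARTED), ('converged', CONVERGED)):
        ok, why = clock_is_trustworthy(parse_ntpq(listing))
        print(f'{label}: {"OK" if ok else "NOT READY"}: {why}')
```

Run against the listing captured immediately after startup, the check reports NOT READY: reach 37 (octal) means only five polls have been answered, so the daemon has not yet built a full history for its system peer even though it already shows a `*` marker. Against the converged listing the same check passes. On a live probe, feed it the output of `ntpq -p` instead of the embedded samples.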
There is also a bash shell alias, lntpd, that quickly starts up the NTP service. This alias is demonstrated below:
[root@probe root]# lntpd
ntpd: Synchronizing with time server:                      [ OK ]
Starting ntpd:                                             [ OK ]
NST's Web User Interface found in ??? can also be used to start up NTP. Look under the "System/General" section for "Services" and one can "Start/Stop" the "ntpd" daemon. One can also check the operational state of the "ntpd" daemon using the "NTP Info" and "NTP Query" links found under the "Networking/Time" section.