
RTM: flow-based network monitoring - Ente
https://rtm.rdit.ch/
======
sschueller
RUAG was hacked over a year ago and didn't notice until recently when the
intelligence agency informed them. It's a huge scandal here.

[http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-i...](http://www.swissinfo.ch/eng/ruag-affair_sensitive-personal-information-likely-hacked/42140796)

[http://www.blick.ch/news/wirtschaft/beunruhigender-hack-wie-...](http://www.blick.ch/news/wirtschaft/beunruhigender-hack-wie-schlimm-war-der-russen-angriff-auf-ruag-id4996353.html)

~~~
Ente
You're right. Another example of why it's a good idea to invest in smart
people supported by good products in order to defend against such attacks.
From my personal point of view, the risk of a data breach is being
underestimated in almost all companies, which leads to harsh budget
restrictions for those responsible for security.

Note: in my opinion Blick.ch [1] is not the best resource for information.
Please consider [2], [3].

[1]: [http://www.blick.ch/](http://www.blick.ch/)
[2]: [http://www.derbund.ch/wissen/technik/organisation/ruag/s.htm...](http://www.derbund.ch/wissen/technik/organisation/ruag/s.html)
[3]: [http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern...](http://www.nzz.ch/nzzas/cyber-attacke-gegen-ruestungskonzern-ruag-russische-hacker-enttarnen-geheime-schweizer-elitetruppe-ld.18562)

------
xs
Wait. How do I actually download this and where's the documentation?

~~~
Ente
Currently this is more of an ad page for a proprietary product. Devs are 'in
discussion' with management in order to make the product available to a wide
public audience. Actually the goal is an (at least) partial open source
commitment.

- stay tuned

------
lafay
Kentik ([http://www.kentik.com](http://www.kentik.com)) is doing something
very similar, as a cloud-based service or on-prem cluster. Accepts standard
flow formats (netflow, sflow, IPFIX) from routers and switches, and also
"augmented" flow from nprobe running on hosts or sensors.

------
xs
How does this differ from Silk+Flowbat?

~~~
jawn-
Judging from screenshots, RTM does a deeper level of packet inspection than
netflow-based systems (silk/flowbat).

Silk/Flowbat are based on netflow records, which don't inspect the traffic
passing across the network. They just record surface-level information about
the traffic: source/dest ports and addresses, UDP vs TCP, and the length and
size of the conversation.

Deeper packet inspection probably results in RTM being able to inspect less
traffic. Though depending on how RTM is written, the network drivers being
used and your network size, you still might be able to have this monitor your
egress points.

~~~
Ente
You're right. RTM, or rather, its internal flow assembling component RTS can
be extended with plugins in order to extract and append more information for a
flow. For example there are plugins for:

* regex matching
* tcp state machine following
* http
* dns
* bgp
* smtp
* icmp
* pcap splitting by flows
* ...

Using them will have an impact on performance, which is why there are no
numbers regarding speed on this page. It's always a trade-off between what one
can see and what one wants to see. It's being sold as a privacy feature ;).
Nevertheless, a security expert has to configure the software so that it fits
the environment.

In contrast to other projects, the general assumption is that RTM is not the
'one solution you implement and you're secure' but rather a platform on which
you can build your security.

Sorry for the generic answer: I don't know Silk/Flowbat well enough to
provide an in-depth comparison.

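An added illustration (written for this thread, not RTM's own code) of the flow-assembly-plus-plugins idea the last two comments describe: packets are aggregated into the surface-level record a netflow collector keeps (addresses, ports, protocol, packet and byte counts, timing), and a per-protocol plugin such as a TCP state follower appends fields that plain netflow records cannot provide. The packet list, field layout and plugin names are constructed for this example.

```python
from dataclasses import dataclass, field
# Constructed sample packets: (ts, src, dst, sport, dport, proto, length, tcp_flags)
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 60, "S"),
    (0.01, "192.0.2.10", "10.0.0.5", 443, 51000, "tcp", 60, "SA"),
    (0.50, "10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 1400, "PA"),
    (0.90, "192.0.2.10", "10.0.0.5", 443, 51000, "tcp", 52, "FA"),
    (2.00, "10.0.0.7", "10.0.0.53", 40000, 53, "udp", 70, ""),
    (2.01, "10.0.0.53", "10.0.0.7", 53, 40000, "udp", 120, ""),
    (3.00, "10.0.0.9", "192.0.2.20", 52000, 22, "tcp", 60, "S"),  # never answered
]

@dataclass
class Flow:
    key: tuple                 # canonical bidirectional 5-tuple
    packets: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0
    extra: dict = field(default_factory=dict)  # fields appended by plugins

def flow_key(src, dst, sport, dport, proto):
    # Sort the two endpoints so both directions land in the same flow record.
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)

def tcp_state_plugin(flow, pkt):
    """Follow a coarse TCP state machine from the flags seen so far."""
    flags, state = pkt[7], flow.extra.get("tcp_state", "new")
    if "F" in flags or "R" in flags:
        state = "closing"
    elif "S" in flags:
        state = "syn_acked" if "A" in flags else "syn_sent"
    elif state == "syn_acked" and "A" in flags:
        state = "established"
    flow.extra["tcp_state"] = state

def assemble(packets, plugins=None):
    """Aggregate packets into flows; per-protocol plugins may only append to flow.extra."""
    plugins, flows = plugins or {}, {}
    for pkt in sorted(packets):
        ts, src, dst, sport, dport, proto, length, _ = pkt
        key = flow_key(src, dst, sport, dport, proto)
        f = flows.setdefault(key, Flow(key, first=ts))
        f.packets += 1
        f.bytes += length
        f.last = ts
        for plugin in plugins.get(proto, ()):
            plugin(f, pkt)
    return flows
```

Running `assemble(PACKETS, {"tcp": [tcp_state_plugin]})` yields three flows; the unanswered SYN to port 22 stays in `syn_sent`, which is the kind of field a plain 5-tuple record does not carry and a detection rule can key on.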
------
ollybee
fastnetmon is another solution for this: [https://github.com/pavel-odintsov/fastnetmon](https://github.com/pavel-odintsov/fastnetmon)

------
mansilladev
#SWISSNESS

