specter 1.4 review

by rbytes.net on

specter is a user-space logging facility for the Linux netfilter system

License: GPL (GNU General Public License)
File size: 138K
Developer: Michal Kwiatkowski

specter is a user-space logging facility for the Linux netfilter system. It uses netfilter's ULOG target to gather packets, and passes them to attached plugins.

It features a flexible and robust modularized structure. It is based on ulogd, but has an improved design and wider functionality.

It currently supports a basic set of network protocols (IP, TCP, UDP, and HTTP) and can save data as text or PCAP, or add it to MySQL or PostgreSQL databases.

If you're running a Linux firewall and need fast and reliable logging software, specter is for you. No kernel patches are needed: it works with the standard ipt_ULOG netfilter target module. Being a userspace application, it introduces a much lower security and stability risk than any kernel module.

Keeping the core simple and clean, specter's power lies in its plugins. You can define not only where the received packet data should go, but also how it should be interpreted. Although the list of standard input and output plugins is wide, writing your own is a trivial task, as the code is extensively documented. All of these properties make specter a universal firewall logging utility.

specter is free software, licensed under the GPL. You can use it any way you want, learn from the code, add your own enhancements and pass them on, all for free.

specter is based on Harald Welte's ulogd 1.02, but takes a slightly different approach. Its modularized structure and highly configurable parameters, combined with netfilter's neat design, give you freedom in setting up your logging facility. You can not only save packets into files or databases, but also do other crazy things, like making your keyboard blink in case of high network traffic (or any other user-defined condition).

Currently it includes two new plugins: EXEC, which executes given commands when a packet is received, and HTTP, which parses HTTP traffic. It also has an extended configuration syntax and the possibility to divide packets into many execution blocks. You can learn more by reading the online documentation.

What's New in This Release:
fixed building with pgsql 8.0
updated documentation
commented out rare keys from doc/pgsql.table
added 'port' option to MYSQL and PGSQL
host, user and pass MYSQL options and user PGSQL option are no longer mandatory
added SSL connection support for MYSQL and PGSQL plugins
fixed structure initialization to allow build on gcc-4
added $PATH support to EXEC
added 'environment' option to EXEC
core --uid option split into --uid and --gid
packet handling fixes in BASE
fixed bad handling of open() returning an error in EXEC plugin (found by Grzegorz Bizon)
fixed ulog_test.c
added soname to libipulog shared library (fixed by Grzegorz Bizon)
log local time in printpkt.c if ulog time isn't available
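As an added example (not specter's or ulogd's own code), this shows the kind of decoding an input plugin does on a ULOG message for the IP/TCP/UDP protocols listed above, including the local-time fallback mentioned in the changelog when the ULOG timestamp is absent. The struct ulog_msg, decode_packet() and the sample packet are constructed stand-ins, not the kernel's ipt_ULOG.h definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical, simplified stand-in for the ulog_packet_msg_t a plugin receives
 * (real layout: kernel ipt_ULOG.h); defined here to build without netfilter headers. */
struct ulog_msg {
    long timestamp_sec;            /* 0 when the kernel attached no timestamp */
    size_t data_len;               /* number of valid bytes in payload */
    const unsigned char *payload;  /* raw packet, starting at the IP header */
};

struct decoded {
    int proto;                     /* 6 = TCP, 17 = UDP */
    char src[16], dst[16];         /* dotted-quad addresses */
    uint16_t sport, dport;
    long ts_sec;                   /* ULOG time, or local time as a fallback */
};

/* Decode IPv4 + TCP/UDP headers out of the ULOG payload. Returns 0 on success, -1 if
 * the message is too short or is not IPv4 carrying TCP/UDP. Every offset is checked
 * against data_len, because the IHL field comes from the wire, not from the kernel. */
int decode_packet(const struct ulog_msg *m, struct decoded *out)
{
    const unsigned char *p = m->payload;
    if (m->data_len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || m->data_len < ihl + 4) return -1;   /* need both port fields */
    out->proto = p[9];
    if (out->proto != 6 && out->proto != 17) return -1;
    snprintf(out->src, sizeof out->src, "%d.%d.%d.%d", p[12], p[13], p[14], p[15]);
    snprintf(out->dst, sizeof out->dst, "%d.%d.%d.%d", p[16], p[17], p[18], p[19]);
    out->sport = (uint16_t)((p[ihl] << 8) | p[ihl + 1]);
    out->dport = (uint16_t)((p[ihl + 2] << 8) | p[ihl + 3]);
    out->ts_sec = m->timestamp_sec ? m->timestamp_sec : (long)time(NULL);
    return 0;
}

/* Constructed sample: a 40-byte TCP SYN from 192.168.1.2:1234 to 10.0.0.1:80. */
const unsigned char sample_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x02, 0x0a, 0x00, 0x00, 0x01, 0x04, 0xd2, 0x00, 0x50,
    0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};

int main(void) {
    struct ulog_msg m = { 1100000000L, sizeof sample_pkt, sample_pkt };
    struct decoded d;
    if (decode_packet(&m, &d) == 0)
        printf("%ld proto=%d %s:%d -> %s:%d\n", d.ts_sec, d.proto, d.src, d.sport, d.dst, d.dport);
    return 0;
}
```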
