ASDIC

FAQ

What is ASDIC?

ASDIC is a traffic analysis system. It's your eye on the network. It will show you what's going on in your networks.

Is ASDIC free? Is it GPL?

ASDIC is not open source. ASDIC is not GPL. ASDIC is copyrighted by Ping Research. For professional but non-profit use you will in general qualify for a license free of charge. Read more about licensing.

Is the downloadable version of ASDIC crippled?

The only restriction in the downloadable non-profit version of ASDIC is a watermark in the graphs reading "for non-profit use only".

Can ASDIC be used in really large networks?

Yes. It is in really large networks that ASDIC is needed, because it is impossible to keep track of them without it. A single ASDIC monitor can process hundreds of thousands of log entries per second.

Why does ASDIC run slow?!

ASDIC runs very fast, but when low on memory it basically halts. If the RSS of the ASDIC process grows to the same size as the available RAM, get more memory, lower "KEEP" in /etc/default/asdic, and/or run expunge (see crontab) more frequently. On a quad-core CPU the ASDIC log parser runs faster than grep when it is not limited by low memory.
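The trigger named above (process RSS approaching the machine's RAM) is easy to watch for from cron. The script below is an added example and not part of ASDIC; it parses the two /proc files that hold those numbers and maps the ratio to the remedies the FAQ lists. The /proc contents shown are constructed samples, and the process name "asdic" and the 90% threshold are assumptions.

```python
"""Memory-pressure check for a log-analysis daemon (added example, not ASDIC code)."""
import re
import sys

# Constructed sample of /proc/meminfo (first lines only).
SAMPLE_MEMINFO = """MemTotal:        8167848 kB
MemFree:          123456 kB
MemAvailable:     654321 kB
"""

# Constructed sample of /proc/<pid>/status for the daemon (name is assumed).
SAMPLE_STATUS = """Name:\tasdic
Pid:\t4242
VmRSS:\t 7500000 kB
Threads:\t4
"""


def kb_field(text: str, key: str) -> int:
    """Return the kB value of `key:` from /proc-style text; raise KeyError if absent."""
    m = re.search(rf"^{re.escape(key)}:\s+(\d+)\s+kB", text, re.MULTILINE)
    if not m:
        raise KeyError(key)
    return int(m.group(1))


def rss_fraction(status_text: str, meminfo_text: str) -> float:
    """Fraction of total RAM that the process's resident set occupies."""
    return kb_field(status_text, "VmRSS") / kb_field(meminfo_text, "MemTotal")


def advice(fraction: float, threshold: float = 0.9) -> str:
    """Map the fraction to the FAQ's remedies (the threshold value is an assumption)."""
    if fraction >= threshold:
        return ("RSS is %.0f%% of RAM: add memory, lower KEEP in /etc/default/asdic, "
                "or run expunge more often" % (fraction * 100))
    return "RSS is %.0f%% of RAM: ok" % (fraction * 100)


def check_live(pid: int) -> str:
    """Run the same check against the real /proc files of a running process."""
    with open(f"/proc/{pid}/status") as f, open("/proc/meminfo") as g:
        return advice(rss_fraction(f.read(), g.read()))


if __name__ == "__main__":
    # With a PID argument, check a live process; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        print(check_live(int(sys.argv[1])))
    else:
        print(advice(rss_fraction(SAMPLE_STATUS, SAMPLE_MEMINFO)))
```

Run it with the PID of the daemon from cron and mail the output when it is not "ok"; the same two numbers are what `ps -o rss=` and `free` report, so the check can be cross-checked by hand.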

Why does ASDIC require a dedicated machine and so much ram memory?

ASDIC uses statistics in the decision process that creates new traffic pattern aggregates. Basically, every new unclassified session it sees is compared with every single session ever seen. To make this possible, a speed/memory trade-off is made, favoring speed at the expense of memory.

What is the scale in the report graphs?

The scale shows the number of packets or sessions per sample interval. The default sample interval is 15 minutes, configurable in the /etc/asdic/default file. Each sample interval is shown as a one-pixel-wide column, and with 15-minute samples the graph reaches back about 64 hours in time.

What is the typical ASDIC customer like?

It's a large company with lots of networks, routers and firewalls that needs to keep track of the network traffic to ensure functionality and security.

Who are the typical ASDIC operators?

ASDIC is a tool for analyzing logs and traffic information. ASDIC users are familiar with TCP/IP and firewall logs and understand how to read them. ASDIC helps them examine gigabytes of log data in the time it would have taken to read just a few log entries. Still, they need the skills to understand what the log data represents.

Is my firewall log format supported?

Very likely. In ASDIC you can specify the exact syntax of your firewall log in a very flexible way. It does not even need to have a fixed field order. It does need to log IP addresses and port numbers numerically, not symbolically (e.g. "25", not "smtp"). Read more in the manual page about loginput. Templates for Firewall-1, Stonegate, Cisco PIX and router ACLs, firewallbuilder/iptables and a few more are shipped with the ASDIC distribution. If you encounter a firewall log that cannot be parsed, please let us know.
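The two requirements above (any field order, numeric addresses and ports) are what a loginput template has to express. The parser below is an added example, not ASDIC's loginput syntax or code: it accepts key=value lines in any order, normalises the differently named fields of several log styles to one session tuple, and rejects a line whose port is a symbolic name such as "smtp" or whose address is a host name. The key aliases and all sample lines are constructed for the example.

```python
"""Field-order-independent firewall log parser (added example, not ASDIC's loginput)."""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Key aliases: different log formats name the same field differently. These
# aliases are assumptions for the example, not ASDIC template syntax.
ALIASES = {
    "src": "src", "dst": "dst", "spt": "spt", "dpt": "dpt", "proto": "proto",
    "s_port": "spt", "d_port": "dpt", "service": "dpt",  # Firewall-1-like names
}

KV = re.compile(r"(\w+)=(\S+)")  # one key=value token; empty values (OUT=) are skipped


class Session(NamedTuple):
    proto: str
    src: str
    spt: Optional[int]
    dst: str
    dpt: Optional[int]


def _port(value: Optional[str]) -> Optional[int]:
    """Ports must be decimal numbers in range; 'smtp'-style names are rejected."""
    if value is None:
        return None
    if not value.isdigit() or not 0 <= int(value) <= 65535:
        raise ValueError(f"symbolic or invalid port: {value!r}")
    return int(value)


def parse_line(line: str) -> Session:
    """Parse one log line regardless of field order; raise ValueError on bad fields."""
    fields: Dict[str, str] = {}
    for key, value in KV.findall(line):
        canon = ALIASES.get(key.lower())
        if canon:
            fields[canon] = value
    for need in ("src", "dst"):
        if need not in fields:
            raise ValueError(f"missing {need}: {line!r}")
        ipaddress.ip_address(fields[need])  # raises ValueError for a host name
    return Session(
        proto=fields.get("proto", "?").upper(),
        src=fields["src"], spt=_port(fields.get("spt")),
        dst=fields["dst"], dpt=_port(fields.get("dpt")),
    )


# Constructed sample lines: iptables order, the same keys reordered, a
# Firewall-1-like line, and one that logs the service symbolically.
SAMPLE_LINES = [
    "kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=51234 DPT=25",
    "DPT=443 PROTO=TCP DST=203.0.113.7 SRC=192.0.2.11 SPT=40000",
    "action=drop src=192.0.2.12 dst=198.51.100.9 proto=udp s_port=5353 service=53",
    "SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=51235 DPT=smtp",
]


def parse_all(lines: List[str]) -> Tuple[List[Session], List[Tuple[str, str]]]:
    """Return (sessions, rejects): parsed sessions plus (line, reason) pairs that failed."""
    sessions, rejects = [], []
    for line in lines:
        try:
            sessions.append(parse_line(line))
        except ValueError as e:
            rejects.append((line, str(e)))
    return sessions, rejects


if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_LINES)
    for s in ok:
        print(f"{s.proto} {s.src}:{s.spt} -> {s.dst}:{s.dpt}")
    for line, why in bad:
        print("REJECT", why)
```

Rejected lines are collected rather than dropped silently, which is the behaviour to want when checking whether a new firewall's log can be parsed: a non-empty reject list with "symbolic or invalid port" is exactly the case the FAQ tells you to fix on the firewall side.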

Why does ASDIC not resolve IP addresses with DNS?

Several reasons. DNS is not reliable. An in-addr.arpa lookup may give an arbitrary name controlled by others, and it might change from time to time. Neither is it unique. Furthermore it may be very slow, slowing down the reports. In the case of forensics it also gives away to the intruder that we are aware of the traffic / addresses in question, since the intruder may be watching his own DNS.

Future versions of ASDIC may implement a local host name database to circumvent the issues above.

Why doesn't ASDIC run on Windows/VMS/TOPS20/my favorite OS?

ASDIC requires a dedicated server. You don't run ASDIC on your workstation. On the other hand, you probably need only one ASDIC server for your entire network. Because of this, we don't feel the need to support lots of different operating systems. ASDIC can of course analyze data originating from other OSes such as Windows, as long as it is fed into the system, but the ASDIC engine itself will never run on Windows. You can access ASDIC via the web interface from any computer with a modern web browser.

ASDIC is distributed as closed-source binaries. How can I trust ASDIC?

Don't. Make sure you use other means to protect access both to and from the ASDIC system. As with all other software, there are bugs in ASDIC as well. Limit the traffic to and from the ASDIC system with iptables/firewalls, and protect access to it with Apache authentication over HTTPS, stunnel for syslog, etc.

Are you looking for business partners?

Yes, please contact Ping Research. We are looking for partners selling ASDIC installations as well as traffic analysis services based on the ASDIC system.