Introduction

If you're running a Linux firewall and need fast and reliable logging software, specter is for you. No kernel patches are needed: it works with the standard ipt_ULOG netfilter target module. Being a userspace application, it introduces a much lower security and stability risk than any kernel module. The core is kept simple and clean; specter's power lies in its plugins. You can define not only where the received packet data should go, but also how it should be interpreted. Although the list of standard input and output plugins is wide, writing your own is a trivial task, as the code is thoroughly documented. All of these properties make specter a universal firewall logging utility.

Essential links

If you're not comfortable using Launchpad, you can always send bug reports, suggestions and questions directly to me. Simply drop me a message at michal@trivas.pl.

Download

Compile from stable source

Get specter-1.5.tar.gz and follow the instructions in the INSTALL file.

Debian / Ubuntu

If you're on Debian or Ubuntu all you have to do is:

sudo apt-get install specter specter-mysql specter-pgsql

and you're done. Check the documentation and modify your configuration in /etc/specter.conf.

Compile from latest development source

To check out the latest source, use Bazaar:

bzr branch http://bazaar.launchpad.net/~ruby/specter/trunk

Slackware

The package is somewhat old, but still worth a try: specter-1.4-pre2-i486-1.tgz.

Migrating from ulogd?

Use the ulogd2specter.pl script to convert ulogd configuration files into specter's.

License

Specter is free software, licensed under the GPL. You can use it any way you want, learn from the code, add your own enhancements and pass them on, all for free. The full text of the license is available here.

A bit of history

Specter is based on Harald Welte's ulogd 1.02, but takes a slightly different approach. Its modular structure and highly configurable parameters, combined with netfilter's neat design, give you freedom in setting up your logging facility. You can not only save packets into files or databases, but also do other crazy things, like making your keyboard blink in case of high network traffic (or any other user-defined condition).

Currently it includes two new plugins: EXEC, which executes given commands when a packet is received, and HTTP, which parses HTTP traffic. It also has an extended configuration syntax and the ability to divide packets into many execution blocks. You can learn more by reading the online documentation. Still curious? Read the discussion that followed the first release, which can help you understand some aspects of specter's design and the decisions I've made. If you consider moving from ulogd, there's a script attached to convert your current config into specter's.