Date:      Fri, 18 Jun 2004 12:41:03 +0200
From:      Remko Lodder <remko@elvandar.org>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        Uwe Kolsch <uwe.kolsch@wax.co.uk>
Subject:   Re: IPFW log results analysis
Message-ID:  <40D2C6BF.2030505@elvandar.org>
In-Reply-To: <20040618103345.GA18531@orion.daedalusnetworks.priv>
References:  <LMEHIFLKDJOKILNLEFHPMEJAGEAA.uwe.kolsch@wax.co.uk> <20040618103345.GA18531@orion.daedalusnetworks.priv>

Jow,

Giorgos Keramidas wrote:

> On 2004-06-18 10:43, Uwe Kolsch <uwe.kolsch@wax.co.uk> wrote:
> 
>>Is there a tool for FBSD like logwatch on Linux, which can provide a detailed
>>but still somehow summarized output based on the logging results of IPFW? I mean
>>more detailed than this from the daily security run:
>>
>>
>>>02010    557     48486 deny log ip from any to any out
>>>10000   1026     49716 deny ip from any to any in setup
>>>10003   3859    828227 deny ip from any to any in
>>
>>... and more like this.
> 
> 
> You can always write your own shell scripts to parse ipfw logs ;-)
> 
> I haven't heard of any summarizing tools, but if you feel that scripting
> your own is too much it shouldn't be too hard to roll a few custom
> scripts if you tell me what you're looking for in such a report.


You can send your daily logs to dshield.org and they will give a daily 
overview of what you send. They will use your information to do 
'distributed IDS'. That means if you get port probed and the person 
doing that hits your network and other networks regularly, there will be 
a warning sent out to the ISP that this person is being very abusive.

I use it myself, giving a match on my external interface and it will 
send just that.

Perhaps you can view their script (Perl) and adapt it to create the 
summary yourself.

> 
> - Giorgos

Cheers

-- 
Kind regards,

Remko Lodder                   |remko@elvandar.org
Reporter DSINet                |remko@dsinet.org
Projectleader Mostly-Harmless  |remko@mostly-harmless.nl
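A minimal version of the "roll your own script" approach Giorgos suggests, added here as an example and not part of the original thread or of any DShield code. The log lines are constructed, and the field positions assume the ipfw syslog format `ipfw: <rule> <action> <proto> <src[:port]> <dst[:port]> <in|out> via <iface>`; per-source counts with many distinct destination ports are the port-probe pattern Remko mentions.

```sh
#!/bin/sh
# Constructed sample of ipfw log lines as they appear in /var/log/security
# (no real traffic; addresses are documentation ranges).
IPFW_SAMPLE='Jun 18 10:01:02 gw kernel: ipfw: 10003 Deny TCP 192.0.2.10:4321 198.51.100.5:22 in via fxp0
Jun 18 10:01:05 gw kernel: ipfw: 10003 Deny TCP 192.0.2.10:4322 198.51.100.5:23 in via fxp0
Jun 18 10:01:09 gw kernel: ipfw: 10000 Deny TCP 203.0.113.7:51234 198.51.100.5:22 in via fxp0
Jun 18 10:02:00 gw kernel: ipfw: 02010 Deny UDP 198.51.100.5:53 192.0.2.53:53 out via fxp0
Jun 18 10:02:30 gw kernel: ipfw: 10003 Deny ICMP:8.0 192.0.2.10 198.51.100.5 in via fxp0
Jun 18 10:03:00 gw kernel: ipfw: 10003 Deny TCP 192.0.2.10:4323 198.51.100.5:25 in via fxp0'

# Hits per rule and action, read from stdin; the same numbers the daily
# security run prints, but derived from the log itself.
# Fields: $6="ipfw:" $7=rule $8=action $9=proto $10=src $11=dst $12=direction
ipfw_rule_counts() {
    awk '$6 == "ipfw:" { c[$7 " " $8]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Inbound denies per source address: "<hits> <address> <distinct dst ports>".
# A source with a high port count across few hits looks like a port probe;
# ICMP (no port) is counted under "-".
ipfw_top_sources() {
    awk '$6 == "ipfw:" && $8 == "Deny" && $12 == "in" {
             split($10, s, ":"); sip = s[1]
             m = split($11, d, ":"); dport = (m > 1) ? d[m] : "-"
             hits[sip]++
             if (!((sip, dport) in seen)) { seen[sip, dport] = 1; nports[sip]++ }
         }
         END { for (ip in hits) print hits[ip], ip, nports[ip] }' | sort -rn
}

# Stand-alone run over the constructed sample; pipe a real log instead of
# IPFW_SAMPLE to use it on a system.
echo "== hits per rule =="
printf '%s\n' "$IPFW_SAMPLE" | ipfw_rule_counts
echo "== inbound denies per source (hits, address, distinct ports) =="
printf '%s\n' "$IPFW_SAMPLE" | ipfw_top_sources
```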


