From owner-freebsd-security Fri Jun 27 09:17:02 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id JAA29702 for security-outgoing; Fri, 27 Jun 1997 09:17:02 -0700 (PDT)
Received: from cs.iastate.edu (cs.iastate.edu [129.186.3.1]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA29695 for ; Fri, 27 Jun 1997 09:17:00 -0700 (PDT)
Received: from domino.cs.iastate.edu (domino.cs.iastate.edu [129.186.3.92]) by cs.iastate.edu (8.8.5/8.7.1) with ESMTP id LAA05629; Fri, 27 Jun 1997 11:16:52 -0500 (CDT)
Received: from localhost (ghelmer@localhost) by domino.cs.iastate.edu (8.8.5/8.7.1) with SMTP id LAA14536; Fri, 27 Jun 1997 11:16:50 -0500 (CDT)
X-Authentication-Warning: domino.cs.iastate.edu: ghelmer owned process doing -bs
Date: Fri, 27 Jun 1997 11:16:48 -0500 (CDT)
From: Guy Helmer
Reply-To: Guy Helmer
To: chas
cc: security@FreeBSD.ORG
Subject: Re: how can we monitor in real time ? (was Re: probing from jrc-5-104.tm.net.my)
In-Reply-To: <3.0.32.19970627224059.009cece0@mail.tm.net.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 27 Jun 1997, chas wrote:

> I sent along a bit of info on this one earlier but it
> did prompt me to wonder :
>
> "how can we check for this info (and DoS attacks or
> similar) in real time rather than afterwards in log files ?
> is there any software that can be configured to monitor
> your server and shout when it is possibly coming under
> attack ?"

A simple method would be to log ipfw and tcp-wrappers (after having wrapped
all TCP services in /etc/inetd.conf) messages, then use swatch (monitors logs
using a given ruleset in real time; available as a port) to
mail/page/shout/whatever when something unusual starts happening.

[FreeBSD on a system with a soundcard and the rsynth port could make an
amusing firewall -- one could have it shout "Help me! I'm under attack from
xxx.yyy.zzz.www!" during a demonstration to pointy-haired managers]

More sophisticated intrusion detectors have been researched (see
http://www.cs.purdue.edu/coast/intrusion-detection/ids.html) but I didn't
notice any that were freely available and useful for FreeBSD systems.

Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu
Iowa State University                         http://www.cs.iastate.edu/~ghelmer
Ames, Iowa, USA                               42 01'12"N, 93 40'23"W
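The approach Guy describes (log ipfw denies and tcp_wrappers refusals, then have a swatch-style watcher fire an action when a ruleset matches) can be illustrated with a small standalone script. This is an added example, not code from the post or from the swatch port; the log lines are constructed to approximate the format of FreeBSD ipfw "Deny" kernel messages and tcp_wrappers "refused connect" messages, and the rule names, thresholds and the `scan()` function are this example's own choices. It adds the two things a practitioner wants beyond a bare pattern match: a per-source count over a sliding window (so one stray deny does not page anyone, but a burst of denies from one address does) and a swatch-like throttle so the same source does not re-alert every second.

```python
import re
import sys
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the original post). They approximate
# FreeBSD ipfw "Deny" kernel messages and a tcp_wrappers "refused connect" line.
SAMPLE_LOG = """\
Jun 27 11:10:01 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3456 203.0.113.5:23 in via ed0
Jun 27 11:10:01 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3457 203.0.113.5:25 in via ed0
Jun 27 11:10:02 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3458 203.0.113.5:110 in via ed0
Jun 27 11:10:02 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3459 203.0.113.5:143 in via ed0
Jun 27 11:10:03 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:3460 203.0.113.5:21 in via ed0
Jun 27 11:10:05 gw telnetd[1234]: refused connect from 192.0.2.10
Jun 27 11:12:00 gw /kernel: ipfw: 65000 Deny UDP 198.51.100.7:514 203.0.113.5:514 in via ed0
Jun 27 11:30:00 gw /kernel: ipfw: 65000 Deny TCP 192.0.2.10:4000 203.0.113.5:22 in via ed0
"""

WINDOW_SECONDS = 60      # count events per source over this sliding window
THRESHOLD = 5            # alert once a source reaches this many denies in the window
THROTTLE_SECONDS = 600   # swatch-style throttle: re-alert for one source at most this often

# Ruleset (names and thresholds are this example's assumptions, not swatch syntax):
# (rule name, pattern with a 'src' group naming the remote address, events-per-window threshold)
RULES = [
    ("ipfw_deny",
     re.compile(r"ipfw: \d+ Deny \w+ (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+"), THRESHOLD),
    ("tcpwrap_refused",
     re.compile(r"refused connect from (?P<src>\S+)"), 1),
]

# Classic syslog timestamp: "Jun 27 11:10:01" (no year; we assume all lines share one year)
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")


def parse_ts(line):
    """Return (raw timestamp string, datetime) for a syslog line, or None if it has no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    raw = m.group("ts")
    return raw, datetime.strptime(raw, "%b %d %H:%M:%S")


def scan(lines, rules=RULES, window=WINDOW_SECONDS, throttle=THROTTLE_SECONDS):
    """Run the ruleset over log lines; return a list of (timestamp, rule, source, hits_in_window)."""
    recent = defaultdict(deque)   # (rule, src) -> timestamps of matches still inside the window
    last_alert = {}               # (rule, src) -> time of the last alert we raised for it
    alerts = []
    for line in lines:
        parsed = parse_ts(line)
        if parsed is None:
            continue
        raw_ts, ts = parsed
        for name, pattern, threshold in rules:
            m = pattern.search(line)
            if not m:
                continue
            key = (name, m.group("src"))
            hits = recent[key]
            hits.append(ts)
            # Slide the window: drop matches older than `window` seconds before this one.
            while (ts - hits[0]).total_seconds() > window:
                hits.popleft()
            if len(hits) >= threshold:
                prev = last_alert.get(key)
                if prev is None or (ts - prev).total_seconds() >= throttle:
                    last_alert[key] = ts
                    alerts.append((raw_ts, name, key[1], len(hits)))
    return alerts


def notify(alert):
    """Stand-in for swatch's mail/page/exec action: print one line per alert."""
    ts, rule, src, hits = alert
    print(f"{ts} ALERT {rule}: {hits} hit(s) from {src} within {WINDOW_SECONDS}s")


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; with "-", read a live feed from stdin,
    # e.g.  tail -f /var/log/messages | python3 watcher.py -
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_LOG.splitlines()
    for a in scan(source):
        notify(a)
```

On the sample above the watcher raises exactly two alerts: one when 192.0.2.10 reaches five denies within the 60-second window at 11:10:03, and one for the tcp_wrappers refusal (threshold 1). The single UDP deny from 198.51.100.7 and the lone deny from 192.0.2.10 at 11:30 stay below threshold, which is the point of counting per source over a window rather than alerting on every deny line.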