Date: Fri, 27 Jun 1997 11:16:48 -0500 (CDT)
From: Guy Helmer <ghelmer@cs.iastate.edu>
To: chas <sweeting@tm.net.my>
Cc: security@FreeBSD.ORG
Subject: Re: how can we monitor in real time ? (was Re: probing from jrc-5-104.tm.net.my)
Message-ID: <Pine.HPP.3.96.970627104900.28536A-100000@domino.cs.iastate.edu>
In-Reply-To: <3.0.32.19970627224059.009cece0@mail.tm.net.my>
On Fri, 27 Jun 1997, chas wrote:

> I sent along a bit of info on this one earlier but it
> did prompt me to wonder :
>
> "how can we check for this info (and DoS attacks or
> similar) in real time rather than afterwards in log files ?
> is there any software that can be configured to monitor
> your server and shout when it is possibly coming under
> attack ?"

A simple method would be to log ipfw and tcp-wrappers (after having wrapped all TCP services in /etc/inetd.conf) messages, then use swatch (monitors logs using a given ruleset in real time; available as a port) to mail/page/shout/whatever when something unusual starts happening.

[FreeBSD on a system with a soundcard and the rsynth port could make an amusing firewall -- one could have it shout "Help me! I'm under attack from xxx.yyy.zzz.www!" during a demonstration to pointy-haired managers]

More sophisticated intrusion detectors have been researched (see http://www.cs.purdue.edu/coast/intrusion-detection/ids.html) but I didn't notice any that were freely available and useful for FreeBSD systems.

Guy Helmer, Computer Science Graduate Student - ghelmer@cs.iastate.edu
Iowa State University http://www.cs.iastate.edu/~ghelmer
Ames, Iowa, USA 42 01'12"N, 93 40'23"W
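An added illustration of the approach described above, not part of the original message or of swatch itself: a small Python script that does what a swatch ruleset would do, reading syslog lines and alerting on tcp-wrappers refusals at once and on a burst of ipfw denies from one source. The log lines are constructed to approximate the ipfw and tcpd syslog formats; the host name, addresses, thresholds, and the log path in the usage note are all assumptions.

```python
"""Minimal swatch-style monitor: scan syslog lines for ipfw denies and
tcp-wrappers refusals, alert on a burst from one source address."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog lines approximating ipfw kernel logging and tcpd
# refusals; they were not captured from a real system.
SAMPLE_LOG = """\
Jun 27 10:49:01 gw /kernel: ipfw: 100 Deny TCP 10.1.2.3:4021 192.0.2.10:23 in via ed0
Jun 27 10:49:02 gw /kernel: ipfw: 100 Deny TCP 10.1.2.3:4022 192.0.2.10:25 in via ed0
Jun 27 10:49:02 gw /kernel: ipfw: 100 Deny TCP 10.1.2.3:4023 192.0.2.10:79 in via ed0
Jun 27 10:49:03 gw /kernel: ipfw: 100 Deny TCP 10.1.2.3:4024 192.0.2.10:110 in via ed0
Jun 27 10:49:03 gw /kernel: ipfw: 100 Deny TCP 10.1.2.3:4025 192.0.2.10:111 in via ed0
Jun 27 10:49:10 gw telnetd[2031]: refused connect from 10.1.2.3
Jun 27 10:52:00 gw /kernel: ipfw: 100 Deny UDP 198.51.100.7:53 192.0.2.10:53 in via ed0
Jun 27 10:52:40 gw sendmail[2040]: connect from 203.0.113.9
"""

SYSLOG_TS = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
# Source address is the first address after the rule number and protocol;
# the port suffix is optional so ICMP lines (no port) also match.
IPFW_DENY = re.compile(r"ipfw: \d+ Deny \S+ (\d+\.\d+\.\d+\.\d+)(?::\d+)? ")
TCPD_REFUSED = re.compile(r"refused connect from (\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Return (timestamp, source_ip, kind) for a line of interest, else None.
    kind is 'ipfw_deny' or 'tcpd_refused'."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    rest = m.group(2)
    d = IPFW_DENY.search(rest)
    if d:
        return ts, d.group(1), "ipfw_deny"
    r = TCPD_REFUSED.search(rest)
    if r:
        return ts, r.group(1), "tcpd_refused"
    return None


def scan(lines, threshold=5, window_seconds=30):
    """Two swatch-style rules: alert at once on any tcpd refusal, and alert
    when one source reaches `threshold` ipfw denies inside a sliding window
    of `window_seconds`. Each (source, rule) pair fires once, so a flood of
    denies does not also flood the pager."""
    recent = defaultdict(deque)   # source -> timestamps of recent ipfw denies
    fired = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, kind = parsed
        if kind == "tcpd_refused":
            key = (src, "tcpd_refused")
            if key not in fired:
                fired.add(key)
                alerts.append(f"{ts:%b %d %H:%M:%S} tcpd refused connection from {src}")
            continue
        q = recent[src]
        q.append(ts)
        # Drop denies that fell out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        key = (src, "ipfw_burst")
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append(f"{ts:%b %d %H:%M:%S} {len(q)} ipfw denies from {src} "
                          f"in {window_seconds}s")
    return alerts


def notify(message):
    """Delivery hook: print here; swatch would mail, page, or ring the bell."""
    print("ALERT:", message)


if __name__ == "__main__":
    import sys
    # With no piped input, run over the constructed sample instead.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for alert in scan(source):
        notify(alert)
```

Run it with no input to see the two alerts the sample produces, or feed it live with `tail -f /var/log/messages | python monitor.py` (the log path is an assumption and depends on where syslog.conf sends kernel and daemon messages). The per-source sliding window is what keeps a single denied packet from paging anyone while a scan across many ports, like the one quoted at the top of the thread, still does.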