From owner-freebsd-security Fri Jun 27 11:33:45 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA06322 for security-outgoing; Fri, 27 Jun 1997 11:33:45 -0700 (PDT)
Received: from mailbox.nosc.mil (mailbox.nosc.mil [198.253.27.40]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA06315 for ; Fri, 27 Jun 1997 11:33:43 -0700 (PDT)
Received: from localhost (swann@localhost) by mailbox.nosc.mil (8.8.3/8.8.3) with SMTP id NAA03759; Fri, 27 Jun 1997 13:31:33 -0400 (EDT)
X-Authentication-Warning: mailbox.nosc.mil: swann owned process doing -bs
Date: Fri, 27 Jun 1997 13:31:32 -0400 (EDT)
From: Bryan Swann
X-Sender: swann@mailbox
To: chas
cc: security@FreeBSD.ORG
Subject: Re: how can we monitor in real time ? (was Re: probing from jrc-5-104.tm.net.my)
In-Reply-To: <3.0.32.19970627224059.009cece0@mail.tm.net.my>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

There is a tool I tried at one time called swatch. It would monitor a log file and perform an action based on information contained in the log. It is not that pretty, but you could configure it to send email or call other programs that could potentially page you.

__________________________________________________________________________
| Bryan Swann (swann@nosc.mil)     803/974-4267    803/974-5080 (Fax)    |
| Eagan McAllister Associates, Inc.                                      |
|                                                                        |
| "Everything must be working perfectly, cause I don't smell any smoke"  |
--------------------------------------------------------------------------

On Fri, 27 Jun 1997, chas wrote:

> I sent along a bit of info on this one earlier but it
> did prompt me to wonder :
>
> "how can we check for this info (and DoS attacks or
> similar) in real time rather than afterwards in log files ?
> is there any software that can be configured to monitor
> your server and shout when it is possibly coming under
> attack ?"
>
> Thank you very much,
>
> chas
>
>
>
> >>Anyone know anything about this host ?
> >>
> >>Name:    jrc-5-104.tm.net.my
> >>Address: 202.188.5.104
> >>
> >>I noticed it probing ports in ipfw's logs.
> >>
> >>abbreviations: X = 202.188.5.104 Y = myhost Z = myhost
> >>
> >>Jun 25 04:07:15 Z /kernel: ipfw: limit reached on rule #2600
> >>
> >>
> >>
> >>--
> >>Rob Hartill                    Internet Movie Database (Ltd)
> >>http://www.moviedatabase.com/  .. a site for sore eyes.
> >>
> >>
>
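The swatch-style monitoring Bryan describes, applied to the ipfw deny lines quoted in the thread, as an added example that is not part of the original thread and not swatch's own code: it parses each deny line and raises one alert when a source hits ten distinct destination ports within five seconds. The hostnames, addresses and the threshold/window values are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Matches the ipfw deny format quoted in the thread:
# "Jun 25 04:07:12 host /kernel: ipfw: 2600 Deny TCP SRC:SPORT DST:DPORT via de0"
IPFW_DENY = re.compile(
    r"^\w{3}\s+\d+ (?P<hms>\d\d:\d\d:\d\d) \S+ /kernel: ipfw: \d+ Deny "
    r"\w+ (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) via \S+$")

def parse_deny(line):
    """(seconds_of_day, src, dst, dport) for a deny line, else None; syslog stamps have no year."""
    m = IPFW_DENY.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group("hms").split(":"))
    return h * 3600 + mi * 60 + s, m.group("src"), m.group("dst"), int(m.group("dport"))

class SweepDetector:
    """Alert once per source that hits >= threshold distinct ports within window seconds."""
    def __init__(self, threshold=10, window=5):
        self.threshold, self.window = threshold, window
        self.recent = defaultdict(deque)   # src -> deque of (t, dport), oldest first
        self.alerted = set()

    def feed(self, line):
        """Consume one log line; return an alert string or None (what swatch would act on)."""
        rec = parse_deny(line)
        if rec is None:
            return None                    # not an ipfw deny line: ignore
        t, src, dst, dport = rec
        q = self.recent[src]
        q.append((t, dport))
        while q and t - q[0][0] > self.window:
            q.popleft()                    # expire hits older than the window
        ports = {p for _, p in q}
        if len(ports) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)          # act once per source, not once per line
            return f"port sweep: {src} -> {dst}, {len(ports)} ports in {self.window}s"
        return None

# Constructed sample in the thread's log shape (documentation addresses): 12 sequential-port denies in one second.
SAMPLE = [f"Jun 25 04:07:12 gw /kernel: ipfw: 2600 Deny TCP 192.0.2.1:{1420 + p} "
          f"198.51.100.7:{p} via de0" for p in range(2, 14)]

def scan_lines(lines, threshold=10, window=5):
    """Run lines through one detector; returns the alert strings it raised."""
    det = SweepDetector(threshold, window)
    return [alert for alert in map(det.feed, lines) if alert]
```

For live use, feed lines from a tail -f style reader of the syslog file into SweepDetector.feed and replace the returned string with a mail or pager call. Note that the "limit reached on rule #2600" line above means ipfw stopped logging that rule, so the detector has to fire before the per-rule log limit is exhausted.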