From owner-freebsd-questions Thu Nov 9 12:30:24 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from guru.mired.org (okc-27-149-77.mmcable.com [24.27.149.77]) by hub.freebsd.org (Postfix) with SMTP id 35E0037B479 for ; Thu, 9 Nov 2000 12:30:22 -0800 (PST)
Received: (qmail 24150 invoked by uid 100); 9 Nov 2000 20:30:21 -0000
From: Mike Meyer
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <14859.2397.192248.844800@guru.mired.org>
Date: Thu, 9 Nov 2000 14:30:21 -0600 (CST)
To: Phil C
Cc: questions@freebsd.org
Subject: Re: ipfw/database/logging development
In-Reply-To: <50311409@toto.iv>
X-Mailer: VM 6.75 under 21.1 (patch 10) "Capitol Reef" XEmacs Lucid
X-face: "5Mnwy%?j>IIV\)A=):rjWL~NB2aH[}Yq8Z=u~vJ`"(,&SiLvbbz2W`;h9L,Yg`+vb1>RG% *h+%X^n0EZd>TM8_IB;a8F?(Fb"lw'IgCoyM.[Lg#r\
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Phil C types:
> I wanted to initially write a perl script to monitor /var/log/security for
> user-defined ongoings of ipfw. I was then going to use this data in a
> database, which would expire entries after a defined amount of time. The
> database (using MLDBM) could keep track of each IP which, for example, was
> blocked, the port(s) they tried to connect from/to and when... Monitoring scans,
> both immediate and those gradually building over time, would be simplified
> greatly... (on a cable network I find myself under a regular barrage of
> various intrusion attempts etc. ranging from doze-based attempts, like sub7
> scans, to scans of ftp, ssh, portmap etc... ...)
>
> What I am looking for here... is someone to either tell me I am reinventing
> the wheel... a place for good ipfw docs (I am already sub'ed to freebsd-ipfw,
> just in case)... or perhaps a better design method... if you feel there is one.

I'm not exactly sure what you're trying to do, but you didn't name any of the tools I've heard of that do real-time port watching.
I'm not a security guru, but a trip through /usr/ports/security might be worth your while.
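The design Phil describes (parse ipfw deny lines out of /var/log/security, keep a per-source record of which ports were probed and when, expire old records, and flag both fast and slow scans) is sketched below as an added example. It is not code from this thread or from the FreeBSD project; the poster planned a Perl script over an MLDBM database, and this version uses Python with an in-memory dict standing in for the database. It assumes the FreeBSD 4.x ipfw syslog layout (`ipfw: <rule> <action> <proto> <src>[:<sport>] <dst>[:<dport>] <in|out> via <iface>`), supplies the year that syslog stamps lack, and feeds it constructed sample lines (hostname `gw`, documentation-range addresses), none of which are captured traffic.

```python
"""Per-source tracking of ipfw Deny events with time-based expiry.

Added illustration, not code from the thread.  Assumes the FreeBSD 4.x
ipfw syslog line layout; all sample lines are constructed.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts action proto dst dport")

LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"/kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line, year=2000):
    """Return (src_ip, Event) for an ipfw log line, else None.

    syslog stamps carry no year, so the caller supplies one (assumption)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp = "%d %s %s %s" % (year, m["mon"], m["day"], m["time"])
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
    dport = int(m["dport"]) if m["dport"] else None   # ICMP lines have no port
    return m["src"], Event(ts, m["action"], m["proto"], m["dst"], dport)


class ScanTracker:
    """Denied attempts keyed by source address, forgotten after `ttl`."""

    def __init__(self, ttl=timedelta(hours=24)):
        self.ttl = ttl
        self.events = defaultdict(list)        # src ip -> [Event, ...]

    def ingest(self, line):
        """Record the line if it is an ipfw Deny; return True when recorded."""
        parsed = parse_line(line)
        if parsed is None or parsed[1].action != "Deny":
            return False
        self.events[parsed[0]].append(parsed[1])
        return True

    def expire(self, now):
        """Drop events older than ttl, and sources with nothing left."""
        cutoff = now - self.ttl
        for src in list(self.events):
            kept = [e for e in self.events[src] if e.ts >= cutoff]
            if kept:
                self.events[src] = kept
            else:
                del self.events[src]

    def ports_hit(self, src):
        """Distinct destination ports a source was denied on."""
        return sorted({e.dport for e in self.events.get(src, []) if e.dport is not None})

    def suspected_scanners(self, min_ports=3, window=timedelta(minutes=10)):
        """Sources that hit >= min_ports distinct ports inside any `window`.

        Widen `window` (up to ttl) to surface slow scans that spread probes
        over hours or days instead of seconds."""
        flagged = []
        for src, evs in self.events.items():
            evs = sorted((e for e in evs if e.dport is not None), key=lambda e: e.ts)
            lo = 0
            for hi, e in enumerate(evs):
                while evs[lo].ts < e.ts - window:      # slide window start forward
                    lo += 1
                if len({x.dport for x in evs[lo:hi + 1]}) >= min_ports:
                    flagged.append(src)
                    break
        return sorted(flagged)


# Constructed sample: one fast scan of ftp/ssh/portmap plus a ping, one
# accepted connection, one stale deny from the day before, one non-ipfw line.
SAMPLE_LOG = """\
Nov  9 12:30:21 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:4011 10.0.0.5:21 in via fxp0
Nov  9 12:30:23 gw /kernel: ipfw: 300 Deny TCP 192.0.2.10:4012 10.0.0.5:22 in via fxp0
Nov  9 12:30:25 gw /kernel: ipfw: 300 Deny UDP 192.0.2.10:4013 10.0.0.5:111 in via fxp0
Nov  9 12:31:02 gw /kernel: ipfw: 200 Deny ICMP:8.0 192.0.2.10 10.0.0.5 in via fxp0
Nov  9 12:40:10 gw /kernel: ipfw: 100 Accept TCP 198.51.100.7:33000 10.0.0.5:80 in via fxp0
Nov  8 03:15:00 gw /kernel: ipfw: 300 Deny TCP 203.0.113.9:2000 10.0.0.5:22 in via fxp0
Nov  9 12:45:00 gw sshd[123]: Connection closed (not an ipfw line)
"""


def analyze(log_text, now, ttl_hours=24, min_ports=3):
    """Run the tracker over log_text as of `now` ("YYYY-MM-DD HH:MM:SS")."""
    tracker = ScanTracker(ttl=timedelta(hours=ttl_hours))
    recorded = sum(tracker.ingest(line) for line in log_text.splitlines())
    tracker.expire(datetime.strptime(now, "%Y-%m-%d %H:%M:%S"))
    return {
        "recorded": recorded,
        "tracked": sorted(tracker.events),
        "ports": {src: tracker.ports_hit(src) for src in tracker.events},
        "scanners": tracker.suspected_scanners(min_ports=min_ports),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG, "2000-11-09 13:00:00"))
```

Run against a live /var/log/security the same way, with `now` taken from the clock; the sliding window in `suspected_scanners` is what separates a burst scan from a slow one, and `expire` is the part the poster wanted the database to do for him.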