Date: Wed, 25 Apr 2001 23:30:14 -0400 (EDT)
From: Michael S Scheidell <scheidell@Cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts (& active ids)
Message-ID: <200104260330.f3Q3UE950845@caerulus.cerintha.com>
In-Reply-To: <200104260318.XAA16168@khavrinen.lcs.mit.edu>
References: <Pine.BSF.4.31.0104252147260.8017-100000@achilles.silby.com> <200104260303.f3Q33CK49974@caerulus.cerintha.com> <200104260318.XAA16168@khavrinen.lcs.mit.edu>
In local.freebsd.security, you wrote:
>day responding to IDS alerts, port scans, address scans, and such
>like, or I could put real effort into ensuring that the

What if you could 'set and forget': have a perl script that uploads IDENTIFIED attacks to a central location?

That central location would match up that attacker's ip to others (like about 100 active ones right now).

What if that central location could trigger an email with logs sent to the isp or admin responsible for that ip address?

Hey, wouldn't YOU want to know if a system on YOUR network got rooted? I suspect the first thing it would do would be to scan its local class c.

What if you could just look at a summary, every now and then, and see how you were doing? Of course you wouldn't need to, but you could, either a summary log file or the web page. See if these attacks are directed against YOU only (only one reporting such ip address) or others?

What if it didn't cost anything?

Doesn't have portsentry logs parsed, but does have ipfw logs supported (and ipchains and iptables on 'deadhat') and cisco ios logs as well. Perl script, GPL license. Free. Launch it with a shell script in /usr/local/etc/rc.d.

Right now, mynetwatchman is getting about a 30% response rate from those attacked. Most tell him that their system was rootkitted (redhat 6.2 mostly). Most thank him for letting them know, because now at least THAT system isn't being used by God knows who, sitting ready for who knows what.
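As an added illustration (not the GPL perl script the message describes, and not part of the original thread), here is a Python sketch of the two steps it outlines: parsing ipfw Deny lines out of syslog and correlating source addresses across several reporting sites so you can tell "attacking only me" from "attacking many". The log lines, reporter names and addresses are constructed sample data in the FreeBSD 4.x ipfw syslog format.

```python
import re
from collections import defaultdict

# Constructed sample ipfw syslog lines from two hypothetical reporting sites.
# Format assumed: "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <if>"
SAMPLE_LOGS = {
    "reporter-a": [
        "Apr 25 22:01:03 gw /kernel: ipfw: 100 Deny TCP 203.0.113.7:4123 192.0.2.10:111 in via fxp0",
        "Apr 25 22:01:04 gw /kernel: ipfw: 100 Deny TCP 203.0.113.7:4124 192.0.2.11:111 in via fxp0",
        "Apr 25 22:05:19 gw /kernel: ipfw: 100 Deny TCP 198.51.100.4:1025 192.0.2.10:22 in via fxp0",
        "Apr 25 22:07:00 gw /kernel: ipfw: 200 Accept TCP 192.0.2.50:3000 192.0.2.10:80 in via fxp0",
    ],
    "reporter-b": [
        "Apr 25 23:10:41 fw /kernel: ipfw: 100 Deny TCP 203.0.113.7:4200 10.1.1.2:111 in via xl0",
        "Apr 25 23:11:02 fw /kernel: ipfw: 100 Deny UDP 203.0.113.7:4201 10.1.1.3:111 in via xl0",
    ],
}

IPFW_RE = re.compile(
    r"ipfw: \d+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

def parse_denies(lines):
    """Return (src_ip, dst_ip, dport) for every ipfw Deny line; Accept lines are skipped."""
    out = []
    for line in lines:
        m = IPFW_RE.search(line)
        if m and m.group("action") == "Deny":
            out.append((m.group("src"), m.group("dst"), int(m.group("dport"))))
    return out

def correlate(reports):
    """The 'central location' step: merge all reporters' denies, keyed by source IP."""
    seen = defaultdict(lambda: {"reporters": set(), "hits": 0, "targets": set()})
    for reporter, lines in reports.items():
        for src, dst, _dport in parse_denies(lines):
            entry = seen[src]
            entry["reporters"].add(reporter)   # which sites saw this source
            entry["hits"] += 1                 # total denied packets
            entry["targets"].add(dst)          # distinct hosts probed (class-c sweep hint)
    return dict(seen)

def summary(reports):
    """One line per source, flagging whether more than one site reported it."""
    rows = []
    for src, e in sorted(correlate(reports).items()):
        scope = "multiple sites" if len(e["reporters"]) > 1 else "this site only"
        rows.append(f"{src}: {e['hits']} hits, {len(e['targets'])} hosts, {scope}")
    return rows
```

Feeding real ipfw logs through `parse_denies` and aggregating with `correlate` gives the same per-attacker view the message describes, without any packets leaving your network until you decide to report.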