From owner-freebsd-security Wed Apr 25 20:30:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from caerulus.cerintha.com (caerulus.cerintha.com [207.18.92.26]) by hub.freebsd.org (Postfix) with ESMTP id 9B56D37B422 for ; Wed, 25 Apr 2001 20:30:14 -0700 (PDT) (envelope-from scheidell@Cerintha.com)
Received: (from scheidell@localhost) by caerulus.cerintha.com (8.11.3/8.11.3) id f3Q3UE950845; Wed, 25 Apr 2001 23:30:14 -0400 (EDT)
Date: Wed, 25 Apr 2001 23:30:14 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104260330.f3Q3UE950845@caerulus.cerintha.com>
To: freebsd-security@freebsd.org
Subject: Re: Connection attempts (& active ids)
In-Reply-To: <200104260318.XAA16168@khavrinen.lcs.mit.edu>
References: <200104260303.f3Q33CK49974@caerulus.cerintha.com> <200104260318.XAA16168@khavrinen.lcs.mit.edu>
Reply-To: scheidell@fdma.com
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In local.freebsd.security, you wrote:
>day responding to IDS alerts, port scans, address scans, and such
>like, or I could put real effort into ensuring that the

What if you could 'set and forget': have a perl script that uploads IDENTIFIED attacks to a central location? That central location would match up that attacker's ip to others (like about 100 active ones right now).

What if that central location could trigger an email with logs sent to the isp or admin responsible for that ip address? Hey, wouldn't YOU want to know if a system on YOUR network got rooted? I suspect the first thing it would do was to scan its local class c.

What if you could just look at a summary, every now and then, and see how you were doing? Of course you wouldn't need to, but you could, either a summary log file or the web page. See if these attacks are directed against YOU only (only one reporting such ip address) or others?

What if it didn't cost anything?

Don't have portsentry logs parsed, but do have ipfw logs supported (and ipchains and iptables on 'deadhat') and cisco ios logs as well. Perl script, GPL license. Free. Launch it with a shell script in /usr/local/etc/rc.d.

Right now, mynetwatchman is getting about a 30% response rate from those attacked. Most tell him that their system was rootkitted (redhat 6.2 mostly); most thank him for letting them know, because now at least THAT system isn't being used by God knows who, sitting ready for who knows what.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
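As an added example, and not the perl script or mynetwatchman's code discussed in the post, here is a small Python sketch of the pieces the post describes: pull inbound Deny lines out of an ipfw syslog, summarise per source address which local hosts and ports it hit and whether it looks like a sweep of the local class C, and merge reports from several sites so a given address can be checked for "only me" versus "seen elsewhere too". The log lines and the other sites' reports are constructed for the example; the line layout assumed is the FreeBSD 4.x style `ipfw: <rule> <Action> <PROTO> <src>:<port> <dst>:<port> in via <iface>` (ICMP lines carry no ports and are skipped here), and the scan threshold is an arbitrary choice.

```python
"""Parse ipfw syslog lines, summarise attackers, correlate across reporters.
Added example; all sample data below is constructed, not from a real system."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed FreeBSD 4.x ipfw syslog layout for TCP/UDP:
#   "... /kernel: ipfw: 65000 Deny TCP 203.0.113.7:3122 192.0.2.10:22 in via fxp0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Constructed sample log: one host sweeping port 22 across the local /24,
# one host probing several ports on a single box, an ICMP line (no ports,
# skipped by the regex) and an outbound Accept (ignored as not an attack).
SAMPLE_LOG = [
    "Apr 25 23:10:01 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:3122 192.0.2.10:22 in via fxp0",
    "Apr 25 23:10:02 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:3123 192.0.2.11:22 in via fxp0",
    "Apr 25 23:10:03 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:3124 192.0.2.12:22 in via fxp0",
    "Apr 25 23:10:04 gw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:3125 192.0.2.13:22 in via fxp0",
    "Apr 25 23:11:10 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:40000 192.0.2.10:111 in via fxp0",
    "Apr 25 23:11:11 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:40001 192.0.2.10:515 in via fxp0",
    "Apr 25 23:11:12 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.9:40002 192.0.2.10:21 in via fxp0",
    "Apr 25 23:12:00 gw /kernel: ipfw: 100 Deny ICMP:8.0 203.0.113.7 192.0.2.10 in via fxp0",
    "Apr 25 23:12:30 gw /kernel: ipfw: 200 Accept TCP 192.0.2.10:54321 198.51.100.1:80 out via fxp0",
]

# Constructed "central location" view: what two other reporters have sent in.
OTHER_SITES = {
    "site-b": {"203.0.113.7"},
    "site-c": {"203.0.113.7", "198.51.100.200"},
}


def parse_ipfw(lines):
    """Return one event per inbound Deny line for TCP/UDP; everything else is skipped."""
    events = []
    for line in lines:
        m = IPFW_RE.search(line)
        if not m or m["action"] != "Deny" or m["dir"] != "in":
            continue
        events.append({"src": m["src"], "dst": m["dst"],
                       "dport": int(m["dport"]), "proto": m["proto"]})
    return events


def summarize(events, local_net, scan_threshold=3):
    """Per source address: hit count, distinct local targets and ports, and a
    'scan' flag when it touched at least scan_threshold distinct local hosts
    (the 'scan its local class c' pattern the post mentions)."""
    net = ip_network(local_net)
    per_src = defaultdict(lambda: {"hits": 0, "targets": set(), "ports": set()})
    for ev in events:
        if ip_address(ev["dst"]) not in net:
            continue  # only count traffic aimed at our own network
        rec = per_src[ev["src"]]
        rec["hits"] += 1
        rec["targets"].add(ev["dst"])
        rec["ports"].add(ev["dport"])
    for rec in per_src.values():
        rec["scan"] = len(rec["targets"]) >= scan_threshold
    return dict(per_src)


def correlate(reports):
    """reports: {reporter: iterable of attacker IPs}. Returns
    {attacker: sorted list of reporters that saw it}, i.e. the central match-up."""
    seen = defaultdict(set)
    for reporter, attackers in reports.items():
        for ip in attackers:
            seen[ip].add(reporter)
    return {ip: sorted(r) for ip, r in seen.items()}


def only_me(attacker, correlated, me):
    """True when nobody but 'me' has reported this address (directed at YOU only)."""
    return correlated.get(attacker, []) == [me]


def demo(me="me", local_net="192.0.2.0/24"):
    """Run the whole pipeline on the constructed data and return (summary, correlated)."""
    summary = summarize(parse_ipfw(SAMPLE_LOG), local_net)
    reports = dict(OTHER_SITES)
    reports[me] = set(summary)
    return summary, correlate(reports)


if __name__ == "__main__":
    summary, correlated = demo()
    for src, rec in summary.items():
        tag = "SCAN" if rec["scan"] else "targeted"
        print(f"{src}: {rec['hits']} hits, {len(rec['targets'])} hosts, "
              f"ports {sorted(rec['ports'])}, {tag}, seen by {correlated[src]}")
```

Feeding real syslog output through `parse_ipfw` is just a matter of reading the file instead of `SAMPLE_LOG`; the `only_me` check is what the post's "only one reporting such ip address" summary boils down to once several sites' reports are merged.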