From owner-freebsd-security Tue Jun 5 8:22:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id 37F9937B401 for ; Tue, 5 Jun 2001 08:22:14 -0700 (PDT) (envelope-from scheidell@fdma.com)
Received: from MIKELT (mikelt.fdma.lan [10.1.1.40]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f55FM3P05600 for ; Tue, 5 Jun 2001 11:22:03 -0400 (EDT)
Message-ID: <007b01c0edd3$45ebaf50$2801010a@fdma.com>
From: "Michael Scheidell"
Subject: Re: security log file parser / ids
Date: Tue, 5 Jun 2001 11:22:02 -0400
Organization: Florida Datamation, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Heimes, Rene" wrote in message news:F54B610C5BFDE546BBA2F6CC595ACC75084958@Exchange2000.com-con.ag...
> hiho!
>
> I am searching for a parser that parses security logs from ipfw-made up
> logs. Anyone got a hint?
> (btw: what about ipfw firewalls - outdated? What would be better?
> ipchains? help!)

Depends on what you want to do with it.

I do a 'tail -3 /var/log/ipfw.log' every morning, just to see anything interesting.

I also use the perl agent for Mynetwatchman. It watches ipfw, cisco ios, and specific stuff I pass it from tcpwrapper and sends it to www.mynetwatchman.com (they autolart the isp on certain events, like lion/cheeze worm scans, rpc scans, or if they detect the same scanning ip from several different locations).

I then go to their site, select 'attacks reported today' and see if they are just hitting my site, or it's a generic script scanner.
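A small parser for the kind of ipfw syslog lines the 'tail -3 /var/log/ipfw.log' check above would show, as an added example that is not part of this thread and not the Mynetwatchman perl agent. It is written in Python rather than Perl, and it assumes the classic FreeBSD ipfw syslog line shape (`ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] in|out via <iface>`); the log lines, hostnames and addresses are constructed. It answers the "just hitting my site or a generic script scanner?" question locally by grouping denied packets per source address and flagging sources that touched many distinct destination ports (the rpc port 111 probe in the sample shows up as a single-port event, not a scan).

```python
"""Parse FreeBSD ipfw syslog lines and summarize denied traffic per source."""
import re
from collections import defaultdict

# Assumed line format (the post names ipfw but shows no sample line):
#   ipfw: <rule> <action> <proto> <src>[:<port>] <dst>[:<port>] <in|out> via <iface>
# ICMP lines carry "ICMP:<type>.<code>" as the protocol and no ports.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>\w+)\s+(?P<proto>[A-Za-z]+(?::[\d.]+)?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s+"
    r"(?P<direction>in|out)\s+via\s+(?P<iface>\S+)"
)

# Constructed sample: one source walking several ports, one accepted ssh
# login, one host sending a ping plus an rpc probe, and one non-ipfw line.
SAMPLE_LOG = """\
Jun  5 08:21:40 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4021 198.51.100.2:21 in via fxp0
Jun  5 08:21:41 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4022 198.51.100.2:22 in via fxp0
Jun  5 08:21:41 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4023 198.51.100.2:23 in via fxp0
Jun  5 08:21:42 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4024 198.51.100.2:25 in via fxp0
Jun  5 08:21:42 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4025 198.51.100.2:111 in via fxp0
Jun  5 08:21:43 gw kernel: ipfw: 300 Deny TCP 203.0.113.7:4026 198.51.100.2:135 in via fxp0
Jun  5 08:22:10 gw kernel: ipfw: 100 Accept TCP 192.0.2.9:33021 198.51.100.2:22 in via fxp0
Jun  5 08:22:15 gw kernel: ipfw: 500 Deny ICMP:8.0 192.0.2.44 198.51.100.2 in via fxp0
Jun  5 08:22:18 gw kernel: ipfw: 300 Deny UDP 192.0.2.44:1025 198.51.100.2:111 in via fxp0
Jun  5 08:22:19 gw sshd[311]: Accepted publickey for admin from 192.0.2.9 port 33021 ssh2
"""


def parse_line(line):
    """Return a dict of fields for an ipfw line, or None for any other line."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rule"] = int(ev["rule"])
    ev["sport"] = int(ev["sport"]) if ev["sport"] is not None else None
    ev["dport"] = int(ev["dport"]) if ev["dport"] is not None else None
    ev["timestamp"] = line[:15]  # syslog "Mon dd hh:mm:ss" prefix
    return ev


def parse_log(text):
    """Parse every line of a log; non-ipfw lines (sshd etc.) are skipped."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def summarize(events):
    """Per-source counts: total packets, denied packets, distinct denied ports."""
    stats = defaultdict(lambda: {"total": 0, "denied": 0, "ports": set(), "ifaces": set()})
    for ev in events:
        s = stats[ev["src"]]
        s["total"] += 1
        s["ifaces"].add(ev["iface"])
        if ev["action"] == "Deny":
            s["denied"] += 1
            if ev["dport"] is not None:
                s["ports"].add(ev["dport"])
    return dict(stats)


def find_scanners(events, min_ports=5):
    """Sources whose denied traffic hit at least min_ports distinct ports."""
    return sorted(src for src, s in summarize(events).items() if len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, s in sorted(summarize(evs).items()):
        print(f"{src:16} total={s['total']} denied={s['denied']} ports={sorted(s['ports'])}")
    print("port-scan candidates:", find_scanners(evs))
```

The threshold in `find_scanners` is deliberately a parameter: on a busy gateway a source that legitimately retries one service many times should not be flagged, so the check counts distinct destination ports rather than packets.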