Date:      Tue, 29 Feb 2000 13:58:33 -0600
From:      Dave McKay <dave@mu.org>
To:        Lev Serebryakov <lev@imc.macro.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: ipfw log accounting
Message-ID:  <20000229135833.A95841@elvis.mu.org>
In-Reply-To: <8621.000229@imc.macro.ru>
References:  <20000228174619.A71978@elvis.mu.org> <8621.000229@imc.macro.ru>



Lev Serebryakov (lev@imc.macro.ru) wrote:
> Hi, Dave!
>
> Tuesday, February 29, 2000, 2:46:19 AM, you wrote:
>
> >>   Are there some tools to analyze output of "deny log ip from any to
> >>   any" ipfw rule and find dangerous activity, like portscans and other?
> >>   I want to analyze log every hour, and reset log counters after it.
> >>   I don't want to receive messages about every single dropped packet.
>
> DM> A tool such as you are asking for could easily be written in perl.
> DM> Just have your ipfw log to a file through syslogd or ipfw
>    How could I filter all ipfw messages to a separate file with syslogd?
>    There is no special facility for it :(

An entry like this in your syslog.conf file should do it.
!ipfw
*.*				/var/log/ipfw.log
And of course you will have to HUP syslogd and touch the
ipfw.log file before it takes effect.  Also, the man pages list
the sysctl variables for ipfw; some deal with logging.

> DM> itself.  Then write a tool to check and analyse the data and
> DM> send you mail on it every hour.
>   It is not a problem to analyze when you know what is an attack and what
>   is not. I wonder, are there some conditions (developed by security
>   specialists) to distinguish attacks from mistakes...

Yes, there are some good measures.  Fyodor (http://www.insecure.org)
has written some good papers on remote OS guessing and portscanning.
Also, reading through the ipfw man pages shows examples of
useful setups.

-- 
Dave McKay
Network Engineer - Google Inc.
dave@mu.org - dave@google.com
I'm feeling lucky...

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia

iQCVAwUBOLwk6XY8vP7IQ1TlAQGW8AQAtXXSFb2Yknidb+bXp2UjF1HghHclDC8I
EHLqmFyI8EThm36PAglHOL13wi91Mz7QIryItI8JdWPw2Xs9MBms+Qjnq6a1ZuPi
T8Kewkj9B7KVLiN8I8e4k8nL899LBKiq3dzt/3S1itRzsm0Q0hGVT6xBzlaPFOZS
kTiKOQi3Dog=
=LW19
-----END PGP SIGNATURE-----

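As an added example (not code from this thread, and in Python rather than the perl Dave suggests), here is the hourly analyzer the two messages describe: it reads the file that the `!ipfw` syslog.conf entry produces, tallies dropped packets per source address, and flags a source as a likely port scan when it has been denied on many distinct destination ports of one host within the window. The log line layout (`ipfw: <rule> Deny <proto> <src>:<sport> <dst>:<dport> in via <iface>`), the scan threshold, and the sample lines are assumptions made for this example; the sample log is constructed.

```python
#!/usr/bin/env python3
"""Hourly summary of ipfw "deny log" output, with a simple port-scan heuristic."""
import re
import sys
from collections import defaultdict

# Constructed sample of what syslogd writes to /var/log/ipfw.log with an
# "!ipfw / *.* /var/log/ipfw.log" entry.  The layout is assumed from the
# FreeBSD kernel's ipfw log format of that era.
SAMPLE_LOG = """\
Feb 29 13:00:01 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40001 198.51.100.5:21 in via fxp0
Feb 29 13:00:01 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40002 198.51.100.5:22 in via fxp0
Feb 29 13:00:02 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40003 198.51.100.5:23 in via fxp0
Feb 29 13:00:02 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40004 198.51.100.5:25 in via fxp0
Feb 29 13:00:03 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40005 198.51.100.5:80 in via fxp0
Feb 29 13:00:03 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40006 198.51.100.5:110 in via fxp0
Feb 29 13:00:04 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40007 198.51.100.5:143 in via fxp0
Feb 29 13:00:05 elvis /kernel: ipfw: 65000 Deny TCP 192.0.2.10:40008 198.51.100.5:443 in via fxp0
Feb 29 13:10:00 elvis /kernel: ipfw: 65000 Deny UDP 203.0.113.7:137 198.51.100.5:137 in via fxp0
Feb 29 13:20:00 elvis /kernel: ipfw: 65000 Deny UDP 203.0.113.7:137 198.51.100.5:137 in via fxp0
Feb 29 13:30:00 elvis /kernel: ipfw: 65000 Deny TCP 203.0.113.9:2000 198.51.100.5:22 in via fxp0
Feb 29 13:40:00 elvis /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.9 198.51.100.5 in via fxp0
"""

# Ports are optional so that ICMP lines (no port fields) still parse.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[\w:.]+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def analyze(log_text, scan_threshold=5):
    """Count drops per source and flag (src, dst) pairs that hit many distinct ports.

    scan_threshold is an assumed tuning knob: how many distinct destination
    ports on one host, within the analyzed window, count as a probable scan.
    """
    drops = defaultdict(int)           # src -> number of denied packets
    ports = defaultdict(set)           # (src, dst) -> distinct dst ports seen
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "Deny":
            unparsed += 1
            continue
        drops[rec["src"]] += 1
        if rec["dport"] is not None:
            ports[(rec["src"], rec["dst"])].add(rec["dport"])
    scans = sorted(
        (src, dst, sorted(p))
        for (src, dst), p in ports.items()
        if len(p) >= scan_threshold
    )
    return {
        "total": sum(drops.values()),
        "drops": dict(drops),
        "scans": scans,
        "unparsed": unparsed,
    }


def report(result):
    """Format the analysis as the body of the hourly mail."""
    out = [f"{result['total']} packets denied ({result['unparsed']} lines skipped)", ""]
    out.append("Drops per source:")
    for src, n in sorted(result["drops"].items(), key=lambda kv: -kv[1]):
        out.append(f"  {src:<16} {n}")
    out.append("")
    if result["scans"]:
        out.append("Probable port scans:")
        for src, dst, plist in result["scans"]:
            out.append(f"  {src} -> {dst}: {len(plist)} ports ({', '.join(map(str, plist))})")
    else:
        out.append("No port scans detected.")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: ipfw_report.py /var/log/ipfw.log   (no argument: run on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(analyze(text)))
```

Run it from cron once an hour over the file syslogd writes, then rotate or truncate that file (for example through newsyslog) so each report covers one hour, which is the "reset after analysis" cycle Lev asked about. One caveat for the counts: the kernel's `net.inet.ip.fw.verbose_limit` sysctl caps how many log entries a rule emits, so a source that trips the cap will appear to stop after the limit even though the packets are still being denied; the threshold above only needs a handful of lines per source, so the scan heuristic still fires, but the per-source totals are a lower bound.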


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000229135833.A95841>