Subject: Re: traffic logging
From: Damian Gerow (damianITACTICS.COM)
Date: Wed May 03 2000 - 08:28:15 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmm... I don't much care for PortSentry's retaliation sequence. The
suggested action (blocking the route, adding the offending host to
hosts.deny, setting up a firewall rule to deny all traffic coming from
the offending host) really turns me off - it creates a nice, simple DoS
on its own.

For logging traffic in detail, there's a nice patch to detect port
scans. If you go to http://www.innu.org/~sean/, you can get it there.
That, combined with ippl and generic Linux logging, does the job nicely.

> > I've been seeing a lot of odd traffic on several of my
> > machines and I was
> > wondering what you folks suggest for logging traffic on a
> > single machine.
> > Several of the machines are Linux boxes, and I'd like the
> > ability to log in
> > depth. Things I'd like to capture would include things like
> > stealth scans
> > and odd packets.
> >
> > Any suggestions?
> >
> Not so much for traffic, but I use logcheck for any anomalies
> in the log
> files, and PortSentry to detect and react to port scans.
> They can both be
> found here:
> http://www.psionic.com/
>
>
> /*---------------------------------------------------------
> Scott McClelland, CNA
> Network Administrator
> Vortex Data Systems
> (619) 497-6400 x229
> -----------------------------------------------------------*/
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBORAo7PWPEBDMsfC4EQJ0ygCfVMoJJNVbcsG0rPaethu1d4wH7CoAnjHA
8aFJZCLAqGs9aV2tAhC7t5Wf
=v3Mr
-----END PGP SIGNATURE-----
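The failure mode Damian points at in his first paragraph (an auto-responder that blocks any source that touches a trip-wire port can be fed spoofed SYNs so that it blocks the hosts you depend on) is easy to see in a small simulation. The code below is an added example written for this archive page; it is not Damian's code, not PortSentry's, and not from the innu.org patch. It models a naive "block whoever hits a trip-wire port" responder beside a guarded one that keeps a never-block list, expires entries and caps the table size. Every address, port list and packet in it is constructed for the simulation; the class and function names are assumptions of this example.

```python
"""Added example (not from the thread): a toy model of PortSentry-style
retaliation, showing how forged source addresses turn auto-blocking into a
self-inflicted DoS, and a guarded variant that limits the damage.
All hosts, ports and packets are constructed for the simulation."""

import ipaddress
import time
from dataclasses import dataclass

# Constructed trip-wire port list: unused TCP ports a scan detector might watch.
TRIPWIRE_PORTS = {1, 11, 15, 111, 540, 1524, 2000, 12345, 31337}


@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen on the wire (trivially spoofable)
    dst_port: int


class NaiveResponder:
    """Blocks every source that hits a trip-wire port, no questions asked."""

    def __init__(self):
        self.hosts_deny = set()

    def observe(self, pkt: Packet) -> None:
        if pkt.dst_port in TRIPWIRE_PORTS:
            self.hosts_deny.add(pkt.src)

    def allows(self, src: str) -> bool:
        return src not in self.hosts_deny


class GuardedResponder:
    """Same trigger, but: never blocks addresses inside ignore_nets, expires
    blocks after block_ttl seconds, and caps live blocks at max_blocks so a
    spoofed flood cannot fill the table. The clock is injectable for tests."""

    def __init__(self, ignore_nets, block_ttl=600, max_blocks=64, now=time.time):
        self.ignore_nets = [ipaddress.ip_network(n) for n in ignore_nets]
        self.block_ttl = block_ttl
        self.max_blocks = max_blocks
        self.now = now
        self.blocks = {}    # src -> expiry timestamp
        self.log = []       # what we log instead of blocking

    def _ignored(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.ignore_nets)

    def _expire(self) -> None:
        t = self.now()
        self.blocks = {s: exp for s, exp in self.blocks.items() if exp > t}

    def observe(self, pkt: Packet) -> None:
        if pkt.dst_port not in TRIPWIRE_PORTS:
            return
        self._expire()
        if self._ignored(pkt.src):
            self.log.append(f"tripwire hit from protected host {pkt.src}, not blocking")
            return
        if pkt.src not in self.blocks and len(self.blocks) >= self.max_blocks:
            self.log.append(f"block table full, logging {pkt.src} only")
            return
        self.blocks[pkt.src] = self.now() + self.block_ttl

    def allows(self, src: str) -> bool:
        self._expire()
        return src not in self.blocks


def run_simulation(responder) -> dict:
    """Feed one genuine scan, then the same probes with forged sources that
    impersonate infrastructure. Returns which constructed hosts are still
    allowed in afterwards."""
    scanner = "203.0.113.9"                              # constructed attacker
    infra = ["192.0.2.53", "192.0.2.1", "192.0.2.10"]    # constructed DNS, gateway, admin box
    for p in (22, 111, 31337):
        responder.observe(Packet(scanner, p))
    for victim in infra:                                 # spoofed retransmission
        for p in (111, 31337):
            responder.observe(Packet(victim, p))
    return {h: responder.allows(h) for h in [scanner] + infra}


if __name__ == "__main__":
    print("naive  :", run_simulation(NaiveResponder()))
    print("guarded:", run_simulation(GuardedResponder(ignore_nets=["192.0.2.0/24"])))
```

With the naive responder the forged probes get the DNS server, the default gateway and the admin workstation into hosts.deny alongside the real scanner; the guarded one still blocks the scanner but only logs the hits that claim to come from the protected network. The ignore list and the expiry do not make retaliation safe (a NAT gateway shared with legitimate users is still one forged packet away from a block), they just bound how long and how widely a spoofed scan can hurt you, which is why logging the scan is usually the better default.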