From: Hisham (etsh911@maxleft.com)
Date: Tue Jan 22 2002 - 09:04:34 CST


    Richard,

    Maybe alert.sh isn't working because of some problem with your own
    config? I've seen it on the site; still, I think something in your
    internal config is the problem.

    Well, due to CP's wide powers, I have decided to port alert.sh to
    CP's own language (INSPECT).
    That isn't really hard; I've started it already, but I need a way
    to generate the alert.unique file.

    The basic engine for tracking is:
    ----------------------------------
    // the timeout <60> should be changed to whatever time you want.
    // "refresh" means the entry's timeout restarts every time it is touched.
    alert_sh = dynamic {} refresh expires 60;

    // "syn" matches a TCP SYN (the original read "sync" on this line).
    // note: sr4 is compared below but is not assigned anywhere in this fragment.
    ((syn, <src,dst> in alert_sh, get <src,dst> from alert_sh to sr5,
    if ((sr4=1), (sr5=5)) {record <src,dst,0,ip_p> in
    sam_blocked_srvs, log port_scan} or set sr6 (sr5+1), modify
    <src,dst;sr6> in alert_sh) or (syn, <src,dst> not in alert_sh,
    record <src,dst;1> in alert_sh))
    ------------------------------------

    That was the main engine. I have created a port_scan log format
    (that was created :)), but as I said before, the hard part would be
    the way to create the alert.unique file. If anyone has an idea
    about how to create alert.unique in the *expected* format using
    INSPECT, would you please drop me a line? :}

    Well, using INSPECT would make it ten times easier to debug, and
    it would be more customizable, i.e. you could block from specific
    hosts and allow from others, to prevent spoofed scans with a src
    of your DNS servers :)

    Thanks,
    etsh911

    ---------------------------------------------------------------------
    To unsubscribe, e-mail: honeypots-unsubscribe@securityfocus.com
    For additional commands, e-mail: honeypots-help@securityfocus.com
    ---------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert
    (SIA) Service. For more information on the SecurityFocus SIA service,
    which automatically alerts you to the latest security vulnerabilities,
    please see: https://alerts.securityfocus.com/
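The INSPECT fragment above is a small state machine: a dynamic table keyed by <src,dst> whose entries expire 60 seconds after they were last refreshed, a counter bumped on every SYN, a block plus a port_scan log entry when the counter reaches 5, and (per the last paragraph) an allowlist so a scan spoofed from your DNS servers' addresses cannot get them blocked. The following Python simulation is an added example written for this page; it is not the poster's alert.sh, not INSPECT, and not a Check Point product. The class and field names (ScanTracker, never_block), the 60 s / 5-SYN parameters taken from the fragment, the log line layout and the packet events are all constructed here for illustration.

```python
"""Simulation of the SYN-count tracker sketched in the INSPECT fragment.

Constructed example for this page; not the poster's code and not INSPECT.
Mirrors the fragment's semantics:
  - alert_sh: entries keyed by (src, dst), expiring WINDOW seconds after
    the last refresh ("dynamic {} refresh expires 60"),
  - each SYN increments the per-pair counter; the THRESHOLD-th SYN inside
    the window records the pair in sam_blocked_srvs and logs port_scan,
  - never_block (assumed, not in the fragment): sources that are logged
    but never blocked, e.g. your DNS servers, so a spoofed scan cannot
    lock them out.
"""
from dataclasses import dataclass, field

WINDOW = 60      # seconds, from "refresh expires 60"
THRESHOLD = 5    # from "(sr5=5)"
TCP = 6          # ip_p value for TCP


@dataclass
class ScanTracker:
    window: int = WINDOW
    threshold: int = THRESHOLD
    never_block: frozenset = frozenset()                  # assumed allowlist
    alert_sh: dict = field(default_factory=dict)          # (src,dst) -> [count, last_seen]
    sam_blocked_srvs: dict = field(default_factory=dict)  # (src,dst) -> (proto, when)
    log: list = field(default_factory=list)               # port_scan log lines

    def _expire(self, now):
        """Drop entries not refreshed within the window (the 'expires' part)."""
        stale = [k for k, (_, seen) in self.alert_sh.items() if now - seen >= self.window]
        for k in stale:
            del self.alert_sh[k]

    def syn(self, now, src, dst, dport, proto=TCP):
        """Feed one TCP SYN seen at time `now`.

        Returns one of: 'blocked' (pair already in sam_blocked_srvs),
        'record' (first SYN, new entry), 'count' (incremented),
        'block' (threshold hit, pair blocked), 'allow' (threshold hit but
        src is on the allowlist: logged only).
        """
        self._expire(now)
        key = (src, dst)
        if key in self.sam_blocked_srvs:
            return "blocked"
        if key not in self.alert_sh:                      # "<src,dst> not in alert_sh"
            self.alert_sh[key] = [1, now]                 # "record <src,dst;1>"
            return "record"
        count = self.alert_sh[key][0] + 1                 # "set sr6 (sr5+1)"
        self.alert_sh[key] = [count, now]                 # "modify", refreshes expiry
        if count < self.threshold:
            return "count"
        line = f"{now:>4} port_scan src={src} dst={dst} dport={dport} ip_p={proto}"
        if src in self.never_block:
            self.log.append(line + " action=log-only")
            return "allow"
        self.sam_blocked_srvs[key] = (proto, now)         # "record ... in sam_blocked_srvs"
        self.log.append(line + " action=block")
        return "block"


def run_demo():
    """Constructed packet trace: a real scanner, an expired slow scan, and a
    scan spoofed from the DNS server's address. Returns the tracker."""
    t = ScanTracker(never_block=frozenset({"10.0.0.53"}))
    events = (
        [(i, "192.0.2.10", "10.0.0.5", 20 + i) for i in range(6)]    # fast scan -> blocked
        + [(0, "198.51.100.7", "10.0.0.5", 22), (70, "198.51.100.7", "10.0.0.5", 23)]  # expired
        + [(100 + i, "10.0.0.53", "10.0.0.5", 1000 + i) for i in range(5)]  # spoofed DNS src
    )
    for now, src, dst, dport in sorted(events):
        t.syn(now, src, dst, dport)
    return t


if __name__ == "__main__":
    tracker = run_demo()
    for line in tracker.log:
        print(line)
    print("blocked:", sorted(tracker.sam_blocked_srvs))
```

The allowlist check sits after the counter update on purpose: a spoofed burst from a DNS server's address still produces a port_scan log line, which is the evidence you want, but never lands the pair in sam_blocked_srvs. The "refresh" semantics show up in the expired case: a second SYN 70 seconds after the first starts a fresh count rather than continuing the old one.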