firewall log viewing, sorting or alerting - snort & acid ?

Daniel cottmain at plug.linux.org.au
Sun Dec 8 01:24:14 EST 2002


Hello All,
I'm running a Woody iptables firewall with no x-windows and I'm so new
to reading logs I'm not sure I'd notice a successful intrusion attempt
if I fell over one.

For a 'paranoid' approach what about something like:
- set up syslog-ng (tcp) or metalog (can use bzip2) to log on another
machine, compress & maybe e-mail the logs, and logrotate [sounds easy]
- use a log analysis tool to simplify reading them and perhaps automate
or escalate alert response ... this is the hard bit as it's difficult to
choose the right tool. There's another machine available to send
duplicate logs to if needed, and maybe even better to check the logs out
from there.

What about snort and acid as tools? Am I heading in the right direction?
Are they the easiest way to keep an eye on logs for beginners?

http://www.snort.org/
http://acidlab.sourceforge.net/
http://sourceforge.net/projects/snortalertmon
http://snortcon.sourceforge.net/
http://packages.debian.org/unstable/net/fwlogwatch.html
http://packages.debian.org/unstable/admin/metalog.html
http://packages.debian.org/unstable/admin/syslog-ng.html
http://www.jedi.claranet.fr/  (iplimit, iptrap)
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Thanks for your good replies on
"Examples of 'dpkg --get-selection > packagesinstalled.txt' for
firewall" ...

Thanks,
Daniel.
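As an added illustration of the "log analysis tool" step in the plan above (not code from the original post, nor from snort, ACID, fwlogwatch or any other tool listed), here is a small Python parser that reads iptables LOG lines as syslog writes them, counts drops per source address and flags any source that probed many distinct ports; the log lines, hostnames and addresses are constructed, and the port threshold is an arbitrary starting value.

```python
import re
from collections import defaultdict

# Constructed sample of what an iptables "-j LOG --log-prefix 'DROP '" rule
# writes to syslog on the firewall; hosts and addresses are made up.
SAMPLE_LOG = """\
Dec  8 01:10:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=21 SYN URGP=0
Dec  8 01:10:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
Dec  8 01:10:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=23 SYN URGP=0
Dec  8 01:10:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=4 DF PROTO=TCP SPT=40004 DPT=25 SYN URGP=0
Dec  8 01:10:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=5 DF PROTO=TCP SPT=40005 DPT=80 SYN URGP=0
Dec  8 01:10:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 LEN=44 TTL=52 ID=6 DF PROTO=TCP SPT=40006 DPT=443 SYN URGP=0
Dec  8 01:11:40 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=48 TTL=115 ID=7 DF PROTO=TCP SPT=3371 DPT=137 SYN URGP=0
Dec  8 01:12:05 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 LEN=84 TTL=115 ID=8 PROTO=ICMP TYPE=8 CODE=0
Dec  8 01:12:30 fw sshd[812]: Accepted publickey for daniel from 192.0.2.50 port 4022 ssh2
"""

# Syslog header in front of a kernel message, then the iptables key=value fields.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the fields of one iptables LOG line as a dict, or None when the
    line is not a kernel firewall entry (for example the sshd line above)."""
    m = SYSLOG_RE.match(line.strip())
    if not m or "SRC=" not in m.group("rest"):
        return None
    fields = dict(KV_RE.findall(m.group("rest")))  # bare flags like DF/SYN are skipped
    fields["ts"], fields["host"] = m.group("ts"), m.group("host")
    return fields

def summarize(lines, port_threshold=5):
    """Count logged packets per source and flag sources that hit more than
    port_threshold distinct TCP/UDP destination ports (a crude scan check).
    Returns (hits_by_src, alerts); alerts is a sorted list of (src, port_count)."""
    hits, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        hits[f["SRC"]] += 1
        if f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            ports[f["SRC"]].add(f["DPT"])
    alerts = sorted((src, len(p)) for src, p in ports.items() if len(p) > port_threshold)
    return dict(hits), alerts

if __name__ == "__main__":
    hits, alerts = summarize(SAMPLE_LOG.splitlines())
    for src, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{src:16} {n} logged packets")
    for src, nports in alerts:
        print(f"ALERT: {src} probed {nports} distinct ports")
```

Feed it the real file (e.g. `summarize(open("/var/log/kern.log"))`) on the machine that receives the remote syslog copy, and raise the threshold once you know what normal background noise looks like.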