firewall log viewing, sorting or alerting - snort & acid ?

Donovan J. Edye d.edye at bigfoot.com
Sun Dec 8 08:55:54 EST 2002


D,

> to reading logs I'm not sure I'd notice a successful intrusion attempt if
> I fell over one.
Sounds like me to a T. *grin* I ended up using
http://sourceforge.net/projects/fwlogwatch/ It scans my IP Tables logs and
then e-mails me any suspicious activity. I am a bit of a paranoid android,
but I turned off the real time modification of my firewall although it can
do that for you as well.

-- D

-----Original Message-----
From: linux-admin at lists.samba.org [mailto:linux-admin at lists.samba.org] On Behalf Of Daniel
Sent: Sunday, 8 December 2002 01:24
To: linux at lists.samba.org
Subject: firewall log viewing, sorting or alerting - snort & acid ?

Hello All,
I'm running a Woody iptables firewall with no x-windows and I'm so new
to reading logs I'm not sure I'd notice a successful intrusion attempt
if I fell over one.

For a 'paranoid' approach what about something like:
- setup syslog-ng(tcp) or metalog(can use bzip2) to log on another
machine, compress & maybe e-mail the logs, and logrotate[sounds easy]
- use a log analysis tool to simplify reading them and perhaps automate
or escalate alert response ... this is the hard bit as it's difficult to
choose the right tool. There's another machine available to send
duplicate logs to if needed, and maybe even better to check the logs out
from there.

What about snort and acid as tools? Am I heading in the right direction?
Are they the easiest way to keep an eye on logs for beginners?

http://www.snort.org/
http://acidlab.sourceforge.net/
http://sourceforge.net/projects/snortalertmon
http://snortcon.sourceforge.net/
http://packages.debian.org/unstable/net/fwlogwatch.html
http://packages.debian.org/unstable/admin/metalog.html
http://packages.debian.org/unstable/admin/syslog-ng.html
http://www.jedi.claranet.fr/  (iplimit, iptrap)
http://www.kyb.uni-stuttgart.de/boris/software.shtml

Thanks for your good replies on
"Examples of 'dpkg --get-selection > packagesinstalled.txt' for
firewall" ...

Thanks,
Daniel.
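As an added illustration of the kind of scan-and-alert pass fwlogwatch makes over iptables logs (this is not code from either poster or from fwlogwatch itself): a small Python script that parses the kernel's LOG lines, counts blocked packets per source address and flags sources that probe several ports, producing the list you would put in an alert mail. The log lines, the host name "fw" and the addresses are constructed; it assumes the rules log with a "DROP " or "ACCEPT " prefix.

```python
import re
from collections import defaultdict
# Constructed sample iptables LOG lines (hypothetical host "fw", RFC 5737 addresses).
# Assumes the rules log with --log-prefix "DROP " or "ACCEPT ", as is common.
SAMPLE_LOG = """\
Dec  8 01:24:01 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4431 DPT=22
Dec  8 01:24:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4432 DPT=23
Dec  8 01:24:02 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4433 DPT=25
Dec  8 01:24:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4434 DPT=80
Dec  8 01:24:03 fw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP SPT=4435 DPT=443
Dec  8 01:25:10 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 PROTO=UDP SPT=137 DPT=137
Dec  8 01:30:00 fw kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.2 PROTO=TCP SPT=51000 DPT=80
"""

# Fields the LOG target writes; MAC=/LEN=/TTL= and friends are skipped by the lazy .*?
LINE_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=\S* OUT=\S* .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the interesting fields of one iptables LOG line, or None for other syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None  # ICMP lines carry no ports
    return rec

def summarize(log_text):
    """Per source address: count of blocked packets and the set of destination ports hit."""
    stats = defaultdict(lambda: {"blocked": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"].startswith("ACCEPT"):
            continue  # accepted traffic is not what we want to be mailed about
        stats[rec["src"]]["blocked"] += 1
        if rec["dpt"] is not None:
            stats[rec["src"]]["ports"].add(rec["dpt"])
    return stats

def suspicious_sources(log_text, min_blocked=5, min_ports=3):
    """Sources that deserve an alert: many blocked packets, or several distinct ports probed."""
    hits = [(src, s["blocked"], sorted(s["ports"])) for src, s in summarize(log_text).items()
            if s["blocked"] >= min_blocked or len(s["ports"]) >= min_ports]
    return sorted(hits, key=lambda h: -h[1])  # worst offender first, as the mail body would list them

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

The same loop run over a rotated file instead of SAMPLE_LOG, with its output piped to mail, is the whole of the "scan and e-mail me" job.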