[Q] Intrusion Detection, Log file parsing....

Doug Palmer doug at charvolant.org
Mon Jan 21 21:55:12 EST 2002


"Donovan J. Edye" wrote:

> -          Detect intrusion attempts

Adding an iptables rule which "jumps" to LOG wherever you block naughty
packets will result in information on the bad packet being sent to the
syslog. See
http://www.linuxvoodoo.com/howto/iptables/iptables-tutorial.html

> -          Have "something" look at syslog and other logs to see if there
> are any "funnies" in the logs (not necessarily to do with security, but say
> a disk getting full etc.)

The logcheck utility http://www.psionic.com/abacus/logcheck is pretty
useful here. It incrementally scans the /var/log (or wherever) files
and reports on suspicious looking stuff. It has a file of patterns to
scan for (and patterns to ignore) that can easily be tuned by hand. The
results get mailed to you.

-- 
Doug Palmer   doug at charvolant.org   http://www.charvolant.org/~doug
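As an added illustration of the two ideas above (not code from the original post or from logcheck itself): a small logcheck-style scanner that drops known-benign noise, reports lines matching alert patterns, and, for the lines the iptables LOG target wrote, counts distinct blocked destination ports per source so a port sweep stands out. The syslog lines, the "IPT-DROP" log prefix and the pattern lists are all constructed for this example.

```python
import re

# Constructed sample syslog lines in the shape produced by an iptables
# "-j LOG --log-prefix 'IPT-DROP: '" rule placed just before a DROP rule,
# mixed with ordinary sshd, cron and filesystem messages.
SAMPLE_LOG = """\
Jan 21 21:50:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40213 DPT=22 SYN
Jan 21 21:50:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40214 DPT=23 SYN
Jan 21 21:50:03 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40215 DPT=80 SYN
Jan 21 21:51:10 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=78 TTL=64 PROTO=UDP SPT=5353 DPT=5353
Jan 21 21:52:00 gw sshd[812]: Accepted publickey for doug from 192.0.2.20 port 51022
Jan 21 21:52:30 gw kernel: EXT2-fs warning: device hda1: no space left on device
Jan 21 21:53:00 gw cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Pulls the log prefix, source address, protocol and destination port
# out of a kernel LOG line (constructed regex, not logcheck's own).
IPT_RE = re.compile(r"kernel: (?P<prefix>[\w-]+): .*?SRC=(?P<src>\S+) "
                    r".*?PROTO=(?P<proto>\S+) (?:SPT=\d+ )?DPT=(?P<dpt>\d+)")

# logcheck-style pattern lists: IGNORE is checked first and silences
# known noise; anything left that matches ALERT gets reported.
IGNORE = [re.compile(p) for p in (r"cron\[\d+\]: \(root\) CMD",
                                  r"sshd\[\d+\]: Accepted publickey",
                                  r"PROTO=UDP SPT=5353 DPT=5353")]
ALERT = [re.compile(p, re.I) for p in (r"IPT-DROP:",
                                       r"no space left on device",
                                       r"authentication failure")]

def scan(text, min_ports=3):
    """Return (alerts, scanners): alerts are the non-ignored lines matching an
    ALERT pattern; scanners maps each source that hit at least min_ports
    distinct blocked destination ports to the sorted list of those ports."""
    alerts, ports_by_src = [], {}
    for line in text.splitlines():
        if any(p.search(line) for p in IGNORE):
            continue
        if not any(p.search(line) for p in ALERT):
            continue
        alerts.append(line)
        m = IPT_RE.search(line)
        if m:  # only kernel LOG lines carry SRC/DPT fields
            ports_by_src.setdefault(m["src"], set()).add(int(m["dpt"]))
    scanners = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}
    return alerts, scanners

if __name__ == "__main__":
    found, sweeps = scan(SAMPLE_LOG)
    print("\n".join(found))
    print("possible port sweeps:", sweeps)
```

In practice the input would be the new lines since the last run (the incremental part of logcheck) and the pattern lists would live in editable files, with the report mailed out rather than printed.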