[Q] Intrusion Detection, Log file parsing....

Doug Palmer doug at charvolant.org
Mon Jan 21 21:55:12 EST 2002

"Donovan J. Edye" wrote:

> -          Detect intrusion attempts

Adding an iptables rule which "jumps" to LOG wherever you block naughty
packets will result in information on the bad packet being sent to the
syslog. See

> -          Have ?something? look at syslog and other logs to see if there
> are any ?funnies? in the logs (not necessarily to do with security, but say
> a disk getting full etc.)

The logcheck utility http://www.psionic.com/abacus/logcheck is pretty
useful here. It incrementally scans the /var/log (or wherever) files
and reports on suspicious-looking stuff. It has a file of patterns to
scan for (and patterns to ignore) that can easily be tuned by hand. The
results get mailed to you.

Doug Palmer   doug at charvolant.org   http://www.charvolant.org/~doug
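An added example (not part of the post above or of the logcheck tool) of the two ideas combined: syslog lines produced by an iptables LOG rule are scanned logcheck-style with a hand-tunable list of patterns to report and patterns to ignore, and dropped packets are tallied per source address. It assumes the LOG rule was given `--log-prefix "IPT-DROP: "`; the log sample is constructed.

```python
"""Logcheck-style scan of syslog for iptables LOG entries (added example)."""
import re
from collections import Counter

# Constructed sample of /var/log/messages lines, not real traffic.
SAMPLE_LOG = """\
Jan 21 21:50:01 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40123 DPT=22 SYN
Jan 21 21:50:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40124 DPT=23 SYN
Jan 21 21:50:05 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=137 DPT=137
Jan 21 21:51:00 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40125 DPT=80 SYN
Jan 21 21:52:00 gw cron[123]: (root) CMD (run-parts /etc/cron.hourly)
Jan 21 21:53:00 gw kernel: sda: disk full, no space left on device
"""

# Patterns worth reporting (hand-tunable, like logcheck's pattern file).
REPORT = [re.compile(p) for p in (r"IPT-DROP:", r"disk full", r"no space left")]
# Patterns to ignore even when they match above (like logcheck's ignore file):
# NetBIOS name-service broadcasts from the LAN are expected noise.
IGNORE = [re.compile(p) for p in (r"PROTO=UDP .*DPT=137\b",)]

# Fields that an iptables LOG line carries (hypothetical prefix assumed above).
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

def scan(text):
    """Return (reported_lines, per_source_counter) for the lines that
    match a REPORT pattern and no IGNORE pattern."""
    hits, sources = [], Counter()
    for line in text.splitlines():
        if not any(r.search(line) for r in REPORT):
            continue
        if any(r.search(line) for r in IGNORE):
            continue
        hits.append(line)
        m = FIELD_RE.search(line)
        if m:  # only firewall lines have SRC=/DST= fields
            sources[m.group("src")] += 1
    return hits, sources

if __name__ == "__main__":
    hits, sources = scan(SAMPLE_LOG)
    print(f"{len(hits)} line(s) to report")
    for line in hits:
        print("  " + line)
    for src, n in sources.most_common():
        print(f"{src}: {n} dropped packet(s)")
```

In practice the report would be piped to mail from cron, as logcheck does, and the ignore list grown as benign noise shows up.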
