Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng. This daemon
> > would then parse the log and look for suspicious things. If it found
> > something suspicious, it would use regular expressions to grab out
> > pertinent parts of the log (say the IP address) and act on the log
> > accordingly (in real time) by, say, dropping an IPTABLE rule down on the
> > IP address.
> > Are there any projects out there to do this right now? If not, is this
> > a good idea? If it is, who would be a person/group that would be
> > qualified and have the time/interest to develop it?
> Not really a good idea. Consider what happens when someone forges the IP
One can predefine trusted or other very important IP addresses which
cannot be blocked.
In fact, such a utility exists and is present in Debian Woody:
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
email@example.com http://www.lodz.tpsa.pl/ | ones and zeros.
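The log-watching daemon sketched in the quoted post, combined with the never-block list suggested in the reply, as an added example that is not part of the thread or of any Debian package: it parses constructed syslog lines, counts failed logins per source address, and only emits a block decision for addresses that are not on the protected list. The log lines, the threshold and the protected networks are all constructed here; nothing is executed against the firewall.

```python
import ipaddress
import re

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Jun 30 22:41:02 host sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jun 30 22:41:05 host sshd[1234]: Failed password for root from 203.0.113.7 port 4023 ssh2
Jun 30 22:41:07 host sshd[1234]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jun 30 22:41:09 host sshd[1240]: Failed password for admin from 192.0.2.10 port 5100 ssh2
Jun 30 22:41:11 host sshd[1241]: Accepted publickey for tomasz from 198.51.100.5 port 6000 ssh2
Jun 30 22:41:12 host sshd[1242]: Failed password for root from 192.0.2.10 port 5101 ssh2
Jun 30 22:41:13 host sshd[1243]: Failed password for root from 192.0.2.10 port 5102 ssh2
"""

# The "suspicious thing" with a capture group for the source address.
FAILED_LOGIN = re.compile(r"Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Addresses that must never be blocked, however the log looks (assumed values):
# loopback and the administrators' own network.  This is what limits the damage
# when a logged source address is forged.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]

THRESHOLD = 3  # failed logins from one address before acting (assumed)


def is_protected(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def analyze(log_text, threshold=THRESHOLD):
    """Return (blocked, skipped): addresses that reached the threshold and
    would be blocked, and those that reached it but are on the protected list."""
    counts = {}
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    blocked, skipped = [], []
    for ip, n in sorted(counts.items()):
        if n >= threshold:
            (skipped if is_protected(ip) else blocked).append(ip)
    return blocked, skipped


def iptables_rule(ip):
    # Only builds the command string; the daemon would hand it to the firewall.
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    to_block, protected = analyze(SAMPLE_LOG)
    for ip in to_block:
        print("would run:", iptables_rule(ip))
    for ip in protected:
        print("threshold reached but address is protected, not blocking:", ip)
```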