
Re: counteracting an attack?



On Sun, Feb 18, 2001 at 09:27:26AM +0100, Pierfrancesco Caci wrote:
> 
> :-> "Erich" == Erich Schubert <erich.schubert@mucl.de> writes:
> 
>     >> The goal is reached, bad guys stay out, but I'd prefer to somehow
>     >> make portsentry check the data as well. I prefer to know if
>     >> someone scanned my network. Most of the information can be read
>     >> from the firewall logs, but it would require a big bunch of
>     >> scripts (pretty much rewriting portsentry) to see the big picture
>     >> with many scans.
> 
>     > For that i use logcheck and do log as few as possible.
> 
> That's what I do, too, but I'd like to be able to set up something
> more "real time", in the sense that I won't get to read nightly logs
> until the morning after, and by that time the script kiddies already
> are gone.

Set up snort with MySQL logging, run a script every 5 minutes to check
for your favorite scans in the database.

Tim

-- 
Tim Sailer <sailer@bnl.gov> Cyber Security Operations
Brookhaven National Laboratory  (631) 344-3001
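As an added illustration of the "snort with database logging plus a script every 5 minutes" approach Tim suggests (this is example code written for this page, not something from the original mail or from the snort project), the script below runs a single query over a snort-style event database and reports any source that has triggered several scan signatures inside the polling window. The tables and column names are a cut-down stand-in for what snort's database output plugin writes and are assumptions here, so check them against your own schema; sqlite3 replaces MySQL so the example runs offline, and the sample alerts are constructed, not captured traffic.

```python
"""Poll a snort event database for scan-like activity (cron it every 5 min).

Added example, not from the original mail. The tables below are a cut-down
stand-in for what snort's database output plugin writes (event, signature,
iphdr, tcphdr); the column names are assumptions, so verify them against
your own snort database before adapting the query. sqlite3 stands in for
MySQL so the example runs offline; the SQL itself is portable.
"""
import ipaddress
import sqlite3
from datetime import datetime, timedelta

WINDOW_MINUTES = 5       # cron interval: look back this far on each run
HIT_THRESHOLD = 3        # scan alerts from one source within the window to report it
SCAN_PATTERN = "%scan%"  # signature names to watch, e.g. "SCAN nmap TCP"

SCHEMA = """
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT);
CREATE TABLE event     (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT);
CREATE TABLE iphdr     (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER);
CREATE TABLE tcphdr    (sid INTEGER, cid INTEGER, tcp_sport INTEGER, tcp_dport INTEGER);
"""


def ip2int(addr):
    """Snort stores addresses as unsigned 32-bit integers."""
    return int(ipaddress.IPv4Address(addr))


def int2ip(n):
    return str(ipaddress.IPv4Address(n))


def build_sample_db():
    """Constructed sample data (not real sensor output): returns (conn, now)."""
    now = datetime(2001, 2, 18, 9, 30, 0)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO signature VALUES (?, ?)",
                     [(1, "SCAN nmap TCP"), (2, "WEB-MISC /etc/passwd")])
    # (cid, sig_id, minutes_ago, src, dst, dport)
    rows = [
        (1, 1, 2, "10.0.0.5", "192.168.1.10", 21),    # one host sweeping
        (2, 1, 2, "10.0.0.5", "192.168.1.10", 22),    # several ports
        (3, 1, 1, "10.0.0.5", "192.168.1.10", 23),    # inside the window
        (4, 1, 1, "10.0.0.5", "192.168.1.10", 25),
        (5, 1, 20, "10.0.0.9", "192.168.1.10", 22),   # a scan, but 20 min old
        (6, 2, 1, "10.0.0.7", "192.168.1.80", 80),    # not a scan signature
        (7, 1, 1, "172.16.0.3", "192.168.1.10", 22),  # single probe, below threshold
    ]
    for cid, sig, ago, src, dst, dport in rows:
        ts = (now - timedelta(minutes=ago)).strftime("%Y-%m-%d %H:%M:%S")
        conn.execute("INSERT INTO event VALUES (1, ?, ?, ?)", (cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (1, ?, ?, ?)",
                     (cid, ip2int(src), ip2int(dst)))
        conn.execute("INSERT INTO tcphdr VALUES (1, ?, ?, ?)", (cid, 40000 + cid, dport))
    conn.commit()
    return conn, now


def recent_scanners(conn, now, window_minutes=WINDOW_MINUTES, threshold=HIT_THRESHOLD):
    """Sources with at least `threshold` scan alerts since now - window.

    In a cron job `now` is datetime.now(); it is a parameter here so the
    sample data stays reproducible. Returns [(src_ip, distinct_dst_ports,
    hits), ...], busiest source first.
    """
    since = (now - timedelta(minutes=window_minutes)).strftime("%Y-%m-%d %H:%M:%S")
    sql = """
        SELECT i.ip_src,
               COUNT(DISTINCT t.tcp_dport) AS ports,
               COUNT(*)                    AS hits
        FROM event e
        JOIN signature s ON s.sig_id = e.signature
        JOIN iphdr     i ON i.sid = e.sid AND i.cid = e.cid
        LEFT JOIN tcphdr t ON t.sid = e.sid AND t.cid = e.cid
        WHERE e.timestamp >= ?
          AND lower(s.sig_name) LIKE ?
        GROUP BY i.ip_src
        HAVING COUNT(*) >= ?
        ORDER BY hits DESC, i.ip_src
    """
    rows = conn.execute(sql, (since, SCAN_PATTERN, threshold)).fetchall()
    return [(int2ip(src), ports, hits) for src, ports, hits in rows]


if __name__ == "__main__":
    conn, now = build_sample_db()
    for src, ports, hits in recent_scanners(conn, now):
        print(f"{src}: {hits} scan alerts against {ports} ports "
              f"in the last {WINDOW_MINUTES} min")
```

Run against the constructed data, only 10.0.0.5 is reported: the 20-minute-old scan falls outside the window, the web alert does not match the signature pattern, and the single probe from 172.16.0.3 stays under the threshold. The window, threshold and signature pattern are the three knobs to tune to your own scan-noise level; pointing the same query at the real MySQL database and mailing or paging on a non-empty result gives the "more real time" view asked about above.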


