Re: counteracting an attack?
On Sun, Feb 18, 2001 at 09:27:26AM +0100, Pierfrancesco Caci wrote:
>
> :-> "Erich" == Erich Schubert <erich.schubert@mucl.de> writes:
>
> >> The goal is reached, bad guys stay out, but I'd prefer to somehow
> >> make portsentry check the data as well. I prefer to know if
> >> someone scanned my network. Most of the information can be read
> >> from the firewall logs, but it would require a big bunch of
> >> scripts (pretty much rewriting portsentry) to see the big picture
> >> with many scans.
>
> > For that I use logcheck and log as little as possible.
>
> That's what I do, too, but I'd like to be able to set up something
> more "real time", in the sense that I won't get to read nightly logs
> until the morning after, and by that time the script kiddies already
> are gone.
Set up snort with MySQL logging, run a script every 5 minutes to check
for your favorite scans in the database.
Tim
--
Tim Sailer <sailer@bnl.gov> Cyber Security Operations
Brookhaven National Laboratory (631) 344-3001
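
The periodic check suggested above, as an added example that is not part of the original message. It uses Python's sqlite3 as a stand-in for the MySQL database; the `alerts` and `poll_state` tables, their columns, the `new_scan_sources` function and the sample rows are assumptions constructed for illustration, not Snort's actual schema.

```python
import sqlite3

# Constructed stand-in for the alert database; NOT Snort's real MySQL schema.
SCHEMA = """
CREATE TABLE alerts (id INTEGER PRIMARY KEY, ts INTEGER, sig_name TEXT,
                     src_ip TEXT, dst_ip TEXT, dst_port INTEGER);
CREATE TABLE poll_state (last_id INTEGER NOT NULL);  -- last alert row already reported
INSERT INTO poll_state VALUES (0);
"""

def new_scan_sources(conn, patterns=("%scan%",), min_alerts=1):
    """Per-source summary of scan alerts logged since the previous run."""
    (last_id,) = conn.execute("SELECT last_id FROM poll_state").fetchone()
    (max_id,) = conn.execute("SELECT COALESCE(MAX(id), 0) FROM alerts").fetchone()
    # Only "?" placeholders are interpolated; the patterns themselves are bound.
    where = " OR ".join("sig_name LIKE ?" for _ in patterns)
    rows = conn.execute(
        f"""SELECT src_ip, COUNT(*), COUNT(DISTINCT dst_ip), COUNT(DISTINCT dst_port)
            FROM alerts WHERE id > ? AND id <= ? AND ({where})
            GROUP BY src_ip HAVING COUNT(*) >= ?
            ORDER BY COUNT(*) DESC, src_ip""",
        (last_id, max_id, *patterns, min_alerts)).fetchall()
    # Advance the watermark so the next run reports each alert only once,
    # even if the scheduler fires late or two runs overlap a time window.
    conn.execute("UPDATE poll_state SET last_id = ?", (max_id,))
    conn.commit()
    return rows

def demo_db():
    """In-memory database with constructed alert rows (documentation IP ranges)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO alerts (ts, sig_name, src_ip, dst_ip, dst_port) VALUES (?,?,?,?,?)",
        [(1000, "SCAN SYN FIN", "192.0.2.10", "198.51.100.1", 22),
         (1001, "SCAN SYN FIN", "192.0.2.10", "198.51.100.1", 23),
         (1002, "SCAN nmap TCP", "192.0.2.10", "198.51.100.2", 80),
         (1003, "WEB-MISC test", "192.0.2.77", "198.51.100.1", 80),
         (1004, "SCAN SYN FIN", "203.0.113.5", "198.51.100.1", 25)])
    conn.commit()
    return conn

if __name__ == "__main__":
    for src, n, hosts, ports in new_scan_sources(demo_db()):
        print(f"{src}: {n} scan alerts, {hosts} hosts, {ports} ports")
```

With `min_alerts` above 1, a source that stays under the threshold in every run is never reported, because the watermark still moves past its rows.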