
Re: Detecting break-ins



hi ya

On Wed, 16 Jan 2002, Yotam Rubin wrote:

> On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> > Hi,
> > 
> > Recently I've installed some IP logging daemons
> > (snort, ippl along with logcheck) and I was amazed

you'd need (host/network) IDS's in addition to the above log checkers

> Strangely, ippl is an extremely popular tool. Using ippl is inadvisable, it
> provides a false sense of information. ippl is unversatile, the filter 
> language is too simple to allow complex operations. 
>  * ippl is limited only to UDP and TCP. 
>  * ippl logs only TCP syn packets, many port scanners apply scanning methods 
>     which include the transmission of non-syn packets. If these methods are 
>     used, ippl will not detect them.
>  * Finally, ippl provides little information about connection attempts.
> Perhaps you should consider using alternative tools, such as argus.


output of ippl....
	- i'd say i have enough info to go chase down unauthorized
	attempts on different ports

	- i can run a cronjob every 5 min to selectively 
	go and check or ignore it

	- you can put this log file outside of /var/log/*
	( say we put the ippl log file at /x/y/z/abc/x.log )
		- which is why i like it
		- and is 1 minute to install/setup..

	- i prefer to get raw data... and i'll post process it
	with my filters/config options and paranoia level
		and cross check against other IDS reports

Jan 16 06:57:29 auth connection attempt from 216.103.69.42
Jan 16 06:58:41 http connection attempt from 131.155.85.29
Jan 16 06:58:47 smtp connection attempt from 216.234.231.6
Jan 16 06:59:26 http connection attempt from 64.152.75.101
Jan 16 07:00:09 http connection attempt from 216.35.116.100
Jan 16 07:00:28 http connection attempt from 64.152.75.101
Jan 16 07:00:56 last message repeated 4 time(s)
Jan 16 07:01:00 sunrpc connection attempt from 166.90.84.59
Jan 16 07:01:17 http connection attempt from 64.152.75.101
Jan 16 07:01:36 http connection attempt from 167.202.196.71
Jan 16 07:01:44 http connection attempt from 64.152.75.101

have fun
alvin
http://www.Linux-Sec.net/IDS ... ids stuff
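The kind of post-processing alvin describes (a cron job over the raw ippl log with its own filters and an ignore list) is easy to sketch. The block below is an added example, not code from the thread or from ippl: it parses the ippl lines quoted above, expands the syslog-style "last message repeated N time(s)" line into the events it stands for, counts attempts per source, and flags a source when it exceeds a threshold or touches more than one service. The threshold and the ignore list are assumptions; the log lines are the ones from the post.

```python
import re
from collections import Counter, defaultdict

# Sample ippl output, copied from the post above (used here as test input).
IPPL_LOG = """\
Jan 16 06:57:29 auth connection attempt from 216.103.69.42
Jan 16 06:58:41 http connection attempt from 131.155.85.29
Jan 16 06:58:47 smtp connection attempt from 216.234.231.6
Jan 16 06:59:26 http connection attempt from 64.152.75.101
Jan 16 07:00:09 http connection attempt from 216.35.116.100
Jan 16 07:00:28 http connection attempt from 64.152.75.101
Jan 16 07:00:56 last message repeated 4 time(s)
Jan 16 07:01:00 sunrpc connection attempt from 166.90.84.59
Jan 16 07:01:17 http connection attempt from 64.152.75.101
Jan 16 07:01:36 http connection attempt from 167.202.196.71
Jan 16 07:01:44 http connection attempt from 64.152.75.101
"""

TIMESTAMP = r"(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
ATTEMPT_RE = re.compile(TIMESTAMP + r" (\S+) connection attempt from (\S+)$")
REPEAT_RE = re.compile(TIMESTAMP + r" last message repeated (\d+) time\(s\)$")


def parse_ippl(text):
    """Return a list of (timestamp, service, source) tuples.

    A 'last message repeated N time(s)' line is the syslog compression of
    N further copies of the previous attempt, so it is expanded here.
    """
    events = []
    last = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            last = (m.group(2), m.group(3))
            events.append((m.group(1), *last))
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:
            events.extend((m.group(1), *last) for _ in range(int(m.group(2))))
            continue
        # Unrecognised line formats are skipped; a real job would log them.
    return events


def summarize(events):
    """Attempts per source, and the set of services each source touched."""
    per_source = Counter(src for _, _, src in events)
    services = defaultdict(set)
    for _, svc, src in events:
        services[src].add(svc)
    return per_source, services


def flag_sources(events, threshold=3, ignore=()):
    """Sources worth a closer look: many attempts, or more than one service.

    threshold and ignore are assumed tunables (the 'paranoia level' and the
    hosts one chooses to ignore); adjust to taste.
    """
    per_source, services = summarize(events)
    return sorted(
        src for src, n in per_source.items()
        if src not in ignore and (n >= threshold or len(services[src]) > 1)
    )


if __name__ == "__main__":
    evs = parse_ippl(IPPL_LOG)
    counts, svcs = summarize(evs)
    for src, n in counts.most_common():
        print(f"{src:16} {n:3} attempt(s) on {', '.join(sorted(svcs[src]))}")
    print("flagged:", flag_sources(evs))
```

Run from cron every few minutes against the live log (or against the lines appended since the last run) and feed the flagged sources into whatever cross-check against the other IDS reports is wanted; the point is that the repeat line must be expanded first, or the busiest source in the sample above is undercounted by half.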
