Re: Detecting break-ins
hi ya
On Wed, 16 Jan 2002, Yotam Rubin wrote:
> On Tue, Jan 15, 2002 at 09:04:07PM +0100, Balazs Javor wrote:
> > Hi,
> >
> > Recently I've installed some IP logging daemons
> > (snort, ippl along with logcheck) and I was amazed
you'd need (host/network) IDSs in addition to the above log checkers
> Strangely, ippl is an extremely popular tool. Using ippl is inadvisable, it
> provides a false sense of information. ippl is unversatile, the filter
> language is too simple to allow complex operations.
> * ippl is limited only to UDP and TCP.
> * ippl logs only TCP syn packets, many port scanners apply scanning methods
> which include the transmission of non-syn packets. If these methods are
> used, ippl will not detect them.
> * Finally, ippl provides little information about connection attempts.
> Perhaps you should consider using alternative tools, such as argus.
output of ippl....
- i'd say i have enough info to go chase down unauthorized
attempts on different ports
- i can run a cronjob every 5 min to selectively
go and check or ignore it
- you can put this log file outside of /var/log/*
( say we put the ippl log file at /x/y/z/abc/x.log )
- which is why i like it
- and is 1 minute to install/setup..
- i prefer to get raw data... and i'll post process it
with my filters/config options and paranoia level
and cross check against other IDS reports
Jan 16 06:57:29 auth connection attempt from 216.103.69.42
Jan 16 06:58:41 http connection attempt from 131.155.85.29
Jan 16 06:58:47 smtp connection attempt from 216.234.231.6
Jan 16 06:59:26 http connection attempt from 64.152.75.101
Jan 16 07:00:09 http connection attempt from 216.35.116.100
Jan 16 07:00:28 http connection attempt from 64.152.75.101
Jan 16 07:00:56 last message repeated 4 time(s)
Jan 16 07:01:00 sunrpc connection attempt from 166.90.84.59
Jan 16 07:01:17 http connection attempt from 64.152.75.101
Jan 16 07:01:36 http connection attempt from 167.202.196.71
Jan 16 07:01:44 http connection attempt from 64.152.75.101
have fun
alvin
http://www.Linux-Sec.net/IDS ... ids stuff
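The post-processing step alvin describes (a cron job that reads the raw ippl log and decides what to chase and what to ignore) can be sketched in a few lines. The following is an added example, not part of the thread or of ippl itself; it assumes the line format quoted in the post, including the syslog-style "last message repeated N time(s)" line, and uses constructed sample lines. The thresholds are the "paranoia level" knob.

```python
import re
from collections import defaultdict

# Constructed sample in the ippl log format quoted in the post (not real traffic).
SAMPLE_LOG = """\
Jan 16 06:57:29 auth connection attempt from 216.103.69.42
Jan 16 06:58:41 http connection attempt from 131.155.85.29
Jan 16 07:00:09 http connection attempt from 216.35.116.100
Jan 16 07:00:28 http connection attempt from 64.152.75.101
Jan 16 07:00:56 last message repeated 4 time(s)
Jan 16 07:01:00 sunrpc connection attempt from 166.90.84.59
Jan 16 07:01:17 http connection attempt from 64.152.75.101
Jan 16 07:02:03 smtp connection attempt from 216.35.116.100
Jan 16 07:02:10 ftp connection attempt from 216.35.116.100
"""

# Assumed line shapes: "<mon> <day> <time> <service> connection attempt from <src>"
# and the syslog-style repeat marker that refers to the previous line.
ATTEMPT_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) connection attempt from (\S+)$")
REPEAT_RE = re.compile(r"^\w{3} +\d+ [\d:]+ last message repeated (\d+) time\(s\)$")

def parse_ippl(text):
    """Return a list of (service, source) tuples, expanding repeat markers."""
    events, last = [], None
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            last = (m.group(1), m.group(2))
            events.append(last)
            continue
        m = REPEAT_RE.match(line)
        if m and last is not None:            # repeat applies to the previous event
            events.extend([last] * int(m.group(1)))
    return events

def summarize(events, min_services=3, min_attempts=5):
    """Flag a source that touches min_services or more distinct services
    (multi-port probing) or hits one service min_attempts times or more."""
    per_source = defaultdict(lambda: defaultdict(int))
    for service, src in events:
        per_source[src][service] += 1
    return {src: dict(svc) for src, svc in per_source.items()
            if len(svc) >= min_services or max(svc.values()) >= min_attempts}

if __name__ == "__main__":
    for src, services in summarize(parse_ippl(SAMPLE_LOG)).items():
        print(f"check {src}: {services}")
```

Anything the heuristic flags is a candidate to cross-check against the snort or other IDS reports for the same window, as the post suggests; everything else can be ignored by the cron job.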