Re: OT: An Idea for an IDS
On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
>
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng. This daemon
> > would then parse the log and look for suspicious things. If it found
> > something suspicious it would use regular expression to grab out
> > pertinent parts of the log (say the IP address) and act on the log
> > accordingly (in real time) by say dropping an IPTABLE rule down on the
> > IP address.
> >
> > Are there any projects out there to do this right now. If not, is this
> > a good idea? If it is who would be a person/group that would be
> > qualified and have the time/interest to develop it.
>
> Not really a good idea. Consider what happens when someone forges the IP
> addresses.
>
One can predefine trusted or other very important IP addresses which
cannot be blocked.
In fact, such an utility exists and is present in Debian Woody:
fwlogwatch.
HTH
--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.
Reply to: