
Re: OT: An Idea for an IDS



On Mon, 30 Jun 2003 at 22:39:15 -0400, Matt Zimmerman wrote:
> On Mon, Jun 30, 2003 at 06:38:33PM -0400, Phillip Hofmeister wrote:
> 
> > A daemon sits running in the background listening to a special device
> > (/dev) or an IPC which would originate from syslog-ng.  This daemon
> > would then parse the log and look for suspicious things.  If it found
> > something suspicious it would use regular expressions to grab out
> > pertinent parts of the log (say the IP address) and act on the log
> > accordingly (in real time) by say dropping an IPTABLE rule down on the
> > IP address.
> > 
> > Are there any projects out there to do this right now?  If not, is this
> > a good idea?  If it is, who would be a person/group that would be
> > qualified and have the time/interest to develop it?
> 
> Not really a good idea.  Consider what happens when someone forges the IP
> addresses.
> 

One can predefine trusted or other very important IP addresses which
cannot be blocked.
In fact, such a utility exists and is present in Debian Woody:
fwlogwatch.

HTH
-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 tomek@lodz.tpsa.pl   http://www.lodz.tpsa.pl/   | ones and zeros.
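The safeguard described above, worked through as an added example (not code from the thread and not fwlogwatch's own code): a log watcher counts suspicious entries per source address, but addresses on a predefined never-block list are reported rather than blocked, so log entries carrying a spoofed or trusted source cannot lock out the administrator. The log lines, the threshold and the protected networks are constructed for the example, and the iptables commands are returned as strings, not executed.

```python
import ipaddress
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample syslog lines: repeated failed logins from an outside host,
# plus failed logins that name the trusted management host 192.0.2.10.
SAMPLE_LOG = """\
Jun 30 22:40:01 gw sshd[1201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 30 22:40:03 gw sshd[1203]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jun 30 22:40:05 gw sshd[1205]: Failed password for admin from 203.0.113.45 port 51026 ssh2
Jun 30 22:40:07 gw sshd[1207]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jun 30 22:40:09 gw sshd[1209]: Failed password for root from 192.0.2.10 port 40004 ssh2
Jun 30 22:40:11 gw sshd[1211]: Failed password for root from 192.0.2.10 port 40006 ssh2
Jun 30 22:40:13 gw sshd[1213]: Accepted publickey for tomek from 192.0.2.10 port 40008 ssh2
"""

# The suspicious event; the capture group pulls out the pertinent part (source IP).
FAILED_LOGIN = re.compile(
    r"sshd\[\d+\]: Failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3}) port"
)

# Predefined addresses/networks that must never be blocked, however many
# suspicious entries name them (assumed values: management host, LAN, loopback).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "10.0.0.0/8", "127.0.0.0/8")]


def is_protected(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLOCK)


def decide_blocks(log_text: str, threshold: int = 3) -> Tuple[List[str], List[str]]:
    """Return (addresses to block, addresses over the threshold but protected)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_LOGIN.search(line)
        if m:
            hits[m.group(1)] += 1
    to_block, protected = [], []
    for ip, count in sorted(hits.items()):
        if count >= threshold:
            (protected if is_protected(ip) else to_block).append(ip)
    return to_block, protected


def iptables_commands(addresses: List[str]) -> List[str]:
    """Render the rules an enforcing daemon would apply; returned, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in addresses]
```

Protected addresses that cross the threshold still deserve an alert: a burst of failures naming the management host is itself worth a look.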
