Re: Firewall logs and analyzing tools
On Sat, 21 Jun 2003, bob parker wrote:
> On Fri, 20 Jun 2003 02:45, Massimo Villa wrote:
> > Is there anybody who knows an analyzing, monitoring and
> > reporting tool for iptables logs to discover possible attacks
> > and statistics information?
> logcheck might help, it distills the logs and emails the result to you or
> other designated recipient.
putting on the flame suit...
if iptables stopped the incoming traffic ... good ... it did its job
if iptables stopped legitimate traffic, the sender will probably tell
you to stop bouncing them or allow them as an exception ..
if you want to discover (endless) possible attacks...
- find other iptables rules you need to add to your list and why
- spend your time hardening your servers and lan ...
(a semi-finite list of things to do vs infinite possible attacks)
- find "all" the known exploits for a particular vulnerability
and patch it and defend your servers against that exploit
if you are running some ids... it's too late... they are already in your
- better now spend time to prevent them getting in next time
- don't bother with figuring out all those doing port scans
of your servers ..
- do apply all the patches to all apps running on those ports
if you like looking at pretty statistics ..
grep ssh /var/log/messages | grep -iv "your-own-servers-n-ip#"
grep icmp /var/log/messages
grep ftp /var/log/messages
grep telnet /var/log/messages
egrep -iv "ssh|icmp|ftp|telnet" /var/log/messages
grep error /var/log/http/error_log
plot all that out in whatever presentation you want
( check into firesoft ?? )
lots o fun stuff
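The grep-and-count approach above, carried one step further as an added example (not from the original post): a small parser for iptables LOG-target lines in /var/log/messages that tallies hits per source address and per protocol/port, skipping your own hosts the way the "grep -iv" does. The log lines, host name "gw" and addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG-target lines as the kernel writes them to
# /var/log/messages (hypothetical hosts and addresses, not from the original post).
SAMPLE_LOG = """\
Jun 21 10:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=48 ID=1 PROTO=TCP SPT=40001 DPT=22 SYN
Jun 21 10:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=40002 DPT=23 SYN
Jun 21 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=52 ID=3 PROTO=TCP SPT=5555 DPT=22 SYN
Jun 21 10:00:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=40 TTL=64 ID=4 PROTO=TCP SPT=33000 DPT=22 SYN
Jun 21 10:00:05 gw sshd[123]: Accepted publickey for alice from 192.0.2.20
Jun 21 10:00:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TTL=48 ID=5 PROTO=ICMP TYPE=8 CODE=0
"""

# Your own servers' addresses, excluded from the tally like the "grep -iv" above.
OWN_HOSTS = {"192.0.2.20"}

# Only the KEY=VALUE fields we care about; SPT/LEN/TTL/ID are ignored.
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_iptables_line(line):
    """Return a dict of SRC/DST/PROTO/DPT for a kernel LOG line, or None otherwise."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def summarize(log_text, own_hosts=OWN_HOSTS):
    """Count logged packets per source and per (PROTO, DPT), skipping own hosts.

    ICMP and other port-less protocols get '-' in place of a destination port."""
    by_src, by_service = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_iptables_line(line)
        if rec is None or rec.get("SRC") in own_hosts:
            continue
        by_src[rec["SRC"]] += 1
        by_service[(rec.get("PROTO"), rec.get("DPT", "-"))] += 1
    return by_src, by_service

if __name__ == "__main__":
    # On a real box: summarize(open("/var/log/messages").read())
    srcs, services = summarize(SAMPLE_LOG)
    print("top sources:", srcs.most_common(5))
    print("top services:", services.most_common(5))
```

The two Counters are what you would feed to whatever plotting tool you like; the per-service counts tell you which ports are worth patching the apps behind, which is the point of the list above.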