Where are "Log AttackLog" emails coming from...
I have inherited the lovely duty of admin'ing a production server
running Etch. It's all very straightforward except for a phantom
installed package that is spitting out snort-esque emails to root
about perceived ongoing attacks. Unfortunately the only one it ever
seems to complain about is the "TearDrop Attack" which it really isn't
(it's just a strange network topology combined with some OS X users
using Bonjour). I am constantly getting emails with the subject line
Log AttackLog(from: [ip])
followed by the relevant lines from some mysterious log file that I
can't find. Googling only shows that apparently whatever this package
is is also used on various firewall and router devices/firmwares, as
they also send out similar emails. I've dug through dpkg's installed
package list and even gutted out some log notification packages, but
for the love of god, I can't seem to hit the right one. Does anyone
know which package this is? Either so I can edit its detection
ruleset or destroy it utterly...
hose