[Courses] [Security] what logs?

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Mar 29 22:13:58 EST 2002


Heya --

Quoth Hamster (Tue, Mar 26, 2002 at 05:05:54PM +0100):
> posts on our security course, I have seen numerous examples of people
> saying something like "I can see in our logs that we are getting
> scanned x times a day".  I feel a bit silly asking this, but what logs
> are they referring to?

	The logs for whatever they're using to detect portscanning.
Usually these are logs from the firewall of denied packets, or logs from
an intrusion detection system (another thing I want to talk about
eventually, but let's get through firewalls first) like Snort or Psad.
 
> Are these logs created by some separate programmes written
> specifically for monitoring portscans? (if so, what are some of these
> programmes called?) OR Are these logs created by iptables itself?

	Reference the above.  You can find out more information on Snort
at http://www.snort.org/ , Psad at http://www.cipherdyne.com/psad/ , or
Network Flight Recorder at http://www.nfr.net/.  

	The logs from ipchains or iptables usually go to
/var/log/messages, but the default behaviour is not to log.  If you want
packets denied by a particular rule to log, you have to use the -l
option when creating that rule to tell them to log.  When you're seeing
a portscan, you'll usually see a series of denied packets.  "TCP to port
1 rejected!  TCP to port 2 rejected!...", essentially.  (The logs don't
look like that -- we'll show examples after we've built an ipchains
firewall.)

	The logs from an IDS go to wherever you configure them for that
particular package.  This varies greatly from IDS to IDS.

Cheers,
Raven
 
"That should be: "If cryptography is outlawed, only bhgynjf jvyy unir
 pelcgb!" Or maybe, for maximum effect, "...only pvumbxt xjmm ibwf
 dszqup!""
 -- Kai, on 'better' cryptography

MD5 (outlaws) = 4c86ccf216da19edcc4b80e3824b67ab
 -- my response
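The "port 1 rejected, port 2 rejected, ..." pattern above is easy to pick out by hand for a dozen lines, but on a busy firewall you want a script to do it. The following is an added example, not code from the post or from any of the IDS packages it mentions. It assumes the iptables LOG target format as it lands in /var/log/messages (the key=value fields SRC=, DST=, PROTO=, DPT=), the constructed host name "gw", a "DENIED: " log prefix and private sample addresses; the older ipchains "Packet log:" format is laid out differently and is not handled. The sample lines are constructed inline for the example, not captured from a real system.

```python
"""Flag portscans in netfilter LOG output from /var/log/messages.

Added example, not code from the original post.  It parses the key=value
fields written by the iptables LOG target and reports any source address
that probes many distinct destination ports on one host within a short
window, which is the "port 1 rejected, port 2 rejected, ..." pattern the
post describes.  Host name, log prefix and addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog prefix: "Mar 29 22:13:58 host kernel: DENIED: IN=... DPT=..."
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict of the LOG fields plus 'ts' and 'host', or None if the
    line is not a kernel log entry carrying netfilter fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))  # flags like DF/SYN have no '=' and are skipped
    if "SRC" not in fields or "DST" not in fields:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, which is
    # fine for ordering events within one log file.
    fields["ts"] = datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")
    fields["host"] = host
    return fields


def find_scans(lines, window_seconds=60, min_ports=10):
    """Return {(src, dst): sorted distinct ports} for every source that hit
    at least min_ports distinct TCP/UDP destination ports on dst within any
    interval of window_seconds."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dpt), ...]
    for line in lines:
        f = parse_line(line)
        if f and f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            events[(f["SRC"], f["DST"])].append((f["ts"], int(f["DPT"])))

    scans = {}
    for key, evs in events.items():
        evs.sort()
        j = 0
        for i in range(len(evs)):
            # Slide the window: evs[i:j] are the events within
            # window_seconds of evs[i].  j only ever moves forward.
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_seconds:
                j += 1
            ports = {dpt for _, dpt in evs[i:j]}
            if len(ports) >= min_ports:
                scans[key] = sorted(ports | set(scans.get(key, [])))
    return scans


def constructed_sample():
    """Constructed log lines in LOG-target format (not captured from a real
    system): one address sweeping ports 1-12 within a few seconds, two
    unrelated denied packets from another address, and one non-firewall
    syslog line that the parser must ignore."""
    head = ("Mar 29 22:13:{sec:02d} gw kernel: DENIED: IN=eth0 OUT= "
            "SRC={src} DST=192.168.1.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 "
            "ID=0 DF PROTO={proto} SPT={spt} DPT={dpt} {tail}")
    tcp_tail = "WINDOW=1024 RES=0x00 SYN URGP=0"
    lines = [head.format(sec=10 + n, src="10.0.0.5", proto="TCP",
                         spt=43210, dpt=n + 1, tail=tcp_tail) for n in range(12)]
    lines.append(head.format(sec=40, src="10.0.0.9", proto="UDP",
                             spt=5353, dpt=5353, tail="LEN=8"))
    lines.append(head.format(sec=45, src="10.0.0.9", proto="TCP",
                             spt=50000, dpt=80, tail=tcp_tail))
    lines.append("Mar 29 22:13:50 gw sshd[123]: Accepted publickey for raven")
    return lines


if __name__ == "__main__":
    for (src, dst), ports in find_scans(constructed_sample()).items():
        print(f"{src} scanned {dst}: {len(ports)} ports, {ports[0]}-{ports[-1]}")
```

Run against a real file with `find_scans(open("/var/log/messages"))`. The thresholds are the interesting knobs: two stray denied packets from one host in a minute are noise, so with the default `min_ports=10` only the sweeping address is reported; lowering it catches slow scans at the cost of false positives, and widening `window_seconds` catches scanners that deliberately pace their probes.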


