[techtalk] Better snort/logcheck reporting

Nicole Zimmerman colby at wsu.edu
Sat Apr 21 23:43:19 EST 2001


If you go into /etc/logcheck/ you can specify strings to ignore and
strings to mark as violations (rather than "unusual events").

I would imagine there are logcheck rules out there on the 'net that you can
grab for known attacks that are not included in the defaults. If you are
using the potato version you might check out the files in the
testing/unstable version to see if they have additional rules that aren't
in the earlier one.

You might also check out 'portsentry': it looks for port scans on specific
ports so you don't have to get all of the other traffic as well. Snort is
good for all around stuff.

As far as purging pptpd that seems strange. You can at least remove it
from your rc startup scripts by running
update-rc.d -f pptpd remove

Try purging it again. Maybe the removal script isn't completely correct?

-nicole

At 00:26 on Apr 22, Kath combined all the right letters to say:

> Does anyone know of a way for better snort/logcheck outputting?
> 
> I get stuff from ipop3d about regular (completely normal) pop3 logins by myself.  I'd rather not get these all together.
> 
> Also I'm getting the following:
> 
> Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: Client 24.186.89.xx control connection started
> Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: EOF or bad error reading ctrl packet length.
> Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: couldn't read packet header (exit)
> Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: CTRL read failed
> Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: Client 24.186.89.xx control connection finished
> 
> I recently dpkg --purge pptpd and I thought I got this removed, so why am I getting these spit out in the logs?
> 
> I'd rather see only specific stuff, like known attacks and portscans.
> 
> - Kath
> 
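The ignore/violation split Nicole describes, simulated in Python as an added example (not code from logcheck or from either poster). It assumes logcheck-style extended-regex rules, one per line, and that violation rules are tested before ignore rules; the sample lines are constructed, modelled on the pptpd and ipop3d entries quoted above.

```python
import re

# Constructed sample lines, modelled on the pptpd/ipop3d entries quoted in the thread.
SAMPLE_LOG = [
    "Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: Client 24.186.89.xx control connection started",
    "Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: couldn't read packet header (exit)",
    "Apr 21 22:31:10 hwnet ipop3d[2301]: Login user=kath host=localhost [127.0.0.1]",
    "Apr 21 22:32:05 hwnet portsentry[411]: attackalert: TCP SYN/Normal scan from host: 10.0.0.5/10.0.0.5 to TCP port: 143",
    "Apr 21 22:33:00 hwnet ipop3d[2410]: Login failed user=root auth=root host=203.0.113.9",
]

# Extended-regex rules in the style of logcheck's pattern files (one regex per line).
# Keep ignore rules tight: user, host and message are all pinned, so a failed or
# remote POP3 login does not disappear along with Kath's own routine logins.
IGNORE_RULES = [
    r"ipop3d\[[0-9]+\]: Login user=kath host=localhost \[127\.0\.0\.1\]$",
]
VIOLATION_RULES = [
    r"portsentry\[[0-9]+\]: attackalert:",
    r"ipop3d\[[0-9]+\]: Login failed",
]

def classify(lines, ignore=IGNORE_RULES, violations=VIOLATION_RULES):
    """Split log lines into (security violations, unusual events).

    Violation rules are tested first so an ignore rule can never silence them;
    whatever is neither a violation nor ignored lands in the 'unusual' bucket,
    which is where the stray pptpd lines from the thread end up.
    """
    vio = [re.compile(p) for p in violations]
    ign = [re.compile(p) for p in ignore]
    found, unusual = [], []
    for line in lines:
        if any(r.search(line) for r in vio):
            found.append(line)
        elif not any(r.search(line) for r in ign):
            unusual.append(line)
    return found, unusual

def overbroad_ignores(ignore=IGNORE_RULES, violations=VIOLATION_RULES, samples=SAMPLE_LOG):
    """Return ignore rules that also match a sample line flagged as a violation.

    Such a rule is wider than intended; in a pipeline that applied ignores first
    it would hide an attack, so flag it before deploying the rule file.
    """
    vio = [re.compile(p) for p in violations]
    flagged = [l for l in samples if any(r.search(l) for r in vio)]
    return [p for p in ignore if any(re.search(p, l) for l in flagged)]

if __name__ == "__main__":
    found, unusual = classify(SAMPLE_LOG)
    print("Security violations:", *found, sep="\n  ")
    print("Unusual events:", *unusual, sep="\n  ")
    print("Over-broad ignore rules:", overbroad_ignores())
```

Run `overbroad_ignores()` against a few known-bad lines each time an ignore rule is added; a pattern as loose as `ipop3d` would be flagged immediately.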
