[techtalk] Better snort/logcheck reporting

Kath ranger at optonline.net
Sun Apr 22 12:34:30 EST 2001


I added *ipop3d*.* and *pumpd*.* to logcheck.ignore and everything is
working out great.

- Kath

----- Original Message -----
From: "Nicole Zimmerman" <colby at wsu.edu>
To: "Kath" <ranger at optonline.net>
Cc: <techtalk at linuxchix.org>
Sent: Sunday, April 22, 2001 2:43 AM
Subject: Re: [techtalk] Better snort/logcheck reporting


> If you go into /etc/logcheck/ you can specify strings to ignore and
> strings to mark as violations (rather than "unusual events").
>
> I would imagine there are logcheck rules out there on the 'net that you can
> grab for known attacks that are not included in the defaults. If you are
> using the potato version you might check out the files in the
> testing/unstable version to see if they have additional rules that aren't
> in the earlier one.
>
> You might also check out 'portsentry': it looks for port scans on specific
> ports so you don't have to get all of the other traffic as well. Snort is
> good for all around stuff.
>
> As far as purging pptpd that seems strange. You can at least remove it
> from your rc startup scripts by running
> update-rc.d -f pptpd remove
>
> Try purging it again. Maybe the removal script isn't completely correct?
>
> -nicole
>
> At 00:26 on Apr 22, Kath combined all the right letters to say:
>
> > Does anyone know of a way for better snort/logcheck outputting?
> >
> > I get stuff from ipop3d about regular (completely normal) pop3 logins by
> > myself.  I'd rather not get these altogether.
> >
> > Also I'm getting the following:
> >
> > Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: Client 24.186.89.xx control connection started
> > Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: EOF or bad error reading ctrl packet length.
> > Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: couldn't read packet header (exit)
> > Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: CTRL read failed
> > Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: Client 24.186.89.xx control connection finished
> >
> > I recently dpkg --purge pptpd and I thought I got this removed, so why
> > am I getting these spit out in the logs?
> >
> > I'd rather see only specific stuff, like known attacks and portscans.
> >
> > - Kath
> >
>
>
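The ignore/violation mechanism Nicole describes, and the kind of ignore entries Kath added, as an added example that is not part of this thread and not logcheck's own code. It runs a constructed syslog excerpt through the three-pass filter logcheck uses (pattern files matched with egrep: "hacking" lines first, then "violations", then everything else minus the ignore file). The file names follow logcheck's convention; the log lines, PIDs, addresses and patterns are all made up here.

```shell
#!/bin/sh
# Added example (not from the thread or from logcheck): a miniature
# logcheck-style pass over a constructed syslog excerpt. Pattern files are
# fed to egrep; lines matching the "hacking" or "violations" files are
# reported as such, and the ignore file only trims the catch-all
# "unusual events" section, so it can never hide an attack line.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample log (hosts, PIDs and addresses are invented).
cat > "$WORK/messages" <<'EOF'
Apr 21 22:30:59 hwnet ipop3d[2101]: Login user=kath host=localhost [127.0.0.1]
Apr 21 22:30:59 hwnet pptpd[2226]: CTRL: EOF or bad error reading ctrl packet length.
Apr 21 22:31:05 hwnet pumpd[310]: renewed lease for interface eth0
Apr 21 22:31:10 hwnet portsentry[412]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to TCP port: 23
Apr 21 22:31:12 hwnet sshd[520]: Failed password for root from 10.0.0.7 port 4321 ssh2
Apr 21 22:31:15 hwnet cron[600]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Constructed pattern files, one extended regex per line. Anchoring on the
# daemon name plus its PID bracket keeps an ignore entry from also
# swallowing, say, an ipop3d authentication failure.
cat > "$WORK/logcheck.hacking" <<'EOF'
attackalert
EOF
cat > "$WORK/logcheck.violations" <<'EOF'
Failed password
EOF
cat > "$WORK/logcheck.ignore" <<'EOF'
ipop3d\[[0-9]+\]: Login user=
pumpd\[[0-9]+\]:
cron\[[0-9]+\]: \(root\) CMD
EOF

# grep -E -i -f mirrors logcheck's egrep -i -f usage. An empty or missing
# pattern file matches nothing rather than making grep fail.
match_file() {
    [ -s "$2" ] && grep -E -i -f "$2" "$1" || true
}
drop_file() {
    if [ -s "$2" ]; then grep -E -i -v -f "$2" "$1" || true; else cat "$1"; fi
}

# Section 1: active system attacks. Ignore patterns never apply here.
report_attacks() { match_file "$WORK/messages" "$WORK/logcheck.hacking"; }

# Section 2: security violations.
report_violations() { match_file "$WORK/messages" "$WORK/logcheck.violations"; }

# Section 3: unusual events, i.e. whatever is left after the two sections
# above and the ignore file have been removed.
report_unusual() {
    drop_file "$WORK/messages" "$WORK/logcheck.hacking" > "$WORK/rest1"
    drop_file "$WORK/rest1" "$WORK/logcheck.violations" > "$WORK/rest2"
    drop_file "$WORK/rest2" "$WORK/logcheck.ignore"
}

# Line count of a section, useful for checking the result.
count_lines() { "$1" | grep -c '' || true; }

for section in report_attacks report_violations report_unusual; do
    echo "== $section =="
    "$section"
done
```

With the patterns above, the pop3 login, the pumpd lease renewal and the hourly cron run disappear from the report, the portsentry line and the failed root login are still reported under their own headings, and the stray pptpd line remains in "unusual events", which is where a message from a daemon that should no longer be installed belongs.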