> The reason I wanted Scanlogd was coz I have iptables rules like;
>
> $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG
> --log-level debug --log-prefix "Port Scan"
> $IPTABLES -t nat -A PREROUTING -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>
> that I would like to get rid of. What I had thought of was using scanlogd and
> writing a small script to monitor the scanlogd logfile and send me a message
> when the size of the logfile changes.
>
> Libnids-1.23 builds without any issues. It is just that when I rebuilt
> scanlogd (with Libnids support instead of pcap) scanlogd complains about
> sharing text segments, that's when I thought of checking libnids for
> TEXTREL.
>
> Anyway, the solution (snort_inline) you proposed makes better sense and
> that's what I am pursuing right now. Will let you know if I have any issues
> building snort_inline.
Real time port scan detection is not very valuable and will trigger constantly. A serious attacker will scan you v e r y s l o w l y and use a lot of dEcOyS. You would need to analyze a month's worth of captures to detect him. To correlate that data you could use ACID and BASE with a snort IDS (on a dedicated IDS appliance). I don't think you want all that work. Your efforts are better used to monitor your OPEN ports for attack data, which includes malformed packets, attempted buffer overflows, and brute force logins. This is where you want real time response like snort inline provides.

Note. There is the main snort project, which is at version 2.8 or so, and then there is also the "snort_inline project" which uses version 2.6. They are not the same thing; a big source of confusion. I prefer mainstream snort.

make distclean
./configure --prefix=/usr --libdir=/usr/lib --enable-inline --sysconfdir=/etc/snort --sbindir=/sbin --with-pic --enable-react --enable-stream4udp --enable-decoder-preprocessor-rules
make
make install

# optionally build the so rules if desired.
cd so_rules
# In CFLAGS we fix a fatal problem caused by the stack protector.
sed '[EMAIL PROTECTED]@-fPIC [EMAIL PROTECTED]' -i.orig Makefile
make clean
make
make install

/* You can eliminate a lot of bot scanning with this:
iptables -I INPUT -p tcp --sport 6000 -m state --state NEW -j DROP
iptables -I INPUT -p tcp --sport 12200 -m state --state NEW -j DROP

If you need remote access, look at nufw.
If you run apache, look at mod_security.
If you use PHP, look at suhosin module.
If you use proftpd, look at mod_ban.
If you have a mail server, look at assp. */

Marty B.
--
Building a better mousetrap only results in better mice. C. Darwin
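The correlation point above (a slow scan only becomes visible when you aggregate over a long window) as an added example that is not part of this thread: a Python script that parses lines written by the `--log-prefix "Port Scan"` LOG rule quoted earlier and counts distinct destination ports per source over a sliding time window. The log lines, the year supplied to the syslog timestamps and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample kernel-log lines as the LOG rule above writes them: the
# prefix "Port Scan" has no trailing space, so it runs straight into "IN=".
SAMPLE_LOG = """\
Jan  5 10:00:01 host kernel: Port ScanIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN FIN URGP=0
Jan  5 10:00:02 host kernel: Port ScanIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=25 SYN FIN URGP=0
Jan  5 10:00:03 host kernel: Port ScanIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=80 SYN FIN URGP=0
Jan  5 10:00:04 host kernel: Port ScanIN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=443 SYN FIN URGP=0
Jan  5 11:00:00 host kernel: Port ScanIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=22 SYN FIN URGP=0
Jan  5 17:00:00 host kernel: Port ScanIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50001 DPT=25 SYN FIN URGP=0
Jan  5 23:00:00 host kernel: Port ScanIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50002 DPT=80 SYN FIN URGP=0
Jan  6 05:00:00 host kernel: Port ScanIN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=50003 DPT=443 SYN FIN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Port Scan.*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse(log_text, year=2008):
    """Yield (timestamp, src_ip, dst_port) for every 'Port Scan' LOG line.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["dpt"])

def scanners(events, window_secs, min_ports):
    """Return {src: sorted_ports} for each source that hit at least
    min_ports distinct destination ports inside some window_secs span."""
    by_src = defaultdict(list)
    for ts, src, dpt in sorted(events):
        by_src[src].append((ts, dpt))
    hits = {}
    for src, probes in by_src.items():
        start = 0
        for end in range(len(probes)):
            # slide the window start forward until the span fits window_secs
            while (probes[end][0] - probes[start][0]).total_seconds() > window_secs:
                start += 1
            ports = {dpt for _, dpt in probes[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
    return hits
```

With a 60-second window only 203.0.113.5 is reported; the same four probes from 198.51.100.7, spread over 18 hours, need a window of a day or more before they count as one scan.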
--
http://linuxfromscratch.org/mailman/listinfo/hlfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
