Logging is kind of all or nothing with the standard ipchains functionality,
and all the log messages go to the same place.  You can either process the
logs periodically, or stop logging the packets with ipchains and use an
alternate facility to watch for (and log) nimda traffic (like snort).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

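The first option above, processing the logs periodically, is what the following added example shows. It is not code from the original thread or from the LEAF project: a small POSIX shell/awk filter that reads syslog output, keeps only the ipchains "Packet log:" lines that are TCP (PROTO=6), addressed to a given destination address:port, and carry the SYN marker, so a cron job can append just those lines to an alternate file such as /var/log/nimda. The log layout (`... PROTO=6 src:sport dst:dport L=... T=... SYN (#rule)`) is the classic ipchains format as assumed here; the sample lines are constructed, not captured traffic, and the output path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): post-process syslog output and
# keep only ipchains log lines for TCP SYN packets to one destination socket.
# Assumed ipchains log layout: "... PROTO=6 SRC:SPORT DST:DPORT L=.. ... T=.. SYN (#N)".

# Constructed sample syslog lines in the ipchains "Packet log:" format.
SAMPLE_LOG='Dec  4 12:05:01 firewall kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.5:3456 255.255.255.255:80 L=48 S=0x00 I=1234 F=0x4000 T=112 SYN (#3)
Dec  4 12:05:02 firewall kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.7:137 255.255.255.255:137 L=78 S=0x00 I=2 F=0x0000 T=128 (#5)
Dec  4 12:05:03 firewall kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.9:4000 255.255.255.255:80 L=40 S=0x00 I=9 F=0x0000 T=64 (#3)
Dec  4 12:05:04 firewall kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.11:1025 255.255.255.255:443 L=48 S=0x00 I=77 F=0x4000 T=112 SYN (#3)
Dec  4 12:05:05 firewall kernel: Packet log: input DENY eth0 PROTO=6 10.0.0.13:2222 255.255.255.255:80 L=48 S=0x00 I=88 F=0x4000 T=112 SYN (#3)'

# filter_syn_to DST:PORT
# Reads syslog lines on stdin and prints only the ipchains entries that are
# TCP, destined to DST:PORT, and flagged SYN (connection attempts, not
# established-flow or non-SYN packets).
filter_syn_to() {
    awk -v dst="$1" '
        /Packet log:/ && /PROTO=6/ {
            d = ""
            # The destination socket is the second field after PROTO=6.
            for (i = 1; i <= NF; i++)
                if ($i == "PROTO=6") { d = $(i + 2); break }
            if (d == dst && / SYN /) print
        }'
}

# count_syn_to DST:PORT
# Number of matching lines in the constructed sample, for a quick summary.
count_syn_to() {
    printf '%s\n' "$SAMPLE_LOG" | filter_syn_to "$1" | wc -l | tr -d ' '
}

# Periodic job (e.g. from cron): divert the matches to an alternate log.
# The input and output paths are assumptions for this example.
#   filter_syn_to 255.255.255.255:80 < /var/log/messages >> /var/log/nimda
```

Run from cron, the last line appends only the port-80 SYN entries to the alternate file while /var/log/messages keeps the full ipchains record; the awk locates the destination by position relative to the PROTO field rather than by column number, so leading syslog fields (timestamp, hostname) of varying width do not break the match.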

----- Original Message -----
From: "Sergio Morilla" <[EMAIL PROTECTED]>
To: "Leaf-user@lists.sourceforge.net (E-mail)" <[EMAIL PROTECTED]>
Sent: Tuesday, December 04, 2001 12:05 PM
Subject: [Leaf-user] Alternate logging


Hi,

My ISP has some sites that have different versions of nimda on their
servers.
I am constantly being scanned on port 80. I know there should be a way to
log this on an alternate log file.

A fragment of syslog.conf looks like this:

*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages


ipchains uses facility "kernel" and level "info",
so I was hoping to set a rule

kernel.info -/var/log/nimda

but this matches "all" ipchains messages!!!
Is there any way I can select only messages that are sent to
255.255.255.255:80 and have the SYN flag, and divert them to
/var/log/nimda??

Thanks in advance
Sergio



_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
