Hi, I'm having the same problem... how did you solve it?
[]s

----- Original Message -----
From: "Fabiano Carlos Heringer" <[EMAIL PROTECTED]>
To: "linux-br" <[EMAIL PROTECTED]>
Sent: Friday, March 19, 2004 6:56 PM
Subject: Re: (linux-br) blocking attacks with snort+guardian

> in /var/log/guardian.log
> we have:
> Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
> Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
> Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
> Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
> Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
> Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
> Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
> Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
>
> and much more...
>
> in /var/log/messages
> the only messages about snort and guardian are from startup...
> but here goes:
>
> Mar 19 11:41:35 servidor snort: Initializing daemon mode
> Mar 19 11:41:35 servidor snort: PID path stat checked out ok, PID path set to /var/run/
> Mar 19 11:41:35 servidor snort: Writing PID "2352" to file "/var/run//snort_eth0.pid"
> Mar 19 11:41:35 servidor snort: ,-----------[Flow Config]----------------------
> Mar 19 11:41:35 servidor snort: | Stats Interval: 0
> Mar 19 11:41:35 servidor snort: | Hash Method: 2
> Mar 19 11:41:35 servidor snort: | Memcap: 10485760
> Mar 19 11:41:35 servidor snort: | Rows : 4099
> Mar 19 11:41:35 servidor snort: | Overhead Bytes: 16400(%0.16)
> Mar 19 11:41:35 servidor snort: `----------------------------------------------
> Mar 19 11:41:35 servidor snort: HttpInspect Config:
> Mar 19 11:41:35 servidor snort: GLOBAL CONFIG
> Mar 19 11:41:35 servidor snort: Max Pipeline Requests: 0
> Mar 19 11:41:35 servidor snort: Inspection Type: STATELESS
> Mar 19 11:41:35 servidor snort: Detect Proxy Usage: NO
> Mar 19 11:41:35 servidor snort: IIS Unicode Map Filename: /etc/unicode.map
> Mar 19 11:41:35 servidor snort: IIS Unicode Map Codepage: 1252
> Mar 19 11:41:35 servidor snort: DEFAULT SERVER CONFIG:
> Mar 19 11:41:35 servidor snort: Ports:
> Mar 19 11:41:35 servidor snort: 80
> Mar 19 11:41:35 servidor snort: 8080
> Mar 19 11:41:35 servidor snort: 8180
> Mar 19 11:41:35 servidor snort:
> Mar 19 11:41:35 servidor snort: Flow Depth: 300
> Mar 19 11:41:35 servidor snort: Max Chunk Length: 500000
> Mar 19 11:41:35 servidor snort: Inspect Pipeline Requests: YES
> Mar 19 11:41:35 servidor snort: URI Discovery Strict Mode: NO
> Mar 19 11:41:35 servidor snort: Allow Proxy Usage: NO
> Mar 19 11:41:35 servidor snort: Disable Alerting: NO
> Mar 19 11:41:35 servidor snort: Oversize Dir Length: 500
> Mar 19 11:41:35 servidor snort: Only inspect URI: NO
> Mar 19 11:41:36 servidor snort: Ascii: YES alert: NO
> Mar 19 11:41:36 servidor snort: Double Decoding: YES alert: YES
> Mar 19 11:41:36 servidor snort: %U Encoding: YES alert: YES
> Mar 19 11:41:36 servidor snort: Bare Byte: YES alert: YES
> Mar 19 11:41:36 servidor snort: Base36: OFF
> Mar 19 11:41:36 servidor snort: UTF 8: OFF
> Mar 19 11:41:36 servidor snort: IIS Unicode: YES alert: YES
> Mar 19 11:41:36 servidor snort: Multiple Slash: YES alert: NO
> Mar 19 11:41:36 servidor snort: IIS Backslash: YES alert: NO
> Mar 19 11:41:36 servidor snort: Directory: YES alert: NO
> Mar 19 11:41:36 servidor snort: Apache WhiteSpace: YES alert: YES
> Mar 19 11:41:36 servidor snort: IIS Delimiter: YES alert: YES
> Mar 19 11:41:36 servidor snort: IIS Unicode Map: GLOBAL IIS UNICODE MAP CONFIG
> Mar 19 11:41:36 servidor snort: Non-RFC Compliant Characters:
> Mar 19 11:41:36 servidor snort: NONE
> Mar 19 11:41:36 servidor snort:
> Mar 19 11:41:36 servidor snort: rpc_decode arguments:
> Mar 19 11:41:36 servidor snort: Ports to decode RPC on: 111 32771
> Mar 19 11:41:36 servidor snort: alert_fragments: INACTIVE
> Mar 19 11:41:36 servidor snort: alert_large_fragments: ACTIVE
> Mar 19 11:41:36 servidor snort: alert_incomplete: ACTIVE
> Mar 19 11:41:36 servidor snort: alert_multiple_requests: ACTIVE
> Mar 19 11:41:36 servidor snort: Snort initialization completed successfully
>
> access to the logs is fully open, I thought that might be it... but
> it's OK
>
> []'s
>
> (I hope the moderator doesn't block me hehehe)
> What do the logs show in this case???
>
> /var/log/message
> /var/log/guardian (or wherever it is)
>
> Have you granted guardian read access to the snort logs???
>
>
> ---------------------------------------------------------------------------
> This list is sponsored by Conectiva S.A. Visit http://www.conectiva.com.br
>
> Archive: http://bazar2.conectiva.com.br/mailman/listinfo/linux-br
> List usage rules: http://linux-br.conectiva.com.br
> FAQ: http://www.zago.eti.br/menu.html
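A small triage script for the guardian.log lines quoted in this thread, added here as an example that is not part of the thread or of guardian itself. It parses the "Odd.. source = A, dest = B. No action done." lines, groups the unacted events by source, and flags the two things visible in the quoted log that an operator would check before expecting guardian to block anything: the source being the same host as the destination, and the source being a private LAN address rather than an external one. Those two checks are heuristics assumed for this example, not guardian's own logic, and the log sample is constructed from the lines above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the guardian.log lines quoted in the thread.
SAMPLE_LOG = """\
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.3, dest = 200.221.1.86. No action done.
Odd.. source = 192.168.0.7, dest = 64.157.165.249. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
Odd.. source = 192.168.0.2, dest = 192.168.0.2. No action done.
"""

# Matches the "Odd.. source = A, dest = B. No action done." format shown in the thread.
LINE_RE = re.compile(
    r"^(?P<status>\w+)\.\.\s+source = (?P<src>[\d.]+), dest = (?P<dst>[\d.]+)\.\s+(?P<action>.+)$"
)


def parse_guardian_log(text):
    """Return one dict per recognised line; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(events):
    """Group 'No action done' events by source and attach operator checks.

    Heuristics assumed for this example (not guardian's code):
      src_is_dst  - the alert is the host talking to itself
      src_private - the source is an RFC1918 LAN address, not an outside host
    """
    summary = defaultdict(lambda: {"count": 0, "dests": set(), "flags": set()})
    for ev in events:
        if ev["action"] != "No action done.":
            continue
        entry = summary[ev["src"]]
        entry["count"] += 1
        entry["dests"].add(ev["dst"])
        if ev["src"] == ev["dst"]:
            entry["flags"].add("src_is_dst")
        if ipaddress.ip_address(ev["src"]).is_private:
            entry["flags"].add("src_private")
    return dict(summary)


if __name__ == "__main__":
    for src, info in triage(parse_guardian_log(SAMPLE_LOG)).items():
        print(src, info["count"], sorted(info["dests"]), sorted(info["flags"]))
```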
