On Mon, May 28, 2007 at 10:35:41AM +0200, Tang Tse wrote:
> 2007/5/8, Alberich de megres <[EMAIL PROTECTED]>:
> > On 5/8/07, Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > > On Tue, May 08, 2007 at 10:45:36AM +0200, Alberich de megres wrote:
> > > > I'm new on the OpenBSD world... I came from the Linux world :P And I
> > > > got a question about logs.
> > > >
> > > > In Linux I used logwatch; I know that I can use it on OpenBSD.
> > > > But is there some other option in the OpenBSD world? What about
> > > > snort? What way do you use to analyze logs in a router firewall or
> > > > workstations?
> > >
> > > For log analysis, which is different from analyzing bandwidth and
> > > such, there are plenty of systems. I'd urge you to look at
> > > something that reports anything unknown, though, at least if
> > > you're using a log analyzer to point you at things that need
> > > fixing (as opposed to creating statistics, auto-blacklisting in
> > > response to SSH bruteforce attempts, and so on and so forth).
> > >
> > > Personally, I use SEC (sysutils/sec) for general log handling.
> > > It's pretty powerful, not too hard to use, and can be made to work
> > > in blacklist mode (search the web). I add pflogsumm
> > > (mail/pflogsumm) to handle all Postfix logs, mostly because SEC
> > > isn't that good at statistics (though you can get it to execute
> > > external programs...)
> >
> > Can Pfstat make per source IP (for the local LAN, for example) statistics?
> >
> > I heard nice things about SEC; I will take a look at both.
>
> Retaking this mail thread,
>
> One question about: which do you think is best? snort+sec? or pf+sec?
Snort and pf are network security technologies; the first is an intrusion detection system and the latter is a packet filter. SEC can be used as a log watcher. Those are different technologies; I think you might be a bit confused.

Snort+SEC is most likely not the best choice (look at anything from BASE to Prelude for analysing and/or monitoring Snort logs), and I don't know what output of pf you want to feed to SEC.

I'd recommend setting up pf first, log watching second, and ignoring Snort altogether. This is OpenBSD; vulnerabilities are rare, and if they appear, upgrading the vulnerable system is less work than upgrading the IDS. And the first actually makes you more secure.

		Joachim

-- 
TFMotD: gem (4) - GEM 10/100/Gigabit Ethernet device
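The thread recommends a log watcher that both auto-blacklists SSH brute-force sources and reports anything it does not recognise, with SEC feeding pf. The following stand-alone Python script is an added illustration of that pattern, not code from the thread, SEC or OpenBSD: it matches known sshd events, applies a per-source "N failures within a time window" rule (the shape of SEC's SingleWithThreshold rule), collects every unmatched line as "unknown", and emits the `pfctl -t <table> -T add` commands that would populate a pf table. The log lines, the hostname `fw`, the table name `bruteforce`, the threshold and window values, and the year used for parsing syslog timestamps are all constructed assumptions.

```python
"""
SEC-style log watcher (added example; not part of the mailing-list
thread, SEC or OpenBSD). It mirrors the advice in the thread:
  * blacklist sources that fail SSH authentication too often, and
  * report every line that matches no known pattern, so unexpected
    events are never silently dropped.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in OpenBSD syslog format; not a real capture.
SAMPLE_LOG = """\
May 28 10:35:41 fw sshd[1234]: Failed password for invalid user admin from 192.0.2.5 port 4321 ssh2
May 28 10:35:43 fw sshd[1234]: Failed password for invalid user admin from 192.0.2.5 port 4322 ssh2
May 28 10:35:45 fw sshd[1234]: Failed password for root from 192.0.2.5 port 4323 ssh2
May 28 10:35:46 fw sshd[1235]: Accepted publickey for joachim from 198.51.100.7 port 5000 ssh2
May 28 10:35:50 fw sshd[1236]: Failed password for invalid user test from 192.0.2.5 port 4324 ssh2
May 28 10:36:01 fw sshd[1237]: Failed password for invalid user guest from 203.0.113.9 port 6000 ssh2
May 28 10:36:05 fw kernel: constructed message with no matching rule
"""

TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<src>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")

THRESHOLD = 4        # failures from one source ... (assumed policy)
WINDOW_SECONDS = 60  # ... within this many seconds trigger a blacklist
ASSUMED_YEAR = 2007  # syslog timestamps carry no year; assumption for parsing


def parse_ts(text):
    """Parse a syslog timestamp; split/join collapses 'May  8' to 'May 8'."""
    normalised = " ".join(text.split())
    return datetime.strptime(f"{ASSUMED_YEAR} {normalised}", "%Y %b %d %H:%M:%S")


def watch(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run the rules over log lines and return what a watcher would report."""
    recent = defaultdict(deque)        # src -> timestamps of recent failures
    failed_counts = defaultdict(int)   # src -> total failures seen
    result = {"blacklist": [], "accepted": [], "unknown": []}

    for line in lines:
        if not line.strip():
            continue
        m = FAILED_RE.match(line)
        if m:
            src, ts = m["src"], parse_ts(m["ts"])
            failed_counts[src] += 1
            q = recent[src]
            q.append(ts)
            # Drop failures that fell out of the sliding window.
            while (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and src not in result["blacklist"]:
                result["blacklist"].append(src)
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            result["accepted"].append((m["user"], m["src"]))
            continue
        # Nothing matched: report it rather than ignore it.
        result["unknown"].append(line)

    result["failed_counts"] = dict(failed_counts)
    return result


def pf_table_commands(result, table="bruteforce"):
    """Commands to add blacklisted sources to a pf table (table name assumed)."""
    return [f"pfctl -t {table} -T add {src}" for src in result["blacklist"]]


if __name__ == "__main__":
    report = watch(SAMPLE_LOG.splitlines())
    for cmd in pf_table_commands(report):
        print("would run:", cmd)
    for line in report["unknown"]:
        print("UNKNOWN:", line)
```

In SEC the same logic is a SingleWithThreshold rule whose action runs the `pfctl` command; in a real deployment the pf table would be referenced by a `block in quick from <bruteforce>` rule in pf.conf, and the "unknown" list is what you would mail yourself daily so that new message types get a rule instead of disappearing.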