RE: [Leaf-user] Alternate loging
The obvious question is... Where can I get syslog-ng.lrp and some info about it??

-----Original Message-----
From: David Douthitt [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 04, 2001 15:25
To: LEAF Users List
Subject: Re: [Leaf-user] Alternate loging

Sergio Morilla wrote:
> My ISP has some sites that have different versions of nimda on their servers. I am constantly being scanned on port 80. I know there should be a way to log this on an alternate log file.
>
> ipchains uses facility kernel and level info, so I was hoping to set a rule
>
>     kernel.info -/var/log/nimda
>
> but this matches all ipchains messages!!!
>
> Is there any way I can select only messages that are sent to 255.255.255.255:80 and have the SYN flag diverted to /var/log/nimda??

syslog-ng could do this, but I don't think syslogd can; syslog-ng is bigger but appropriately MUCH more powerful. You can split up logs in almost any way you can think of...

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Alternate loging
Logging is kind of all or nothing with the standard ipchains functionality, and all the log messages go to the same place. You can either process the logs periodically, or you stop logging the packets with ipchains and use an alternate facility to watch for (and log) nimda traffic (like snort).

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

----- Original Message -----
From: Sergio Morilla [EMAIL PROTECTED]
To: Leaf-user@lists.sourceforge.net (E-mail) [EMAIL PROTECTED]
Sent: Tuesday, December 04, 2001 12:05 PM
Subject: [Leaf-user] Alternate loging

> Hi,
>
> My ISP has some sites that have different versions of nimda on their servers. I am constantly being scanned on port 80. I know there should be a way to log this on an alternate log file.
>
> A fragment of syslog.conf looks like:
>
>     *.=info;*.=notice;*.=warn;\
>     auth,authpriv.none;\
>     cron,daemon.none;\
>     mail,news.none -/var/log/messages
>
> ipchains uses facility kernel and level info, so I was hoping to set a rule
>
>     kernel.info -/var/log/nimda
>
> but this matches all ipchains messages!!!
>
> Is there any way I can select only messages that are sent to 255.255.255.255:80 and have the SYN flag diverted to /var/log/nimda??
>
> Thanks in advance
> Sergio
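Charles's first option, processing the logs periodically, as an added example that is not part of this thread or of any LEAF package: it assumes the `Packet log:` line layout that the 2.2-kernel ipchains logger writes at kernel.info, parses each syslog line, and diverts exactly the TCP, destination-port-80, SYN lines the original question asked for (the sample log lines and addresses are constructed).

```python
import re

# Layout of an ipchains "Packet log:" line as the 2.2 kernel emits it (assumed here):
# PROTO=6 is TCP, and a bare SYN token follows T=<ttl> when SYN is set and ACK is clear.
PACKET_LOG = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<rest>.*)$"
)

def parse_packet_log(line):
    """Return a dict of fields for an ipchains log line, or None for any other syslog line."""
    m = PACKET_LOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = int(rec["proto"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["syn"] = "SYN" in rec.pop("rest").split()  # flag token sits after the T= field
    return rec

def is_web_syn(rec, port=80):
    """The selector syslogd cannot express: TCP, destination port 80, SYN flag set."""
    return rec is not None and rec["proto"] == 6 and rec["dport"] == port and rec["syn"]

def split_log(lines, port=80):
    """Divert matching lines into 'nimda', everything else into 'other'.
    Mirrors a periodic pass over /var/log/messages that appends to /var/log/nimda."""
    nimda, other = [], []
    for line in lines:
        bucket = nimda if is_web_syn(parse_packet_log(line), port) else other
        bucket.append(line.rstrip("\n"))
    return nimda, other

# Constructed sample of what /var/log/messages might hold; documentation-range addresses.
SAMPLE = [
    "Dec  4 12:05:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3456 192.0.2.1:80 L=48 S=0x00 I=21634 F=0x4000 T=112 SYN (#12)",
    "Dec  4 12:05:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:3457 192.0.2.1:22 L=48 S=0x00 I=21635 F=0x4000 T=112 SYN (#13)",
    "Dec  4 12:05:03 fw kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1029 192.0.2.1:137 L=78 S=0x00 I=2 F=0x0000 T=128 (#14)",
    "Dec  4 12:05:04 fw kernel: Packet log: output ACCEPT eth0 PROTO=6 192.0.2.1:80 203.0.113.7:3456 L=40 S=0x00 I=0 F=0x4000 T=64 (#3)",
    "Dec  4 12:05:05 fw sshd[211]: Accepted password for root from 192.0.2.50",
]

if __name__ == "__main__":
    nimda, other = split_log(SAMPLE)
    for line in nimda:
        print(line)
```

Run from cron against the real file (for example, over the lines appended since the last pass) and append the `nimda` bucket to /var/log/nimda; only the first sample line above is diverted.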
Re: [Leaf-user] Alternate loging
Sergio Morilla wrote:
> The obvious question is... Where can I get syslog-ng.lrp and some info about it??

I don't think I was successful at making a package; it also requires a library called libol. I've been running syslog-ng on several full distributions here for some time.

I'm not sure if it can be compiled with glibc 2.0.7 or not; this step is necessary if you are using any production LEAF system. Oxygen development versions are already using glibc 2.1.3, and there is at least one Dachstein CDROM which has been converted to glibc 2.1.3.

One thing I've done is installed programs on a full distribution, taking care with library versions, then used the precompiled binaries to create the package from. You can do this by getting a Red Hat 5.2 RPM and loading it on any production RPM-based system, for example. Otherwise, if you've 5.2 in the back room, just take the tar.gz file and compile it and install it - then put the binaries into a package...