Security Incidents mailing list archives

Re: FW-1 log analysis tool

From: lance () SPITZNER NET (Lance Spitzner)
Date: Sat, 10 Jun 2000 08:55:58 -0500


On Fri, 9 Jun 2000, Chew Poh Chang (CAPL) wrote:

In particular, I am looking for a tool which highlights the security
incidents from a firewall-1 log, I dont care about bandwidth utilisation,
web site hits, top X sources/destinations (except where this might indicate
a scan/hack attempt.)


I developed a shell script that does just this, but with real time
alerting capability.  I and other have been using it for quite a while
with great success.

http://www.enteract.com/~lspitz/intrusion.html

hope that helps :)

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html

Current thread:

Re: Port 6347, (continued)
- - - Re: Port 6347 Brian Macke (Jun 08)
    - Re: Port 6347 Henry F. Marquardt (Jun 09)
    - Re: What is this guy doing? Greg A. Woods (Jun 08)
    - Port-scans from visited web-sites? Peter Bates (Jun 07)
    - Re: Port-scans from visited web-sites? Joe McAlerney (Jun 08)
    - Re: Port-scans from visited web-sites? Greg A. Woods (Jun 08)
    - Re: Port-scans from visited web-sites? Erich Meier (Jun 10)
    - scan log Max Gribov (Jun 11)
    - Re: scan log Jason Witty (Jun 12)
    - FW-1 log analysis tool Chew Poh Chang (CAPL) (Jun 08)
    - Re: FW-1 log analysis tool Lance Spitzner (Jun 10)
    - Re: FW-1 log analysis tool Kenneth Ish (Jun 11)
    - port 12345 scanning Luke Dudney (Jun 11)
    - Protocol 54 M J (Jun 07)
    - Re: very strange scan patterns Ejovi Nuwere (Jun 07)
    - hacked @home with logs and info.. nmorgowicz () RALCOIND COM (Jun 07)
    - Re: hacked @home with logs and info.. Shadow Boxer (Jun 08)
    - UDP Port 2078 Dundo (Jun 08)
    - New KAK worm distribution out Roy Wilson (Jun 08)
    - Re: hacked @home with logs and info.. Randy Mclean (Jun 09)
  - port 65535 and protocol 171 !? Jürgen Bauer (Jun 05)

(Thread continues...)