Re: traffic logging

[damian () ITACTICS COM (Damian Gerow)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Humm...  I don't much care for PortSentry's retaliation sequence.  The
suggested action (blocking the route, adding offending host to
hosts.deny, setting up a firewall rule to deny all traffic coming from
the offending host) really turns me off - it creates a nice, simple DoS
on it's own.

For logging traffic in detail, there's a nice patch to detect port
scans.  If you go to http://www.innu.org/~sean/, you can get it there.
That, combined with ippl and generic linux logging do it great.

> > I've been seeing a lot of odd traffic on several of my
> > machines and I was
> > wondering what you folks suggest for logging traffic on a
> > single machine.
> > Several of the machines are Linux boxes, and I'd like the
> > ability to log in
> > depth.  Things I'd like to capture would include things like
> > stealth scans
> > and odd packets.
> >
> > Any suggestions?
> Not so much for traffic, but I use logcheck for any anomolies
> in the log
> files, and PortSentry to detect and react to port scans.
> They can both be
> found here:
> http://www.psionic.com/
>
>
> /*---------------------------------------------------------
> Scott McClelland, CNA
> Network Administrator
> Vortex Data Systems
> (619) 497-6400 x229
> -----------------------------------------------------------*/

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBORAo7PWPEBDMsfC4EQJ0ygCfVMoJJNVbcsG0rPaethu1d4wH7CoAnjHA
8aFJZCLAqGs9aV2tAhC7t5Wf
=v3Mr
-----END PGP SIGNATURE-----