Security Incidents mailing list archives

RE: Recent Increase in Port 139 Activity


From: John Campbell <jcampbell () wsipc org>
Date: Fri, 7 Sep 2001 16:34:10 -0700

Our environment is mixed Windows and Unix - Linux and AIX.  I configure
syslog on firewalls to give me the level of data I'm interested in - the
more critical stuff.  I collect syslog from my firewalls on Windows boxes
using WinSyslog by Adiscon Software (www.winsyslog.com.)  This is a fine
product that is quite reasonably priced (about $50 per server in small
quantities.)  Syslog on Linux would be equivalent in functionality, and of
course, free.

Thanks to CodeRed, all this syslog builds up at the rate of about 100 MB per
log server per day!  I used Perl for the Win32 environment (Active State) to
write my log crunching programs.  They go through all the log, extract the
activity I'm most interested in, and summarize the rest.  I run these
programs every day for certain firewalls and web servers.  They take awhile
to run but otherwise are little trouble to manage.

I'm a fairly experienced programmer but fairly new to perl, so my programs,
though well documented, do not yet reflect very 'idiomatic' or even very
efficient perl, so might not be too cool to some.  I would certainly be
willing to share them, though, if anyone's interested.

Wishing you success with logs and Linux - John Campbell

-----Original Message-----
From: Richard Garand [mailto:krogoth2 () softhome net]
Sent: Friday, September 07, 2001 4:20 PM
To: Frank Knobbe; John Campbell
Subject: Re: Recent Increase in Port 139 Activity


I'm working on setting up my first linux server, and I will be configuring 
some security and logging, and I was wondering how you find things like 
this, and how much time you spend on this. Do you have some script that will scan 
the logs and present a summary? Do you check your logs daily? Thanks in 
advance for any advice you can give me.
-- 
Richard Garand
krogoth2 () softhome net, r.garand () sk sympatico ca
(L)ICQ: 12190132
"I don't know about you all, but I'm gonna be partying like it's
999,999,999" 
- seen on slashdot

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
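A sketch of the kind of log-crunching program described above, as an added example (not John's Perl code, and the firewall syslog format plus the sample lines are constructed assumptions): it pulls out the port 139 and port 80 hits for review and collapses everything else into a per-port count.

```python
import re
from collections import Counter

# Constructed sample of firewall syslog "DENY" lines (assumed format, not the
# real firewall output from the thread).
SAMPLE_LOG = """\
Sep  7 10:01:12 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP DPT=139
Sep  7 10:01:13 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.3 PROTO=TCP DPT=139
Sep  7 10:02:40 fw1 kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP DPT=80
Sep  7 10:03:01 fw1 kernel: DENY IN=eth0 SRC=192.0.2.77 DST=198.51.100.9 PROTO=TCP DPT=80
Sep  7 10:03:05 fw1 kernel: DENY IN=eth0 SRC=198.51.100.200 DST=198.51.100.2 PROTO=UDP DPT=53
Sep  7 10:04:00 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=198.51.100.4 PROTO=TCP DPT=139
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def parse_lines(text):
    """Yield (src, dst, proto, dpt) for every line that matches the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])

def crunch(text, interesting_ports=(139, 80)):
    """Split the log into events worth reading in full and a summary of the rest."""
    detail = []          # (src, dst, dpt) for the interesting ports
    summary = Counter()  # (proto, dpt) -> hit count for everything else
    for src, dst, proto, dpt in parse_lines(text):
        if dpt in interesting_ports:
            detail.append((src, dst, dpt))
        else:
            summary[(proto, dpt)] += 1
    return detail, summary

def top_sources(detail, port):
    """Distinct targets hit per source on one port, most active source first."""
    targets = {}
    for src, dst, dpt in detail:
        if dpt == port:
            targets.setdefault(src, set()).add(dst)
    return sorted(((s, len(d)) for s, d in targets.items()), key=lambda x: -x[1])

if __name__ == "__main__":
    detail, summary = crunch(SAMPLE_LOG)
    for port in (139, 80):
        for src, n in top_sources(detail, port):
            print(f"port {port}: {src} hit {n} distinct hosts")
    for (proto, dpt), n in sorted(summary.items()):
        print(f"other traffic: {proto}/{dpt} x{n}")
```

Pointing `crunch` at a day's log file instead of `SAMPLE_LOG` gives the daily review John describes: a short list of who swept port 139 or 80 and how widely, plus one line per port for the noise.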
