Security Incidents mailing list archives
Re: protocol watcher
From: Jose Nazario <jose () monkey org>
Date: Wed, 23 Apr 2003 10:22:29 -0400 (EDT)
On Tue, 22 Apr 2003, Justin Pryzby wrote:
My question: does something like this exist?
many years ago on an exposed mail server i ran i did kernel logging of tcp connections. "accepted" or "reject" with src ip and src port and dst port ... yeah, it ws useful but only when parsed. the trick is not in logging its in sifting through it to find interesting bits. i wound up writing some very convoluted awk/shell scripts to parse all of my logs and correlate data. however, it worked. i detected slow scans and all sorts of attempts before anything unwanted had happened. focus your efforts on data mining. generation is trivial in comparison. ___________________________ jose nazario, ph.d. jose () monkey org http://www.monkey.org/~jose/ ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
Current thread:
- protocol watcher Justin Pryzby (Apr 23)
- Re: protocol watcher Jose Nazario (Apr 23)