Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: protocol watcher

From: Jose Nazario <jose () monkey org>
Date: Wed, 23 Apr 2003 10:22:29 -0400 (EDT)
On Tue, 22 Apr 2003, Justin Pryzby wrote:


My question: does something like this exist?


many years ago on an exposed mail server i ran i did kernel logging of tcp
connections. "accepted" or "reject" with src ip and src port and dst port
... yeah, it ws useful but only when parsed. the trick is not in logging
its in sifting through it to find interesting bits.

i wound up writing some very convoluted awk/shell scripts to parse all of
my logs and correlate data. however, it worked. i detected slow scans and
all sorts of attempts before anything unwanted had happened.

focus your efforts on data mining. generation is trivial in comparison.

___________________________
jose nazario, ph.d.                     jose () monkey org
                                        http://www.monkey.org/~jose/

----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: