RE: Recent Increase in Port 139 Activity

From: John Campbell (jcampbellat_private)
Date: Fri Sep 07 2001 - 16:34:10 PDT


    Our environment is mixed Windows and Unix - Linux and AIX.  I configure
    syslog on firewalls to give me the level of data I'm interested in - the
    more critical stuff.  I collect syslog from my firewalls on Windows boxes
    using WinSyslog by Adiscon Software (www.winsyslog.com.)  This is a fine
    product that is quite reasonably priced (about $50 per server in small
    quantities.)  Syslog on Linux would be equivalent in functionality, and of
    course, free.
    
    Thanks to CodeRed, all this syslog builds up at the rate of about 100 MB per
    log server per day!  I used Perl for the Win32 environment (Active State) to
    write my log crunching programs.  They go through all the log, extract the
    activity I'm most interested in, and summarize the rest.  I run these
    programs every day for certain firewalls and web servers.  They take a while
    to run but otherwise are little trouble to manage.
    
    I'm a fairly experienced programmer but fairly new to perl, so my programs,
    though well documented, do not yet reflect very 'idiomatic' or even very
    efficient perl, so might not be too cool to some.  I would certainly be
    willing to share them, though, if anyone's interested.
    
    Wishing you success with logs and Linux - John Campbell
    
    -----Original Message-----
    From: Richard Garand [mailto:krogoth2at_private]
    Sent: Friday, September 07, 2001 4:20 PM
    To: Frank Knobbe; John Campbell
    Subject: Re: Recent Increase in Port 139 Activity
    
    
    I'm working on setting up my first linux server, and I will be configuring
    some security and logging, and I was wondering how you find things like this,
    and how much time you spend on this. Do you have some script that will scan
    the logs and present a summary? Do you check your logs daily? Thanks in
    advance for any advice you can give me.
    -- 
    Richard Garand
    krogoth2at_private, r.garandat_private
    (L)ICQ: 12190132
    "I don't know about you all, but I'm gonna be partying like it's
    999,999,999" 
    - seen on slashdot
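The reply above describes a daily "log crunching" job: read the whole firewall syslog, pull out the events of interest in full (here, anything aimed at port 139, the subject of the thread) and reduce everything else to counts. The following is an added example written for this page, not John Campbell's Perl code; it is in Python rather than Perl, and it assumes a netfilter-style syslog line format (`SRC=`, `DST=`, `DPT=` fields) that is only a convention chosen here. The sample log lines are constructed, not taken from any real firewall.

```python
import re
from collections import Counter

# Constructed sample firewall syslog (netfilter-style fields); not real traffic.
SAMPLE_LOG = """\
Sep  7 15:01:02 fw1 kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.10 PROTO=TCP SPT=4321 DPT=139
Sep  7 15:01:05 fw1 kernel: DROP IN=eth0 SRC=10.1.2.3 DST=192.0.2.11 PROTO=TCP SPT=4322 DPT=139
Sep  7 15:02:10 fw1 kernel: DROP IN=eth0 SRC=10.9.9.9 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=80
Sep  7 15:02:11 fw1 kernel: DROP IN=eth0 SRC=10.9.9.9 DST=192.0.2.12 PROTO=TCP SPT=1026 DPT=80
Sep  7 15:03:00 fw1 kernel: DROP IN=eth0 SRC=10.4.4.4 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=53
Sep  7 15:03:30 fw1 sshd[123]: Accepted publickey for admin from 10.0.0.5 port 5555 ssh2
"""

# Assumed line layout: "<syslog timestamp> <host> kernel: <ACTION> ... SRC= DST= PROTO= SPT= DPT="
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<action>\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict of fields for a firewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["spt"] = int(ev["spt"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def crunch(log_text, interesting_ports=frozenset({139})):
    """Split a log into (full detail for interesting ports, counts for everything else).

    Lines that do not parse as firewall events are counted, not silently dropped,
    so a format change upstream shows up in the summary instead of hiding traffic.
    """
    detail = []
    summary = {
        "total": 0,          # parsed firewall events
        "unparsed": 0,       # lines the regex did not recognise
        "by_dport": Counter(),   # non-interesting events per destination port
        "by_src": Counter(),     # non-interesting events per source address
        "interesting_by_src": Counter(),  # interesting events per source address
    }
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
            continue
        summary["total"] += 1
        if ev["dpt"] in interesting_ports:
            detail.append(ev)
            summary["interesting_by_src"][ev["src"]] += 1
        else:
            summary["by_dport"][ev["dpt"]] += 1
            summary["by_src"][ev["src"]] += 1
    return detail, summary


def report(detail, summary, top=5):
    """Render the daily summary as text suitable for mailing to an admin."""
    out = [f"parsed events: {summary['total']}  unparsed lines: {summary['unparsed']}", ""]
    out.append(f"interesting events (kept in full): {len(detail)}")
    for ev in detail:
        out.append(f"  {ev['ts']} {ev['action']} {ev['src']}:{ev['spt']} -> {ev['dst']}:{ev['dpt']}/{ev['proto']}")
    out.append("")
    out.append("other traffic, top destination ports:")
    for port, n in summary["by_dport"].most_common(top):
        out.append(f"  {port:>6}  {n}")
    out.append("other traffic, top sources:")
    for src, n in summary["by_src"].most_common(top):
        out.append(f"  {src:<16} {n}")
    return "\n".join(out)


if __name__ == "__main__":
    d, s = crunch(SAMPLE_LOG)
    print(report(d, s))
```

Run against a real syslog file by replacing `SAMPLE_LOG` with the file contents; the `interesting_ports` set is where the "level of data I'm interested in" lives, and the unparsed counter is worth watching because a firewall rule or syslog format change will show up there before it shows up anywhere else.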
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 16:38:10 PDT