On Tue, 22 Apr 2003, Justin Pryzby wrote: > My question: does something like this exist? many years ago on an exposed mail server i ran i did kernel logging of tcp connections. "accepted" or "reject" with src ip and src port and dst port ... yeah, it ws useful but only when parsed. the trick is not in logging its in sifting through it to find interesting bits. i wound up writing some very convoluted awk/shell scripts to parse all of my logs and correlate data. however, it worked. i detected slow scans and all sorts of attempts before anything unwanted had happened. focus your efforts on data mining. generation is trivial in comparison. ___________________________ jose nazario, ph.d. joseat_private http://www.monkey.org/~jose/ ---------------------------------------------------------------------------- Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the world's premier event for IT and network security experts. The two-day Training features 6 hand-on courses on May 12-13 taught by professionals. The two-day Briefings on May 14-15 features 24 top speakers with no vendor sales pitches. Deadline for the best rates is April 25. Register today to ensure your place. http://www.securityfocus.com/BlackHat-incidents ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Apr 23 2003 - 11:51:37 PDT