I see a lot of people upon this list able to keep records of increases in port scans over time. For example, it's common for a post to come through from a member asking about new scans on port foo - and a reply coming back saying "yes seen xxx of those since the 1st of xxx".

Can I ask what software are you using to record these logs?

I know that some firewall systems, like ipchains or iptables, will allow logs to be generated to syslog. However, these are not terribly interesting to read - and they are hard to keep track of.

I'm using a homebrewed system where I have a Perl script capturing packets, dumping source IP+port and destination IP+port to a database. This way I can produce pretty graphs showing scans of particular ports over time. (I'd be happy to release it if there's any interest.)

Steve
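
The kind of record-keeping the post describes, as an added example (it is not Steve's Perl script, which does not appear on this page): it parses iptables LOG lines from syslog into SQLite and counts packets and distinct sources per day for one port. The sample lines, table name and function names are constructed for illustration, and the year is passed in because syslog timestamps omit it.

```python
import re
import sqlite3
from datetime import datetime

# Constructed sample lines in the iptables LOG target's syslog format.
SAMPLE_LOG = """\
Aug 11 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=4321 DPT=135 SYN
Aug 12 09:30:55 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=48 TTL=110 PROTO=TCP SPT=1090 DPT=135 SYN
Aug 12 09:31:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.11 LEN=48 TTL=110 PROTO=TCP SPT=1091 DPT=135 SYN
Aug 12 11:02:40 fw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.10 LEN=404 TTL=52 PROTO=UDP SPT=1033 DPT=1434
Aug 12 11:05:00 fw sshd[311]: unrelated line that must be skipped
Aug 12 12:00:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")

def parse_line(line, year):
    """Return (time, proto, src, spt, dst, dpt), or None if the line has no ports."""
    m = STAMP.match(line)
    f = dict(FIELD.findall(line))
    if not m or not {"SRC", "DST", "PROTO", "SPT", "DPT"} <= f.keys():
        return None  # non-firewall line, or a protocol such as ICMP without ports
    # Assumption: the caller knows the year, since syslog does not record it.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return (ts.isoformat(sep=" "), f["PROTO"], f["SRC"], int(f["SPT"]), f["DST"], int(f["DPT"]))

def load(db, text, year):
    """Insert every parseable line into the hits table; return how many were stored."""
    db.execute("CREATE TABLE IF NOT EXISTS hits "
               "(ts TEXT, proto TEXT, src TEXT, spt INTEGER, dst TEXT, dpt INTEGER)")
    rows = [r for r in (parse_line(l, year) for l in text.splitlines()) if r]
    db.executemany("INSERT INTO hits VALUES (?,?,?,?,?,?)", rows)
    return len(rows)

def daily_counts(db, proto, dpt):
    """Packets and distinct source addresses per day for one destination port."""
    return db.execute(
        "SELECT date(ts), COUNT(*), COUNT(DISTINCT src) FROM hits "
        "WHERE proto = ? AND dpt = ? GROUP BY date(ts) ORDER BY date(ts)",
        (proto, dpt)).fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    print(load(db, SAMPLE_LOG, 2003), "rows loaded")
    for day, packets, sources in daily_counts(db, "TCP", 135):
        print(day, packets, sources)
```

Counting distinct sources next to raw packets separates one noisy host from a broad rise in scanning of a port, and the per-day rows are what a graphing tool would plot.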
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:58:36 PDT