Re: Tools for monitoring port scans / connection attmempts?

From: Dan Glass (djglassat_private)
Date: Thu Aug 14 2003 - 05:14:35 PDT

  • Next message: steveat_private: "Re: Tools for monitoring port scans / connection attmempts?"

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    you may want to try ACID (
    http://www.andrew.cmu.edu/~rdanyliw/snort/snortacid.html )
    
    it logs snort alerts into a database and can be used for data mining and
    graphing purposes (for the management-types out there). i successfully
    deployed an ACID machine a few months ago and have been very pleased
    with the results.
    
    dan
    
    edelweiss wrote:
    > 
    > Look for portsentry and logcheck.  Used to be available from www.psionic.com
    > before Psionic got bought out by Cisco.  I think there are mirrors of the source
    > code, though, if you do a quick search via google.
    > 
    > Tony
    > 
    > steveat_private wrote:
    > 
    >>  I see a lot of people upon this list able to keep records
    >> of increases in port scans over time.
    >>
    >>  For example it's common for a post to come through from a
    >> member asking about new scans on port foo - and a reply coming
    >> back saying "yes seen xxx of those since the 1st of xxx".
    >>
    >>  Can I ask what software are you using to record these logs?
    >>
    >>  I know that some firewall systems, like ipchains, or iptables
    >> will allow logs to be generated to syslog.  However these are
    >> not terribly interesting to read - and they are hard to keep
    >> track of.
    >>
    >>  I'm using a homebrewed system where I have a perl script
    >> capturing packets dumping source ip+port and destination ip+port
    >> to a database.  This way I can produce pretty graphs showing
    >> scans of particular ports over time.
    >>
    >>  (I'd  be happy to release it if theres any interest).
    >>
    >> Steve
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)
    
    iD8DBQE/O30x/gwMYT/x34oRAl/0AJ43BPeCn8+yuvyQ4vWyi1daceC9jACdEZPf
    F6ZWONLjC1ByQEqkBABmRr0=
    =G7cn
    -----END PGP SIGNATURE-----
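    Steve's note describes the two halves of the problem: firewall LOG
    lines in syslog are hard to track by eye, and what people actually
    want is a per-port count over time plus a way to spot the sources
    doing the scanning. The script below is an added example written for
    this archive page; it is not Steve's perl script, not part of ACID or
    portsentry, and it is in Python rather than perl. It assumes the
    lines were produced by the iptables LOG target with a log prefix of
    "IPT-DROP:" (an assumed prefix), that the syslog timestamps belong to
    the year 2003 (syslog omits the year), and all log lines in it are
    constructed sample data, not a real capture. It parses the lines,
    builds the daily hits-per-port series behind a "seen N of those since
    the 1st" answer, and flags sources that touch many distinct ports in
    a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Fields the netfilter LOG target writes to syslog.  SPT/DPT are only
# present for TCP/UDP, so that group is optional (ICMP has TYPE/CODE).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:.*?"
    r"IN=(?P<in>\S*)\s.*?SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s.*?"
    r"PROTO=(?P<proto>\w+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line, year=2003):
    """Return a record dict for one iptables LOG line, or None if the
    line is not one.  The year is an assumption: syslog does not log it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "ts": ts,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def parse_log(lines, year=2003):
    """Parse many lines, silently skipping non-LOG lines (other kernel
    messages, sshd chatter, and so on share the same syslog file)."""
    return [r for r in (parse_log_line(l, year) for l in lines) if r]


def hits_per_port_per_day(records):
    """{(ISO date, dst port): hit count}, the table a graph is drawn from."""
    c = Counter()
    for r in records:
        if r["dpt"] is not None:
            c[(r["ts"].date().isoformat(), r["dpt"])] += 1
    return dict(c)


def port_history(records, dport):
    """Daily hit counts for one destination port, oldest first."""
    daily = Counter(r["ts"].date().isoformat() for r in records if r["dpt"] == dport)
    return sorted(daily.items())


def find_scanners(records, min_ports=5, window_seconds=60):
    """Sources that hit at least min_ports distinct destination ports within
    any window_seconds interval.  Sliding window over per-source events;
    returns {src: most distinct ports seen in one window}."""
    by_src = defaultdict(list)
    for r in records:
        if r["dpt"] is not None:
            by_src[r["src"]].append((r["ts"], r["dpt"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):
            while (events[hi][0] - events[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, len({p for _, p in events[lo:hi + 1]}))
        if best >= min_ports:
            result[src] = best
    return result


def _iptables_line(ts, src, dpt=None, proto="TCP"):
    """Build a line in the layout of the iptables LOG target.  Constructed
    sample data for this example; the MAC, addresses and prefix are made up."""
    tail = (f" SPT=40001 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0"
            if dpt is not None else " TYPE=8 CODE=0 ID=7 SEQ=1")
    return (f"{ts} gw kernel: IPT-DROP: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 "
            f"ID=1 DF PROTO={proto}{tail}")


# Constructed sample log: one source sweeping six ports in three seconds,
# a normal client hitting port 22 twice, a single probe the next day, and
# an ICMP echo request with no ports at all.
SAMPLE_LOG = [
    _iptables_line("Aug 14 05:14:01", "198.51.100.7", 21),
    _iptables_line("Aug 14 05:14:01", "198.51.100.7", 22),
    _iptables_line("Aug 14 05:14:02", "198.51.100.7", 23),
    _iptables_line("Aug 14 05:14:02", "198.51.100.7", 25),
    _iptables_line("Aug 14 05:14:03", "198.51.100.7", 80),
    _iptables_line("Aug 14 05:14:03", "198.51.100.7", 443),
    _iptables_line("Aug 14 05:20:11", "203.0.113.9", 22),
    _iptables_line("Aug 14 07:02:45", "203.0.113.9", 22),
    _iptables_line("Aug 15 01:30:00", "198.51.100.7", 22),
    _iptables_line("Aug 15 01:30:05", "192.0.2.99", None, proto="ICMP"),
]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("port 22 by day:", port_history(recs, 22))
    print("likely scanners:", find_scanners(recs))
```

    Feeding it a real file is `parse_log(open("/var/log/messages"))`;
    the per-day counts are what you would insert into a database table
    keyed on (date, port) to get the graphs Steve mentions, and the
    scanner list is the part a syslog grep cannot give you without the
    time-window logic.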
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:38:53 PDT