hi all
anyone advise pls what should be the best way of writing syslog.conf..? i mean best when logging of all the security events gets enabled in the unix server. this will help me a lot in capturing all events in files... like /var/log/messages. any users... who did the setups this way..? also any of you working purely on BSDi Unix pls revert... some points for discussion required... the docs for bsdi on the internet seem too few.

regds
abhinav

>From: loganalysis-requestat_private
>Reply-To: loganalysisat_private
>To: loganalysisat_private
>Subject: LogAnalysis digest, Vol 1 #41 - 3 msgs
>Date: Fri, 11 Oct 2002 12:00:04 +0000
>
>Send LogAnalysis mailing list submissions to
>	loganalysisat_private
>
>To subscribe or unsubscribe via the World Wide Web, visit
>	http://lists.shmoo.com/mailman/listinfo/loganalysis
>or, via email, send a message with subject or body 'help' to
>	loganalysis-requestat_private
>
>You can reach the person managing the list at
>	loganalysis-adminat_private
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of LogAnalysis digest..."
>
>
>Today's Topics:
>
>   1. slapper logfile marks .. (Jose Nazario)
>   2. Re: compress log error (was PIX logging) (Daniel Deremiah)
>   3. Fight Back (Ganu Skop)
>
>--__--__--
>
>Message: 1
>Date: Tue, 8 Oct 2002 10:10:01 -0400 (EDT)
>From: Jose Nazario <joseat_private>
>To: loganalysisat_private
>Subject: [logs] slapper logfile marks ..
>
>trying to see if these are telltale signs of a slapper request. looking
>at the worm's source code it makes an http request for /:
>
>GET HTTP/1.1
>
>(note that it's incomplete for the 1.1 spec, it's missing the host:
>declaration.) it then sends two ssl connections to try and overflow the
>key exchange for SSLv2.
>
>this would explain this logfile pattern i have seen with an apache
>installation.
>the first request looks like the problem in the port 80
>server fingerprinting:
>
>[Sun Oct 6 03:25:18 2002] [error] [client 202.133.158.195] client sent
>HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
>
>with followups immediately with SSL errors:
>
>[Sun Oct 6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by
>system [Hint: Stop button pressed in browser?!] (System error follows)
>[Sun Oct 6 03:25:37 2002] [error] System: Connection reset by peer
>(errno: 104)
>
>unfortunately the error log doesn't report the SSL client who made the
>errors.
>
>anyhow, is this the pattern other people have been seeing for slapper
>hosts?
>
>___________________________
>jose nazario, ph.d.			joseat_private
>				http://www.monkey.org/~jose/
>
>
>
>--__--__--
>
>Message: 2
>Date: Wed, 9 Oct 2002 13:09:08 -0700 (PDT)
>From: Daniel Deremiah <Daniel.Deremiahat_private>
>To: Allen Crawford <AllenCat_private>
>Subject: Re: [logs] compress log error (was PIX logging)
>
>remove the compress line and add the gzip command to the postrotate
>sequence. What is happening is you are renaming the file out from under the
>rotate script.
>
>--
>-dand
>
>=============================================================
>Dan Deremiah                          Unix System Administrator
>Wind River Systems, Alameda CA        510/749-2033 Desk
>=============================================================
>
>On Fri, 6 Sep 2002, Allen Crawford wrote:
>
> > Ok, I've got the PIX logging working now I believe. I had to create a
> > separate logrotate script and run it at a specific time (11:55pm) because I
> > just realized that the daily cron job was running at 4:02 pm, which isn't
> > when I want my Cisco logs to be rotated.
> >
> > Anyway, the only problem I'm having now is getting them to compress. Here's
> > the logrotate script for the PIX that I'm using:
> >
> > /var/log/cisco_pix_515e/pix {
> >     daily
> >     rotate 4
> >     create
> >     compress
> >     postrotate
> >         /usr/bin/killall -HUP syslogd; mv
> > /var/log/cisco_pix_515e/pix.1 /var/log/cisco_pix_515e/pix$(date +%Y%m%d)
> >     endscript
> > }
> >
> >
> > For testing I'm calling it with the following line:
> >
> > logrotate -f /etc/cisco_pix_515e_logrotate_script
> >
> > After running that, it rotates it correctly and starts logging to the new
> > file. However, with the compress line left in the script, I get the
> > following error:
> >
> > gzip: /var/log/cisco_pix_515e/pix.1: No such file or directory
> > failed to compress log /var/log/cisco_pix_515e/pix.1
> >
> > Any tips on what I am doing wrong here?
> >
> > Thanks a lot,
> > Allen
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysisat_private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> >
>
>
>--__--__--
>
>Message: 3
>Date: Wed, 9 Oct 2002 21:04:06 -0700 (PDT)
>From: Ganu Skop <skopganuat_private>
>To: loganalysisat_private
>Subject: [logs] Fight Back
>
>Hi all,
>I could not recall if there is any discussion on the
>matter regarding detecting a tool that is used for
>_doing_evil_stuff.
>What I am trying to do is to be able to detect
>what kind of tool is used in
>probing/scanning/evil_stuff.
>Most IDS will detect if there is hping2, nmap,
>cybercop. But what abt others? such as nemesis and
>most web scanners such as stealth, screaming cobra,
>nikto?
>I really hope to be able to sort out what kind of
>command is used when an intruder uses nmap (be
>it nmap -sX, -sS, -sT and etc)
>
>Thanks
>-skop
>
>
>
>=====
>//skopganu
>
>
>
>--__--__--
>
>
>End of LogAnalysis Digest
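One way to look for the two-step pattern Jose describes in an Apache 1.3 error_log, added here as an example and not code from the thread: pair each "request without hostname" error for / with a mod_ssl handshake interruption that follows within a short window. The sample lines are constructed (the second through sixth mirror the ones quoted above), and the 60-second window is an assumption.

```python
import re
from datetime import datetime

# Apache 1.3 error_log timestamp, e.g. "[Sun Oct  6 03:25:18 2002]"
_TS = r"\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"
NO_HOST_RE = re.compile(_TS + r" \[error\] \[client (?P<ip>[\d.]+)\] client sent "
                        r"HTTP/1\.1 request without hostname .*: (?P<uri>\S+)$")
SSL_INT_RE = re.compile(_TS + r" \[error\] mod_ssl: SSL handshake interrupted by system")

def _parse_ts(text):
    # collapse the padded day ("Oct  6") so strptime's %d accepts it
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")

def find_slapper_candidates(lines, window_seconds=60):
    """Pair each host-less request for '/' with an SSL handshake interruption that
    follows within window_seconds. mod_ssl lines carry no client address, so the
    pairing is by time only: the result is a lead to check, not proof."""
    pending = []   # (client ip, timestamp) of host-less '/' requests not yet paired
    hits = []
    for line in lines:
        line = line.rstrip()
        m = NO_HOST_RE.search(line)
        if m:
            if m.group("uri") == "/":
                pending.append((m.group("ip"), _parse_ts(m.group("ts"))))
            continue
        m = SSL_INT_RE.search(line)
        if not m:
            continue
        ssl_ts = _parse_ts(m.group("ts"))
        for ip, req_ts in pending:
            if 0 <= (ssl_ts - req_ts).total_seconds() <= window_seconds:
                hits.append({"client": ip, "request": req_ts, "ssl_error": ssl_ts})
        # keep only requests logged after this SSL error; paired and expired ones go
        pending = [p for p in pending if (ssl_ts - p[1]).total_seconds() < 0]
    return hits

# Constructed sample in Apache 1.3 error_log format; the first line and the last
# line are benign noise that must not be paired.
SAMPLE_LOG = """\
[Sun Oct  6 03:20:00 2002] [error] [client 10.0.0.7] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /index.html
[Sun Oct  6 03:25:18 2002] [error] [client 202.133.158.195] client sent HTTP/1.1 request without hostname (see RFC2068 section 9, and 14.23): /
[Sun Oct  6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct  6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)
[Sun Oct  6 03:25:37 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
[Sun Oct  6 03:25:37 2002] [error] System: Connection reset by peer (errno: 104)
[Sun Oct  6 04:10:02 2002] [error] mod_ssl: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!] (System error follows)
"""

if __name__ == "__main__":
    for hit in find_slapper_candidates(SAMPLE_LOG.splitlines()):
        print("possible slapper probe from %s at %s" % (hit["client"], hit["request"]))
```

Because the correlation is only temporal, confirm a hit against the access_log or a packet capture before acting on it.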
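The fix Dan describes for Allen's script, written out as an added example that is not from the thread: logrotate runs the postrotate script before its own compress step, so the mv renames pix.1 away before gzip looks for it. Dropping compress and gzipping the dated file inside postrotate avoids that; the dated file name follows Allen's script, and the one-second pause is an assumption added so syslogd has reopened the new file before the old one is compressed.

```conf
/var/log/cisco_pix_515e/pix {
    daily
    rotate 4
    create
    # no "compress": logrotate would look for pix.1 after postrotate has renamed it
    postrotate
        /usr/bin/killall -HUP syslogd
        sleep 1
        mv /var/log/cisco_pix_515e/pix.1 /var/log/cisco_pix_515e/pix.$(date +%Y%m%d)
        /bin/gzip /var/log/cisco_pix_515e/pix.$(date +%Y%m%d)
    endscript
}
```

With the dated rename, rotate 4 no longer prunes anything because logrotate does not track those files, so old pix.YYYYMMDD.gz files need a separate cleanup (newer logrotate releases offer dateext, which handles dated names natively).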
This archive was generated by hypermail 2b30 : Fri Oct 25 2002 - 09:22:20 PDT