Hi, thank you for replying to my earlier mail regarding RH9 logs. As per the suggestion I used the command:

iptables -t filter -I INPUT -j LOG

Essentially, I wanted it to log all the nmap scans I performed. However, in this case the log entry in /var/log/messages is:

Jan 29 00:03:13 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP SPT=32837 DPT=631 WINDOW=32767 RES=0x00 SYN URGP=0

Though I get information about the particular packet in the log, how am I essentially going to tell whether I have performed a portscan/OS fingerprinting etc.? Is there some other interpretation of these log messages so as to tell whether nmap did indeed perform a portscan, and on a particular port? If nmap is run, then is there a way to tell that a particular type of attack was indeed carried out on the system, by looking at the logs?

Sujit.

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
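A single iptables LOG line such as the one quoted above only describes one packet; a port scan only becomes visible when you correlate many such lines by source address and time. The script below is an added example, not code from the original post or the list: it parses the key=value layout of iptables LOG entries in /var/log/messages, groups TCP/UDP packets per SRC, and reports a source that touches many distinct DPT values within a short window (the classic signature of a port sweep), plus per-source counts of TCP flag combinations that never occur in a normal handshake. The sample log lines are constructed here (the 192.0.2.x addresses are documentation addresses), the thresholds are assumptions to tune for your own network, and the year is assumed to be 2005 because syslog timestamps carry no year.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The exact line quoted in the post above, used to check the parser.
ORIGINAL_LINE = ("Jan 29 00:03:13 localhost kernel: IN=lo OUT= "
                 "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 "
                 "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP SPT=32837 DPT=631 "
                 "WINDOW=32767 RES=0x00 SYN URGP=0")

# syslog prefix ("Mon DD HH:MM:SS host kernel: ") followed by the iptables LOG body
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<body>.*)$")
TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_line(line, year=2005):
    """Split one LOG entry into a timestamp, key=value fields and bare flag tokens.
    Tokens without '=' (DF, SYN, ACK, FIN, ...) are collected as flags. year is an
    assumption: syslog timestamps omit it. Returns None for non-LOG lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    fields, flags = {}, set()
    for tok in m.group("body").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)
    return {"ts": ts, "fields": fields, "flags": flags}


def detect_port_scans(lines, window_seconds=10, min_ports=10):
    """Return {src: {dpt, ...}} for sources that hit at least min_ports distinct
    TCP/UDP destination ports inside any window_seconds-long interval.
    Thresholds are assumptions; tune them to the traffic on the monitored host."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fields"].get("PROTO") not in ("TCP", "UDP"):
            continue
        dpt = rec["fields"].get("DPT")
        if dpt is None:
            continue
        events[rec["fields"]["SRC"]].append((rec["ts"], int(dpt)))

    scans = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                scans.setdefault(src, set()).update(ports)
    return scans


def classify_tcp_flags(flags):
    """Label a TCP flag set; anything a real handshake or session produces is 'normal'."""
    f = flags & TCP_FLAGS
    if not f:
        return "null"       # no flags at all
    if f == {"FIN", "PSH", "URG"}:
        return "xmas"       # never sent by a conforming stack
    if f == {"FIN"}:
        return "fin"        # FIN without a preceding ACK-bearing session
    if {"SYN", "FIN"} <= f:
        return "syn-fin"    # contradictory: open and close at once
    return "normal"


def suspicious_flag_hits(lines):
    """Return {src: Counter(label -> count)} for TCP packets whose flag set is abnormal."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["fields"].get("PROTO") != "TCP":
            continue
        label = classify_tcp_flags(rec["flags"])
        if label != "normal":
            hits[rec["fields"]["SRC"]][label] += 1
    return dict(hits)


# --- constructed sample log (same field layout as the real entry, values invented) ---
def _mk(ts, src, dpt, flags):
    return (f"{ts} localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:c0:00:08:08:00 "
            f"SRC={src} DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=32767 RES=0x00 {flags} URGP=0")

# one source probing ports 20..35 within four seconds (a port sweep),
# one host holding an ordinary SSH session, and one packet with a flag set no handshake uses
SAMPLE_LOG = [_mk(f"Jan 29 00:03:{13 + i // 4:02d}", "192.0.2.10", 20 + i, "SYN") for i in range(16)]
SAMPLE_LOG += [_mk("Jan 29 00:05:01", "192.0.2.20", 22, "SYN"),
               _mk("Jan 29 00:05:01", "192.0.2.20", 22, "ACK"),
               _mk("Jan 29 00:06:30", "192.0.2.30", 80, "URG PSH FIN")]

if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"port sweep from {src}: {len(ports)} ports, e.g. {sorted(ports)[:5]}")
    for src, counts in suspicious_flag_hits(SAMPLE_LOG).items():
        print(f"abnormal TCP flags from {src}: {dict(counts)}")
```

Two practical notes: a bare `-I INPUT -j LOG` rule records every inbound packet, so the file fills with normal session traffic; restricting the rule to connection attempts (`iptables -I INPUT -p tcp --syn -j LOG --log-prefix "SCAN-CHK "`) keeps the volume manageable and gives the parser a fixed prefix to grep for. And because the rule in the post logs the loopback interface too, the quoted entry (SRC and DST both 127.0.0.1, DPT=631) shows only that the local host connected to its own printing port; with no year and no source grouping, that single line cannot distinguish a scan from ordinary traffic, which is exactly what the correlation above adds.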
This archive was generated by hypermail 2.1.3 : Sat Jan 29 2005 - 10:48:41 PST