[logs] nmap, iptables and logging

From: Sujit (skproject23@private)
Date: Sat Jan 29 2005 - 10:18:29 PST


Thank you for replying to my earlier mail regarding RH9 logs.

As per the suggestion, I used the command:

   iptables -t filter -I INPUT -j LOG

Essentially, I wanted it to log all the nmap scans I performed.

However, in this case the log entry in /var/log/messages is:

Jan 29 00:03:13 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP SPT=32837 DPT=631 WINDOW=32767 RES=0x00 SYN URGP=0 

Though I get information about the particular packet in the log, how am I essentially going to tell whether I have performed a port scan, OS fingerprinting, etc.?

Is there some other interpretation of these log messages so as to tell whether nmap did indeed perform a port scan, and on a particular port?

If nmap is run, then is there a way to tell, by looking at the logs, that a particular type of attack was indeed carried out on the system?


LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Sat Jan 29 2005 - 10:48:41 PST
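One way to answer the question above, as an added example rather than anything from the post or the list: a single LOG entry cannot show a scan, but correlating many entries can. The Python below parses lines in the iptables LOG format quoted above and flags any source that sends bare SYNs to many distinct destination ports within a short window; the sample lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample /var/log/messages lines in the iptables LOG format shown in the post
# (RFC 5737 documentation addresses, made-up MAC). 192.0.2.10 sends one bare SYN per
# second to twelve different ports; 198.51.100.7 behaves like an ordinary web client.
TEMPLATE = ("Jan 29 00:03:{sec:02d} localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:"
            "00:50:56:dd:ee:ff:08:00 SRC={src} DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=42 "
            "ID={sec} PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 {flags} URGP=0")
SAMPLE_LINES = [TEMPLATE.format(sec=13 + i, src="192.0.2.10", dpt=p, flags="SYN") for i, p in
                enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3306])] + [
    TEMPLATE.format(sec=15, src="198.51.100.7", dpt=80, flags="SYN"),
    TEMPLATE.format(sec=15, src="198.51.100.7", dpt=80, flags="ACK"),   # handshake reply, not a probe
    TEMPLATE.format(sec=40, src="198.51.100.7", dpt=443, flags="SYN"),
    # the loopback entry quoted in the post, with its empty SRC= and DST= values
    "Jan 29 00:03:13 localhost kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 "
    "SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP SPT=32837 DPT=631 "
    "WINDOW=32767 RES=0x00 SYN URGP=0",
]

def parse_iptables_log(line):
    """Split one iptables LOG line into (timestamp, key=value fields, bare flags); None otherwise."""
    m = re.match(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (IN=.*)", line)
    if not m:
        return None
    tokens = m.group(2).split()
    fields = dict(t.split("=", 1) for t in tokens if "=" in t)   # values may be empty (SRC= DST=)
    flags = {t for t in tokens if "=" not in t}                  # DF and the TCP flags SYN, ACK, ...
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), fields, flags

def detect_port_scans(lines, window=60, min_ports=10):
    """Return {src: sorted ports} for sources whose bare SYNs hit >= min_ports ports within `window` s."""
    probes = defaultdict(list)
    for ts, f, flags in filter(None, map(parse_iptables_log, lines)):
        # a genuine client follows its SYN with ACKs; a scanner leaves bare SYNs on many ports
        if f.get("PROTO") == "TCP" and f.get("SRC") and "SYN" in flags and "ACK" not in flags:
            probes[f["SRC"]].append((ts, int(f["DPT"])))
    hits = defaultdict(set)
    for src, events in probes.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > window:   # slide the window forward
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] |= ports
    return {src: sorted(ports) for src, ports in hits.items()}
```

OS fingerprinting probes would need their own signatures (unusual TCP flag combinations, for instance), which this example does not attempt.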