Re: [logs] nmap, iptables and logging

From: Jeremy W. Chalfant (jeremy@private)
Date: Mon Jan 31 2005 - 14:30:11 PST

I suppose you could look for specific patterns like a burst of packets
from the same host targeting different ports on your server.  Typically
a port scan will probe a number of well known ports like
21,22,23,25,80,443,3389,8080 etc....  Look for these patterns in quick
succession.  More than likely there is documentation and research on
this type of stuff, much more that I could tell you.

A better bet is to look into programs like psad -- Port Scanning Attack
Detection Daemon -- , or if you are
REALLY serious try prelude-ids -- or snort --  The last two not only have ways of monitoring
what crosses a network but also support log monitoring.

Good luck with the project, let me know how it goes. 


On Sat, 2005-01-29 at 18:18 +0000, Sujit wrote:
> Hi,
> thank you for replying to my earlier mail reagarding RH9 logs.
> as per the suggestion i used the command :
>    iptables -t filter -I INPUT -j LOG
> essentially, i wanted it to log all the nmap scans i peformed.
> however, in this case the log entry in the /var/log/messages is:
> Jan 29 00:03:13 localhost kernel: IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=
> DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP
> SPT=32837 DPT=631 WINDOW=32767 RES=0x00 SYN URGP=0 
> though i get information about the particular packet in the log, how
> am i essentially going to tell whether i have performed a portscan/OS
> fingerprinting etc.?
> is there some other interpretation of these log messages so as to tell
> whether nmap did indeed perform a portscan, and on a particular port?
> if nmap is run, then is there a way to tell that a particular type of
> attack was indeed carried out on the system, by looking at the logs?
> Sujit.
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private

LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Tue Feb 01 2005 - 04:27:56 PST