I suppose you could look for specific patterns like a burst of packets from the same host targeting different ports on your server. Typically a port scan will probe a number of well known ports like 21,22,23,25,80,443,3389,8080 etc. Look for these patterns in quick succession. More than likely there is documentation and research on this type of stuff, much more than I could tell you.

A better bet is to look into programs like psad -- Port Scanning Attack Detection Daemon -- http://www.cipherdyne.org/psad , or if you are REALLY serious try prelude-ids -- http://www.prelude-ids.org or snort -- http://www.snort.org. The last two not only have ways of monitoring what crosses a network but also support log monitoring.

Good luck with the project, let me know how it goes.

Jeremy

On Sat, 2005-01-29 at 18:18 +0000, Sujit wrote:
> Hi,
>
> thank you for replying to my earlier mail regarding RH9 logs.
>
> as per the suggestion i used the command :
>
> iptables -t filter -I INPUT -j LOG
>
> essentially, i wanted it to log all the nmap scans i performed.
>
> however, in this case the log entry in the /var/log/messages is:
>
> Jan 29 00:03:13 localhost kernel: IN=lo OUT=
> MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1
> DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP
> SPT=32837 DPT=631 WINDOW=32767 RES=0x00 SYN URGP=0
>
> though i get information about the particular packet in the log, how
> am i essentially going to tell whether i have performed a portscan/OS
> fingerprinting etc.?
>
> is there some other interpretation of these log messages so as to tell
> whether nmap did indeed perform a portscan, and on a particular port?
>
> if nmap is run, then is there a way to tell that a particular type of
> attack was indeed carried out on the system, by looking at the logs?
>
> Sujit.
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
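Added example, not part of Jeremy's or Sujit's mail: a small Python script that applies the heuristic Jeremy describes (one source hitting several distinct ports in quick succession) to iptables LOG lines in the exact format Sujit quoted from /var/log/messages. The sample log lines, the 10-second window, the five-port threshold and the assumed year 2005 (syslog timestamps carry no year) are all constructed for the illustration; psad does the same job properly, this only shows the idea.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the iptables LOG format quoted in the thread: 192.0.2.10
# SYNs five well-known ports in 3 seconds; 192.0.2.20 makes one normal connection.
SAMPLE_LOG = """\
Jan 29 00:03:13 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35825 DF PROTO=TCP SPT=32837 DPT=21 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 29 00:03:13 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35826 DF PROTO=TCP SPT=32838 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 29 00:03:14 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35827 DF PROTO=TCP SPT=32839 DPT=23 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 29 00:03:14 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35828 DF PROTO=TCP SPT=32840 DPT=25 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 29 00:03:15 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35829 DF PROTO=TCP SPT=32841 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0
Jan 29 00:03:20 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 29 00:03:20 localhost kernel: IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:0c:29:dd:ee:ff:08:00 SRC=192.0.2.20 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<rest>.*)$")

def parse_probe(line, year=2005):
    """Return (timestamp, src, dport) for a TCP SYN-only packet, else None (year is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    fields = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
    flags = {tok for tok in tokens if "=" not in tok}  # bare tokens: DF, SYN, ACK, ...
    # Only a bare SYN is a new connection attempt; packets carrying ACK are established traffic.
    if fields.get("PROTO") != "TCP" or "SYN" not in flags or "ACK" in flags:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, fields["SRC"], int(fields["DPT"])

def detect_scans(log_text, window=timedelta(seconds=10), min_ports=5):
    """Map each source that SYNs >= min_ports distinct ports inside `window` to those ports."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        p = parse_probe(line)
        if p:
            probes[p[1]].append((p[0], p[2]))
    hits = {}
    for src, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window starting at each probe
            ports = {d for t, d in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits.setdefault(src, set()).update(ports)
    return hits

for src, ports in detect_scans(SAMPLE_LOG).items():
    print(f"possible port scan from {src}: ports {sorted(ports)}")
```

Running it on the real /var/log/messages means feeding the file contents to detect_scans and tuning window and min_ports to what is normal on that host, since a single user browsing a web server legitimately touches several ports too.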
This archive was generated by hypermail 2.1.3 : Tue Feb 01 2005 - 04:27:56 PST