Firewall log analyzer
Dalibor Straka
dast at panelnet.cz
Fri Nov 28 13:04:05 CET 2003
Hello,
a certain device (Server Iron XL/G) is terribly dumb, but it can send logs
of everything that happens inside it over the network to another computer. So I
did that, and now I want to process them. Entries like these show up often:
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4411) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.12(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4412) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.13(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4414) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.15(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4415) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.16(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4416) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.17(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4417) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.18(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4420) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.21(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4421) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.22(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4422) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.23(135), 1 packets
Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4423) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.24(135), 1 packets
I looked at logdog, scan alert, snort etc. I would need the program in
question to report that 147.32.111.24 is a bad computer and to send me its
IP by mail. Snort can't analyze logs, it only runs as a daemon. Scan alert,
as far as I used it, is AFAIK for iptables. Logdog, in turn, can catch a single
message, but I need a reaction to a certain number of messages.
If you know of something...
Thanks, Dalibor
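The behaviour asked for above (react only once a source has produced a certain number of deny lines, then mail its IP) is a threshold-over-a-time-window rule, which is straightforward to script once the ServerIron line format is parsed. The following is an added example written for this thread, not code from the original post or from any of the tools it mentions. It parses the quoted log lines, counts how many distinct host/port targets each source was denied to within a sliding 60-second window, and composes the alert mail for any source that crosses the threshold. The year (2003), the threshold of 5 targets, the window length and the e-mail addresses are assumptions; the last sample log line is a constructed entry for a host that should stay below the threshold.

```python
#!/usr/bin/env python3
"""Threshold-based scan detector for ServerIron ACL deny logs (added example)."""
import re
import sys
from collections import defaultdict
from datetime import datetime
from email.message import EmailMessage

# Field layout taken from the lines quoted in the post; ACL number, action and
# interface text are captured so the rule can be tightened later if needed.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"list (?P<acl>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) "
    r"\((?P<iface>[^)]*)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets$"
)

# The first ten lines are the ones quoted in the post; the last one is a
# constructed entry for a host that must NOT trigger an alert (one denial only).
SAMPLE_LOG = [
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4411) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.12(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4412) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.13(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4414) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.15(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4415) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.16(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4416) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.17(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4417) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.18(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4420) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.21(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4421) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.22(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4422) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.23(135), 1 packets",
    "Nov 28 12:42:06 serveriron list 125 denied tcp 147.32.111.24(4423) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.24(135), 1 packets",
    "Nov 28 12:43:10 serveriron list 125 denied tcp 10.9.8.7(51000) (Ethernet 25 0003.4b42.3a05) -> 1.2.3.12(22), 1 packets",
]


def parse_line(line, year=2003):
    """Return a dict for one ACL log line, or None if the line does not match.
    Syslog stamps carry no year, so the caller supplies one (2003 assumed)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = " ".join(rec["ts"].split())  # normalise "Nov  8" to "Nov 8"
    rec["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    for key in ("acl", "sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def parse_log(lines, year=2003):
    """Parse all lines, silently skipping anything that is not an ACL entry."""
    return [rec for rec in (parse_line(l, year) for l in lines) if rec]


def find_scanners(events, threshold=5, window=60):
    """Report sources denied to >= `threshold` distinct (dst, dport) targets
    inside any `window`-second span. Counting distinct targets instead of raw
    lines keeps one client retrying a single port from looking like a sweep."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "denied":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end, cur in enumerate(evs):
            # Slide the window start forward until it is within `window` seconds.
            while (cur["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            span = evs[start:end + 1]
            targets = {(e["dst"], e["dport"]) for e in span}
            if len(targets) >= threshold and (best is None or len(targets) > best["targets"]):
                best = {
                    "targets": len(targets),
                    "ports": sorted({e["dport"] for e in span}),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }
        if best:
            alerts[src] = best
    return alerts


def build_alert(src, info, sender="serveriron@example.net", rcpt="admin@example.net"):
    """Compose the notification mail (addresses are placeholders). Delivery is
    left to the caller, e.g. smtplib.SMTP("localhost").send_message(msg)."""
    msg = EmailMessage()
    msg["Subject"] = f"[serveriron] {src} denied to {info['targets']} targets"
    msg["From"] = sender
    msg["To"] = rcpt
    msg.set_content(
        f"Source {src} was denied by the ACL to {info['targets']} distinct "
        f"host/port targets between {info['first']} and {info['last']}.\n"
        f"Destination ports: {', '.join(map(str, info['ports']))}\n"
    )
    return msg


if __name__ == "__main__":
    # Usage: scan_alert.py [logfile]; without a file the embedded sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for src, info in find_scanners(parse_log(lines)).items():
        print(build_alert(src, info))
```

Run against the sample, the script flags 147.32.111.24 (ten distinct hosts on port 135 in the same second) and ignores 10.9.8.7, which was denied only once. For use on a live syslog feed, pipe new lines through the same parser and keep the per-source event lists bounded to the window; a host that is reported once should also be suppressed for a while so a long scan does not produce a mail per window.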
More information about the Linux mailing list