Collecting Logs


doolin$ (head -3 kun.log; tail -3 kun.log) | fold -w 55
Jul 12 16:46:50 beer ipmon[277]: [ID 702911 auth.alert]
 16:46:50.179228  le0 @0:25 b 131.174.117.202,62315 ->
134.60.66.19,21 PR tcp len 20 48 -S IN
Jul 12 16:46:50 beer ipmon[277]: [ID 702911 auth.alert]
 16:46:50.179228  le0 @0:25 b 131.174.117.202,62315 ->
134.60.66.19,21 PR tcp len 20 48 -S IN
Jul 12 16:46:50 morawetz ipmon[97]: [ID 702911 auth.ale
rt] 16:46:50.215188  le0 @0:25 b 131.174.117.202,62325
-> 134.60.66.29,21 PR tcp len 20 48 -S IN
Jul 12 17:07:05 virgo ipmon[285]: [ID 702911 auth.alert
] 17:07:04.500080 hme0 @0:25 b 131.174.117.202,63262 ->
 134.60.166.133,21 PR tcp len 20 48 -S IN
Jul 12 17:07:05 serpens ipmon[283]: [ID 702911 auth.ale
rt] 17:07:04.496455 hme0 @0:25 b 131.174.117.202,63258
-> 134.60.166.129,21 PR tcp len 20 48 -S IN
Jul 12 17:07:05 serpens ipmon[283]: [ID 702911 auth.ale
rt] 17:07:04.496455 hme0 @0:25 b 131.174.117.202,63258
-> 134.60.166.129,21 PR tcp len 20 48 -S IN
doolin$

* Collecting the firewall logs and snort logs of all machines into one log makes it possible to detect scans.

* In this example we saw a scan that took 21 minutes to check for FTP servers on 113 machines in our networks.

* All detected FTP servers were immediately explored...
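As an added example, not part of the original slides, here is a small Python parser for the ipmon syslog format shown above: it merges the lines of all logging hosts and reports a source that hits many distinct destinations on one port, together with the time the sweep took. The first four sample lines are the page's own records with the `fold` wrapping undone, the fifth is constructed, and the `min_targets` threshold is an assumed value.

```python
import re
from collections import defaultdict
from datetime import datetime

# One unfolded ipmon syslog record: syslog date/host, ipmon timestamp, padded
# interface (hence " +"), rule "@group:rule", action (b = blocked), src,sport
# -> dst,dport and protocol; the "len ... -S IN" tail is not needed here.
IPMON_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ipmon\[\d+\]: \[ID \d+ \S+\] \S+ +(?P<iface>\S+) @\S+ (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+)")

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None on no match."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year; strptime defaults to 1900, fine for deltas
    rec["ts"] = datetime.strptime(
        f"{rec['mon']} {rec['day']} {rec['time']}", "%b %d %H:%M:%S")
    return rec

def find_scans(lines, min_targets=3):
    """Group the merged lines by (src, dport, proto) and return
    {(src, dport, proto): (distinct destinations, seconds first..last)}
    for sources that reached at least min_targets destinations."""
    seen = defaultdict(lambda: {"dst": set(), "ts": []})
    for line in lines:
        rec = parse_ipmon(line)
        if rec is not None:
            s = seen[(rec["src"], rec["dport"], rec["proto"])]
            s["dst"].add(rec["dst"])
            s["ts"].append(rec["ts"])
    return {k: (len(s["dst"]), int((max(s["ts"]) - min(s["ts"])).total_seconds()))
            for k, s in seen.items() if len(s["dst"]) >= min_targets}

# Sample input: the first four lines are the page's own records unfolded,
# the fifth is a constructed unrelated blocked packet (not part of a scan).
SAMPLE = [
    "Jul 12 16:46:50 beer ipmon[277]: [ID 702911 auth.alert] 16:46:50.179228  le0 @0:25 b 131.174.117.202,62315 -> 134.60.66.19,21 PR tcp len 20 48 -S IN",
    "Jul 12 16:46:50 morawetz ipmon[97]: [ID 702911 auth.alert] 16:46:50.215188  le0 @0:25 b 131.174.117.202,62325 -> 134.60.66.29,21 PR tcp len 20 48 -S IN",
    "Jul 12 17:07:05 virgo ipmon[285]: [ID 702911 auth.alert] 17:07:04.500080 hme0 @0:25 b 131.174.117.202,63262 -> 134.60.166.133,21 PR tcp len 20 48 -S IN",
    "Jul 12 17:07:05 serpens ipmon[283]: [ID 702911 auth.alert] 17:07:04.496455 hme0 @0:25 b 131.174.117.202,63258 -> 134.60.166.129,21 PR tcp len 20 48 -S IN",
    "Jul 12 16:50:00 beer ipmon[277]: [ID 702911 auth.alert] 16:50:00.000001  le0 @0:25 b 10.0.0.1,40000 -> 134.60.66.19,25 PR tcp len 20 48 -S IN",
]

if __name__ == "__main__":
    for (src, dport, proto), (n, secs) in find_scans(SAMPLE).items():
        print(f"{src} hit {proto}/{dport} on {n} hosts within {secs} s")
```

On a real installation the lines would come from the merged syslog of all hosts instead of `SAMPLE`; the single-source view is what a per-host log cannot give, since each host only ever sees one or two probes.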

Copyright © 2001, 2002 Andreas Borchert, converted to HTML on April 07, 2002