IPFW log results analysis
Remko Lodder
remko at elvandar.org
Fri Jun 18 03:42:14 PDT 2004
Jow,
Giorgos Keramidas wrote:
> On 2004-06-18 10:43, Uwe Kolsch <uwe.kolsch at wax.co.uk> wrote:
>
>>Is there a tool for FBSD like logwatch on Linux, which can provide a detailed
>>but still somehow summarized output based on the logging results of IPFW. I mean
>>more detailed than this from the daily security run:
>>
>>
>>>02010 557 48486 deny log ip from any to any out
>>>10000 1026 49716 deny ip from any to any in setup
>>>10003 3859 828227 deny ip from any to any in
>>
>>... and more like this.
>
>
> You can always write your own shell scripts to parse ipfw logs ;-)
>
> I haven't heard of any summarizing tools, but if you feel that scripting
> your own is too much it shouldn't be too hard to roll a few custom
> scripts if you tell me what you're looking for in such a report.
You can send your daily logs to dshield.org and they will give a daily
overview of what you send. They will use your information to do
'distributed IDS'. That means if you get port probed and the person
doing that hits your network and other networks regularly, there will be
a warning sent out to the ISP that this person is being very abusive.
I use it myself, giving a match on my external interface and it will
send just that.
Perhaps you can view their script (perl) and adapt it to create the
summary yourself.
>
> - Giorgos
Cheers
--
Kind regards,
Remko Lodder |remko at elvandar.org
Reporter DSINet |remko at dsinet.org
Projectleader Mostly-Harmless |remko at mostly-harmless.nl
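As an added example (not code from this thread, from dshield's submission script, or from any FreeBSD tool), here is the kind of small summarizer Giorgos suggests rolling by hand: it reads ipfw syslog lines of the form the kernel writes for "log" rules (`ipfw: <rule> <action> <proto> <src>[:port] <dst>[:port] in|out via <iface>`) and counts events per rule, source address, destination port and protocol, which is roughly what logwatch would report. The sample log lines, hostnames and addresses are constructed; the handling of syslogd's "last message repeated N times" collapse line is an assumption about that message's standard wording.

```python
"""Summarize ipfw log lines per rule, source, destination port and protocol.

Added example; assumes the syslog line format ipfw uses for "log" rules
and syslogd's "last message repeated N times" collapse message.
"""
import re
from collections import Counter

# Constructed sample (RFC 5737 documentation addresses, made-up host "gw").
SAMPLE_LOG = """\
Jun 18 03:40:01 gw kernel: ipfw: 2010 Deny TCP 203.0.113.7:4444 192.0.2.10:22 in via fxp0
Jun 18 03:40:02 gw kernel: ipfw: 2010 Deny TCP 203.0.113.7:4445 192.0.2.10:23 in via fxp0
Jun 18 03:40:05 gw kernel: ipfw: 2010 Deny UDP 198.51.100.9:53 192.0.2.10:1026 in via fxp0
Jun 18 03:41:10 gw kernel: ipfw: 2010 Deny ICMP:8.0 203.0.113.7 192.0.2.10 in via fxp0
Jun 18 03:41:30 gw kernel: ipfw: 10003 Deny TCP 203.0.113.7:4446 192.0.2.10:22 in via fxp0
Jun 18 03:42:00 gw kernel: ipfw: 2010 Deny TCP 203.0.113.7:4447 192.0.2.10:22 in via fxp0
Jun 18 03:42:14 gw last message repeated 3 times
"""

# ICMP entries carry no ports and a "PROTO:type.code" protocol token,
# so both port groups are optional and the protocol is any non-space run.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<direction>in|out) via (?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def parse_line(line):
    """Return a dict for one ipfw log entry, or None if the line is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["proto"] = rec["proto"].split(":")[0]          # "ICMP:8.0" -> "ICMP"
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec


def summarize(text):
    """Aggregate a block of syslog text into per-key counters.

    A syslogd "repeated N times" line adds N more hits for the immediately
    preceding line; if that line was not an ipfw entry the repeat is ignored,
    so interleaved non-ipfw messages never get counted as firewall events.
    """
    s = {"events": 0, "unparsed": 0, "rules": Counter(), "actions": Counter(),
         "sources": Counter(), "dports": Counter(), "protos": Counter()}
    last = None
    for line in text.splitlines():
        rec, weight = parse_line(line), 1
        if rec is None:
            rep = REPEAT_RE.search(line)
            if rep and last is not None:
                rec, weight = last, int(rep.group("n"))
            else:
                s["unparsed"] += 1
                last = None            # repeats after this line are not ipfw hits
                continue
        last = rec
        s["events"] += weight
        s["rules"][rec["rule"]] += weight
        s["actions"][rec["action"]] += weight
        s["sources"][rec["src"]] += weight
        s["protos"][rec["proto"]] += weight
        if rec["dport"] is not None:
            s["dports"][rec["dport"]] += weight
    return s


def report(s, top=5):
    """Render the summary as the short text block a daily mail would carry."""
    out = [f"ipfw events: {s['events']} (unparsed lines: {s['unparsed']})", ""]
    for title, key in (("By rule", "rules"), ("By action", "actions"),
                       ("Top sources", "sources"), ("Top destination ports", "dports"),
                       ("By protocol", "protos")):
        out.append(f"{title}:")
        for k, n in s[key].most_common(top):
            out.append(f"  {n:6d}  {k}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize(text)))
```

Run it as `grep ipfw /var/log/security | python3 summarize_ipfw.py` (or with no input to see the constructed sample). Counting by destination port across many sources is what separates a scan of one service from a single noisy host, which the per-rule totals in the daily security mail cannot show.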