From: Mart Frauenlob <mart.frauenlob@chello.at>
To: netfilter@vger.kernel.org
Subject: Re: Advanced Logging
Date: Thu, 03 Jun 2010 22:17:15 +0200
Message-ID: <4C080DCB.9020507@chello.at>
In-Reply-To: <AANLkTikt1N0vb0Y0S_akVrvvcboyXfEjU_97tqgEK0jz@mail.gmail.com>
On 03.06.2010 20:15, ratheesh k wrote:
> 2010/5/30 Tomáš Vlček <tomasvlcek@gmail.com>:
>>> I have implemented a firewall in my Linux machine using
>>> iptables. It is able to prevent attacks and LOG just before dropping
>>> packets. Since I know a little about iptables, I could go through
>>> /var/log/messages and find out information about attacks. Is there
>>> any application which will analyze logs and give brief information
>>> to the user about the attacks?
>>>
>>> For example, suppose there was a SYN flood attack; the application
>>> should analyse the /var/log/messages or by some means should know
>>> about the attack and let the user know about that. If there is no
>>> application, could you give some hints on how to develop an
>>> application. Any comment is appreciated.
>> Maybe psad (Port Scan Attack Detector) is what you are looking
>> for. Check http://cipherdyne.org/psad/index.html.
>
> I went through the link. It seems to be heavy for my embedded
> application.
>
> My embedded box is a router with two interfaces - wan0 and lan0. I
> should get information regarding various attacks tried on lan clients.
> I have some implementation in mind (see below).
>
> 1. Is there any tool that fits my requirement, or any tool where I can do
> a little modification in the code and use it?
> 2. Is my idea feasible to implement? Is it worth implementing,
> because it is run as part of the softirq_rx kernel thread. Will it dampen
> performance?
> 3. Could I do this as part of the connection tracking module? If so, could
> you guide a little?
>
snort (snort.org) comes into my mind here.
afaik it has the ability to create inline iptables rules.
maybe worth a look?
best regards
mart
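A minimal version of the log analyser ratheesh asks about, added here as an example that is not part of this thread nor of psad or snort: it parses iptables LOG records from /var/log/messages and flags a source that sends many bare SYNs at one LAN host inside a short sliding window. The FW-DROP: log prefix, the addresses, the window length and the threshold are constructed or assumed values, not anything from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pieces of an iptables LOG record as the kernel writes it to /var/log/messages.
HEAD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?:\[[ \d.]+\] )?.*?(?=IN=)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")                   # key=value pairs from IN= onwards
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # TCP flags appear as bare words

def parse_log_line(line):
    """Parse one iptables LOG line into a dict; return None for any other syslog line."""
    m = HEAD_RE.match(line)
    if not m:
        return None
    body = line[m.end():]                               # starts at "IN="
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = set(FLAG_RE.findall(body))
    rec["ts"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S")   # syslog carries no year
    return rec

def detect_syn_floods(lines, window_seconds=10, threshold=50):
    """Return [(src, dst, count, window_start)] for pairs with >= threshold bare SYNs in a window."""
    syn_times = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:   # initial SYN only, not SYN/ACK
            syn_times[(rec["SRC"], rec["DST"])].append(rec["ts"])
    alerts = []
    for (src, dst), times in syn_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):                 # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((src, dst, end - start + 1, times[start]))
                break                                   # one alert per (src, dst) pair
    return alerts

def constructed_line(sec, src, dst, flags):
    """Constructed sample LOG line (not real traffic) in the kernel's format."""
    return (f"Jun  3 20:15:{sec:02d} router kernel: FW-DROP: IN=wan0 OUT=lan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST={dst} LEN=60 TTL=52 DF PROTO=TCP SPT=40000 DPT=80 {flags} URGP=0")

SAMPLE_LOG = [constructed_line(s, "198.51.100.7", "192.168.1.10", "SYN") for s in range(8)]
SAMPLE_LOG += [constructed_line(3, "203.0.113.5", "192.168.1.10", "SYN"),      # one legitimate SYN
               constructed_line(4, "203.0.113.5", "192.168.1.10", "ACK"),      # not a SYN, ignored
               "Jun  3 20:15:05 router dhcpd: DHCPACK on 192.168.1.10 to 00:aa:bb:cc:dd:ee via lan0"]
```

Calling detect_syn_floods(SAMPLE_LOG, window_seconds=5, threshold=5) reports 198.51.100.7 against 192.168.1.10 while the single SYN from 203.0.113.5 and the non-LOG dhcpd line are ignored. The defaults of 10 seconds and 50 SYNs are assumed starting points; on a real box they have to be tuned to the link and to how the LOG rule is rate-limited.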