Alert!!

Scot L. Harris webid at cfl.rr.com
Thu Sep 16 21:00:13 UTC 2004


On Wed, 2004-09-15 at 22:41, Ow Mun Heng wrote:
> On Thu, 2004-09-16 at 09:34, Dale Sykora wrote:
> >   Do you know 
> > of any SIPTO type program or script?  SIPTO (which I just made up) means 
> > Source IP Time Out (think child behavior deterant).  It would watch the 
> > logs for admin defined bad behavior from a connecting IP and then 
> > temporarily ban that IP (time-out via iptables) for 15 minutes or so 
> > after 3 occurances in a given time frame.  For example, SME server adds 
> > a denylog line to /var/log/messages when an external IP tries to connect 
> > to a closed port.  I would like something to watch this 'tail -f?' and 
> > add an iptables rule to drop all connections from this IP address for a 
> > short time frame (extendible if other attemps are made).  I would like 
> > this to be generic enough to shut down access to zombies that try and 
> > send viruses thru my email server, or systems that think I run IIS and 
> > look for cmd.com/etc... as well.  Someone it the past mentioned an IDS, 
> > but that seems CPU/network intensive.  I simple want to watch the logs 
> > and block the bad/zombie machines that tend to fill the logs.
> 
> Wouldn't portsentry do that? Then again, portsentry would only determine
> if a port which is marked as "secure" shouldn't be touched by anyone
> except a allowed list, and will deny that IP dynamically.
> 
> On the other hand, there's swatch which will watch the logs for you
> based on regex expressions and I guess you can write a script for it to
> parse when it detects malware
> 

I think you want to look at snort for this kind of functionality.  

-- 
Scot L. Harris
webid at cfl.rr.com

Type louder, please. 





More information about the users mailing list